87

I am creating a websocket server which will live on ws.mysite.example. I want the web socket server to be SSL encrypted as well as domain.example to be SSL encrypted. Do I need to purchase a new certificate for each subdomain I create? Do I need a dedicated IP address for each subdomain I create? I will likely have more than one subdomain.

I am using NGINX and Gunicorn running on Ubuntu.

asked by user974407, edited by Patrick Mevzek

4 Answers

97

I'll answer this in two steps...

Do You Need an SSL Cert for Each Subdomain ?

Yes and No, it depends. Your standard SSL certificate will be for a single domain, say www.domain.example. There are different types of certs you can get aside from the standard single domain cert: wildcard and multi domain certs.

  • A wildcard cert will be issued for something like *.domain.example and clients will treat this as valid for any domain that ends with domain.example, such as www.domain.example or ws.domain.example.

  • A multi domain cert is valid for a predefined list of domain names. It does this by using the Subject Alternative Name field of the cert. For example, you could tell a CA that you want a multi domain cert for domain.example and ws.mysite.example. This would allow it to be used for both domain names.

If neither of these options work for you, then you would need to have two different SSL certs.

Do I Need a Dedicated IP for Each Subdomain ?

Again, this is a yes and no...it all depends on your web/application server. I am a Windows guy, so I will answer with IIS examples.

  • If you are running IIS7 or older, then you are forced to bind SSL certs to an IP and you cannot have multiple certs assigned to a single IP. This causes you to need to have a different IP for each subdomain if you are using a dedicated SSL cert for each subdomain. If you are using a multi domain cert or a wildcard cert, then you can get away with the single IP as you only have one SSL cert to begin with.

  • If you are running IIS8 or later, then the same applies. However, IIS8+ includes support for something called Server Name Indication (SNI). SNI allows you to bind an SSL cert to a hostname, not to an IP. So the hostname (Server Name) that is used to make the request is used to indicate which SSL cert IIS should use for the request.

  • If you use a single IP, then you can configure websites to respond to requests for specific hostnames.

I know that Apache and Tomcat also have support for SNI, but I am not familiar enough with them to know what versions support it.

Bottom Line

Your application/web server and the type of SSL certs you are able to obtain will dictate your options.

answered by pkeenan, edited by Patrick Mevzek
  • I am using gunicorn and nginx on Ubuntu. – user974407 Jan 10 '14 at 18:47
  • In that case, SNI should be available as long as OpenSSL (for nginx) was compiled with SNI support, as per the link in GomoX's answer. – pkeenan Jan 10 '14 at 18:51
  • Some single sub-domain certificates list the main domain as an alternative, so you might find you can do www.domain.com and domain.com on one cert on one IP address. Be careful to consider your target audience when considering SNI: IE on XP does not support it, which will affect you with some corporate users; neither do some old mobile browsers like the stock Android one, at least up to 2.3.5, which you need to consider if you target mobile devices (there are a lot of Android devices out there running old versions). – David Spillett Jan 10 '14 at 19:22
  • @pkeenan - It would be good if the answer was updated to reflect the technical features that support hostnames and domains without hostnames - http://helpdesk.ssls.com/hc/en-us/articles/203188962-What-is-the-difference-between-www-domain-com-and-domain-com- – Motivated Apr 22 '16 at 06:19
  • > clients will treat this as valid for any domain that ends with 'domain.com', such as 'www.domain.com' or 'ws.domain.com'. This leads me to believe that it would also be valid for `abc.def.domain.com`, is that also the case? – Jeff Jul 04 '18 at 11:20
  • Does a wildcard certificate for `*.example.com` work for both `www.example.com` and `example.com`? – Flux Jul 29 '19 at 09:39
  • Is certificate for `*.domain.example` able to encrypt connections to `domain.example`? – variable Apr 18 '22 at 09:32
  • I think the examples you provide (`ws` vs `www`) are confusing to some people since many don't realize that `www` is a sub domain. How about `www.subdomain.mydomain.com` and `www.subdomain1.mydomain.com` or `www.subdomain.domain.com` and `www.domain.com` for the wildcard example? – John Aug 20 '22 at 15:22
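Several of the comments above ask what a wildcard actually covers. The following is an added example, not code from the original post or from any of the answerers: it implements the hostname-matching rule that browsers and TLS libraries apply (RFC 6125, as tightened by RFC 9525) and runs it over the three certificate types the answer describes. The certificates are constructed stand-ins (just a subject CN and a SAN list), and the hostnames are the ones from the question. The rule is narrower than "ends with domain.example": a wildcard covers exactly one label, so `*.domain.example` matches `ws.domain.example` but neither the bare `domain.example` nor `abc.def.domain.example`.

```python
"""Which hostnames does a certificate cover?

Matching rule as current browsers apply it (RFC 6125, tightened by RFC 9525).
Added example; the certificates below are constructed stand-ins, not real ones.
"""
from typing import Dict, List, Optional


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`.

    * Comparison is case-insensitive and ignores a trailing dot.
    * A wildcard must be the whole left-most label ("*.domain.example");
      partial wildcards such as "w*.domain.example" are rejected.
    * The wildcard covers exactly one label: "*.domain.example" matches
      "ws.domain.example" but neither "domain.example" nor "a.b.domain.example".
    * At least two labels must follow the star ("*.example" is rejected;
      public CAs will not issue such a name either).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(subject_cn: Optional[str], san_dns: List[str], hostname: str) -> bool:
    """Apply the rule to a certificate's identity fields.

    Clients check the subjectAltName dNSName entries when any are present and
    fall back to the subject CN only for legacy certificates that have no SAN.
    """
    names = san_dns if san_dns else ([subject_cn] if subject_cn else [])
    return any(dns_name_matches(name, hostname) for name in names)


# Constructed stand-ins for the three certificate types the answer describes:
# (subject CN, SAN dNSName list).
SINGLE_DOMAIN = ("www.domain.example", ["www.domain.example"])
WILDCARD = ("*.domain.example", ["*.domain.example"])
MULTI_DOMAIN = ("domain.example", ["domain.example", "ws.mysite.example"])

HOSTS = [
    "domain.example",
    "www.domain.example",
    "ws.domain.example",
    "abc.def.domain.example",
    "ws.mysite.example",
]


def coverage(cert, hosts=HOSTS) -> Dict[str, bool]:
    """Map each hostname to whether `cert` (a (CN, SANs) pair) covers it."""
    subject_cn, san_dns = cert
    return {host: cert_covers(subject_cn, san_dns, host) for host in hosts}


if __name__ == "__main__":
    for label, cert in (("single", SINGLE_DOMAIN), ("wildcard", WILDCARD), ("multi", MULTI_DOMAIN)):
        covered = [host for host, ok in coverage(cert).items() if ok]
        print(f"{label:8s} {cert[0]:20s} covers {covered}")
```

The same check against a real certificate file can be done with `openssl verify -CAfile ca.pem -verify_hostname ws.domain.example cert.pem`; the point of writing the rule out is to see why a wildcard cert needs the bare domain listed as a separate SAN if `domain.example` itself is to be served with it.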
12

You can get a certificate for each subdomain, a multiple subdomain certificate or a wildcard certificate (for *.yoursite.example).

They typically cost quite a bit more than regular certificates though, and because you share a single certificate they are typically not the best option from a security point of view unless you host an anything.mydomain.example type of application where they are the only workable choice.

You also don't need multiple IP addresses if you have an SNI-capable web server. This said, SNI is only supported in modern browsers (IE6 and below won't work with it). Recent versions of Nginx and Apache support SNI transparently (just add SSL enabled virtual hosts).

answered by GomoX, edited by Patrick Mevzek
  • What do you mean by "not the best option from a security point of view"? – Motivated Apr 22 '16 at 06:18
  • A single certificate that is shared for all your hosts turns any breach of a certificate into a domain-level security threat, rather than just affecting whatever subdomain the certificate was attached to. For example, the certificate used for www.yoursite.com which is a WordPress install would be the same as the one for payments.yoursite.com which is a secured credit card processing application. If the first leaks, the second is compromised. – GomoX Apr 26 '16 at 18:48
  • Is certificate for `*.yoursite.example` valid for both `www.yoursite.example` and `yoursite.example`? – variable Apr 18 '22 at 09:33
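Both this answer and pkeenan's rely on SNI to put several certificates behind one IP address. As an added example that is not part of the original post, the code below shows the mechanism itself: it builds a minimal TLS ClientHello (a constructed test vector, not a capture), extracts the `host_name` from the `server_name` extension exactly as an SNI-capable server must before it has chosen a certificate, and selects a virtual host. The virtual-host table, the certificate paths and the `DEFAULT_VHOST` are hypothetical; the hostnames are the ones from the question.

```python
"""Server Name Indication: what the server reads to pick a certificate.

Added example. Builds a minimal ClientHello (constructed test input), pulls the
host_name out of the SNI extension the way an SNI-capable server such as nginx
does, and selects a virtual host. Virtual hosts and cert paths are hypothetical.
"""
import struct
from typing import Dict, Optional, Tuple

SNI_EXTENSION = 0x0000   # extension type server_name (RFC 6066)
HOST_NAME = 0            # NameType host_name


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed ClientHello record; server_name=None mimics an old client without SNI."""
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME, len(name)) + name
        sni = struct.pack("!H", len(entry)) + entry          # ServerNameList
        extensions += struct.pack("!HH", SNI_EXTENSION, len(sni)) + sni
    body = (
        b"\x03\x03"                              # legacy_version TLS 1.2
        + b"\x11" * 32                           # random (fixed bytes for a test vector)
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\x13\x01"     # cipher_suites: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                            # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent.

    Lengths are checked against the buffer, so a truncated or malformed record
    fails loudly (ValueError or struct.error) instead of misreading bytes.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                           # skip legacy_version, random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    if pos + 2 > len(body):
        return None                                        # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if ext_end > len(body):
        raise ValueError("extensions length overruns ClientHello")
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXTENSION or len(data) < 2:
            continue
        list_end = 2 + struct.unpack("!H", data[:2])[0]
        q = 2
        while q + 3 <= min(list_end, len(data)):
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            q += 3
            if name_type == HOST_NAME and q + name_len <= len(data):
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


# Hypothetical virtual-host table (server name -> certificate file), mirroring
# two nginx server blocks that share one listen address.
VHOSTS: Dict[str, str] = {
    "domain.example": "/etc/ssl/private/domain.example.pem",
    "ws.mysite.example": "/etc/ssl/private/ws.mysite.example.pem",
}
DEFAULT_VHOST = "domain.example"   # the block marked default_server


def select_certificate(record: bytes) -> Tuple[str, str]:
    """Pick (server name, certificate) for a ClientHello, like an SNI-aware server.

    A client that sends no SNI, or an unknown name, lands on the default virtual
    host, which is why non-SNI clients are shown that host's certificate.
    """
    name = extract_sni(record)
    if name is None or name not in VHOSTS:
        return DEFAULT_VHOST, VHOSTS[DEFAULT_VHOST]
    return name, VHOSTS[name]


if __name__ == "__main__":
    for sni in ("ws.mysite.example", "domain.example", "other.example", None):
        print(f"SNI={sni!r:22} -> {select_certificate(build_client_hello(sni))}")
```

In nginx the equivalent is two `server` blocks that both `listen 443 ssl` on the same address, each with its own `server_name` and `ssl_certificate`/`ssl_certificate_key`, one of them marked `default_server`; `nginx -V 2>&1 | grep -o 'TLS SNI support enabled'` confirms the binary was built against an OpenSSL with SNI. Because the name travels in the clear in the ClientHello, it is also what network monitoring sees, which matters when deciding whether a separate IP per host buys any privacy (it does not).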
2

I recommend "getssl" to create an SSL cert for a subdomain hosted on another server.

Let's say:
You have a primary domain (example.com) with an SSL cert on SERVER A.
You have a subdomain (vm1.example.com) without an SSL cert on SERVER B.

You can use "getssl", which uses letsencrypt.org, to create an SSL cert for the subdomain.

1

You will either need a separate cert for each subdomain, or you can purchase a wildcard cert (*.domain.example) - more expensive, but makes sense if you're hosting a lot of subdomains.

Regarding IPs, it depends on how you set your server up. You can use hostname rules to serve multiple sites from the same IP, or use unique IPs for each one. There are pros and cons to both methods.

answered by Jim G., edited by Patrick Mevzek