10

Example:

Wildcard SSL certificate for *.example.com installed on two different boxes.

hostEU.example.com  A  60.70.80.90
hostUS.example.com  A  200.210.220.240

I assume this is a perfectly valid scenario, where the actual hostnames do not reside on the same IP (or even the same box for that sake).

Is my assumption correct?

mr-euro
  • 838
  • 3
  • 14
  • 31

2 Answers2

9

Yes, there is not technical limitation for this; except if your CA prohibits this use explicitly.

The most frequently limitation given by a CA is on the "physical servers", but may be someone limits even on IP basis.

As an example, Geotrust Wildcard Ssl says:

If you need to span the wildcard certificate across multiple physical servers, you may purchase additional licenses.

drAlberT
  • 10,871
  • 7
  • 38
  • 52
  • 5
    Can you give a real-world example of a CA effectively prohibiting the use of a wildcard cert on multiple IP addresses? – womble Nov 03 '09 at 17:58
  • 2
    I don't think I have seen anything mentioning multiple IP addresses, but I have seen several examples where installing the cert on multiple 'servers' violates the TOS. I wasn't checking the wildcard TOS specifically. See the Geotrust QuickSSL cert for an example of that is tied to one 'server'. – Zoredache Nov 03 '09 at 18:13
  • Yup - GlobalSign wildcard certs can only be installed on 3 hosts, unless you buy licenses for more. – RainyRat Nov 03 '09 at 18:18
  • 5
    Pfft, tell them to go stuff their ToS up their collective fundaments. Ridiculous and inappropriate restrictions ftl. – womble Nov 03 '09 at 18:46
  • 3
    @womble, I don't think anyone disagrees. In many ways the whole SSL Certificate system is a scam. (http://blogs.techrepublic.com/security/?p=2550) – Zoredache Nov 03 '09 at 18:54
  • 2
    Even if prohibited by the CA, can they actually find out? And if so, what can they do, revoke it? – mr-euro Nov 03 '09 at 18:59
  • And (apart from making additional money) why would the CA prohibit it? – mr-euro Nov 03 '09 at 19:00
  • I found a related question: http://serverfault.com/questions/51067/which-wildcard-ssl-cert-vendors-allow-you-to-set-up-the-same-cert-on-multiple-ser – mr-euro Nov 03 '09 at 19:04
  • @mr-euro, they could potentially find out, or at least get see something that looks suspicious if they made several make requests to the the site, and got back a different result for the server/OS. I don't of any CAs with a such a policy that are actively checking though. – Zoredache Nov 03 '09 at 20:27
  • Thx for all the helpful comments. – mr-euro Nov 04 '09 at 09:34
  • 1
    @mr-euro - yes they can just revoke the ssl. And the reason is just to make money, like the entire SSL business is. It's a rip-off but they have the consumer market cornered so you have to play by their rules. – Coops Nov 05 '09 at 08:41
0

I know a lot of CAs do limit you to set number of "physical" server. Certainly my experience of Comodo is such.

But can the ToS being avoiding when you deploy on a cluster of "virtual" machines?

Coops
  • 5,967
  • 1
  • 31
  • 52