Linode Forum
Posted: Sat Apr 21, 2012 11:12 am
So I have one domain with multiple subdomains, which I want to be able to serve through HTTPS. The domains are:

kickassapp.com
www.kickassapp.com (only redirects to kickassapp.com)
hi.kickassapp.com

Now, I'm not certain how SSL certificates and signing agents work with www. and no-www domains. The one I'm thinking about buying is:

http://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates/rapidssl-certificate.aspx

From what I have understood I will need two certificates, one for kickassapp.com and one for hi.kickassapp.com, if I don't want to go for the wildcard version which costs 10x as much.

But I have also read that you need a dedicated IP. I don't know if it's per domain or just per webserver?

Quote:
You also need to have a dedicated IP address (can be ordered at your web host) and a CSR generated on your web server for the domain name.


Does this mean I need two dedicated IPs, one for kickassapp.com and one for hi.kickassapp.com? I'm not really sure how this relates to what Linode offers. I assume that the IP I have assigned is dedicated? Will I need to request a new IP for hi.kickassapp.com? This seems a bit overkill for what I'm doing.

I'd love to be sure of what I'm doing before paying for anything...


Posted: Sun Apr 22, 2012 11:19 am
If you use one certificate, it will have to be valid for any hostname you want to use with it. In this case, kickassapp.com, www.kickassapp.com, and hi.kickassapp.com. Some certificate authorities will do this in one certificate, using the Certificate Subject Alternative Name field.

You might be able to optimize this a bit if you use just one hostname for SSL traffic. Most folks aren't going to do https://hi.kickassapp.com/; rather, they're going to go to hi.kickassapp.com and then you're going to redirect to https. What I would do is get a certificate for kickassapp.com (and www.kickassapp.com, if they'll throw it in for free), and redirect hi.kickassapp.com to https://kickassapp.com/hi/. This will throw a cert error if someone goes to https://hi.kickassapp.com/, but it is usually an obvious and self-explanatory error.

Multiple certificates are also a possibility. It is no longer the case that you must have a separate IP address for each SSL certificate (see here for why). BUT! -- and this is a big but, I cannot lie -- it is not supported by all browsers/operating systems yet. Notably, Windows XP and Android 2.x lack support for it.

To summarize: SSL is a mess, certificates are a mess, IPv4 is a mess, Windows XP is a mess, and you'll probably want to present one certificate per IP/port, and that certificate better recognize the hostname the browser is connecting to. Or adopt an "IPv6, SNI, or GTFO" policy and tell XP users without IPv6 to get with the program :-)

_________________
Code:
/* TODO: need to add signature to posts */
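
Added example, not part of the original posts: a check of which of the thread's three hostnames each certificate option would cover, using the usual RFC 6125-style matching of Subject Alternative Name entries. The SAN lists are constructed for illustration and the function names are hypothetical; it also covers the wildcard option from the first post.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# The SAN lists below are constructed, not taken from real certificates.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName SAN entry against a hostname (RFC 6125 style)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard stands for exactly one label
    if p_labels[0] == "*":
        # Wildcard only as the whole left-most label, and only above a
        # registrable-looking name, so "*.com" never matches anything.
        return (len(p_labels) >= 3 and h_labels[0] != ""
                and p_labels[1:] == h_labels[1:])
    # Partial wildcards such as "w*.example.com" are rejected outright.
    return "*" not in pattern and p_labels == h_labels


def uncovered(san_list, hostnames):
    """Return the hostnames that would trigger a certificate name error."""
    return [h for h in hostnames
            if not any(san_matches(s, h) for s in san_list)]


# Hostnames from the thread.
SITES = ["kickassapp.com", "www.kickassapp.com", "hi.kickassapp.com"]

# Constructed SAN lists for the certificate options discussed.
CERTS = {
    "single-name": ["kickassapp.com"],
    "apex + www": ["kickassapp.com", "www.kickassapp.com"],
    "wildcard only": ["*.kickassapp.com"],
    "multi-name SAN": ["kickassapp.com", "www.kickassapp.com",
                       "hi.kickassapp.com"],
}


def report():
    """Map each certificate option to the hostnames it fails to cover."""
    return {name: uncovered(sans, SITES) for name, sans in CERTS.items()}


if __name__ == "__main__":
    for name, missing in report().items():
        print(f"{name:16} -> name mismatch for: {missing or 'none'}")
```

A wildcard entry on its own leaves the bare kickassapp.com uncovered, so a wildcard certificate needs the apex name listed as a second SAN entry to serve all three hostnames.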

