[FX.php List] [OFF] Basic SSL & DNS clarification

Philip Lamb phil at eden.net.nz
Thu Feb 14 19:44:31 MST 2013


The answers given so far are incorrect.

>>>> 1) Given the following two sites:
>>>> abc.domain.com/apples/
>>>> abc.domain.com/bananas/
>>>> 
>>>> Is it correct that these two sites:
>>>> a) Can share one SSL cert

Yes. 

>>>> b) Must be on the same server

No. You can use different servers.

SSL certificates are not tied to IP addresses, nor machines. The only requirement is that the hostname of the HTTP request resolve to the hostname in the certificate. For the server to actually use the certificate it must also hold the private key tied to the certificate -- sometimes this can be difficult to arrange.

Think about a big site which uses round-robin DNS with https. E.g. https://www.google.com. Multiple IP addresses are returned for that domain name query, and each IP address has a server which answers to www.google.com on port 443. 

>>>> 2) Given the following two sites:
>>>> apples.domain.com/
>>>> bananas.domain.com/
>>>> 
>>>> Is it correct that these two sites:
>>>> a) Must each have their own SSL cert

No. You can use a wildcard SSL certificate.

>>>> b) Can be on the same server or on two different servers
>>>> 

Yes to both. Multihosting SSL sites on a single IP requires browser support, but it is supported by all the modern browsers. See http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port.

Regards,
Phil.
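
The name-matching rule behind the answers above, as an added example that is not part of the original post: a client compares the hostname in the URL with the DNS names in the certificate and ignores the path. The sketch goes slightly beyond the two questions by also showing that a wildcard stands for exactly one label (the usual RFC 6125 behaviour). The function names and the certificate name lists are constructed for illustration.

```python
from urllib.parse import urlsplit


def cert_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName against a hostname.

    Comparison is case-insensitive, '*' is honoured only as the entire
    left-most label, and it stands for exactly one label.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" is never accepted.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # Partial wildcards such as "a*.domain.com" are rejected outright.
    return "*" not in pattern and p_labels == h_labels


def cert_covers_url(dns_names, url: str) -> bool:
    """True if any dNSName in the certificate covers the URL's host.

    Only the hostname is checked; the path plays no part.
    """
    host = urlsplit(url).hostname or ""
    return any(cert_name_matches(name, host) for name in dns_names)


# Constructed certificate name lists (not taken from real certificates).
SINGLE_HOST_CERT = ["abc.domain.com"]
WILDCARD_CERT = ["*.domain.com"]

if __name__ == "__main__":
    cases = [
        (SINGLE_HOST_CERT, "https://abc.domain.com/apples/"),
        (SINGLE_HOST_CERT, "https://abc.domain.com/bananas/"),
        (SINGLE_HOST_CERT, "https://apples.domain.com/"),
        (WILDCARD_CERT, "https://apples.domain.com/"),
        (WILDCARD_CERT, "https://bananas.domain.com/"),
        (WILDCARD_CERT, "https://domain.com/"),
        (WILDCARD_CERT, "https://a.b.domain.com/"),
    ]
    for names, url in cases:
        verdict = "covered" if cert_covers_url(names, url) else "NOT covered"
        print(f"{names[0]:<16} {url:<34} {verdict}")
```
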
