I know that you can provide SSL at any subdomain with a wildcard SSL cert, but how can you do that and also have SSL at the root (i.e., when somebody just types https://example.com/ without the www)? Would I just install the wildcard cert, and a second cert for handling root :443 requests? I can't use mod_rewrite because the browser won't get that far before alerting the user of the lack of an SSL.
-
You need 2 certificates for this to work, I'm afraid.
vorik: AFAIK, you can only use 1 certificate per IP address.
grawity: vorik: "TLS Server Name Indication"
From Joachim -
One certificate with all the domains described in the 'X509v3 Subject Alternative Name' attribute may do the job. Most modern web browsers support this AFAIK, though I am not sure if the well-known commercial CAs do issue such certificates.
grawity: http://wiki.cacert.org/VhostTaskForce
From Jacek Konieczny -
I'm using mod_rewrite for this purpose just fine. I redirect requests from https://domain.com/application/ to https://www.domain.com/application/ using the following rules:

    RewriteEngine On
    # Use correct hostname: send anything addressed to the bare domain to www.
    # [NC] makes the Host header comparison case-insensitive.
    RewriteCond %{HTTP_HOST} ^domain\.com$ [NC]
    # ^/? lets the rule work both in .htaccess context (no leading slash on
    # the matched path) and in server/vhost context (leading slash present)
    # without producing a double slash in the target.
    # Flags must be comma-separated with no spaces: "[R=301, L]" is rejected
    # by Apache with "bad flag delimiters".
    RewriteRule ^/?(.*)$ https://www.domain.com/$1 [R=301,L]

So you'd just need one wildcard SSL certificate.
orokusaki: @Matthias Vance How does that work? If the user reaches `https://mydomain.com` first, their browser will try to connect via SSL and fail before a redirect can be issued, right?
Matthias Vance: I tested this on one of our systems, but that happens to have a root and "www." certificate. So, the test is flawed, but I think it's still worth trying out, because the SSL certificate will get sent, no matter what hostname you use (over SSL). So the browser should get the redirect just fine.
From Matthias Vance -
Many CAs (including Comodo, and DigiCert) will include the base domain name as a free SAN in their wildcard certificates: http://www.sslshopper.com/ssl-certificate-comparison.html?ids=26,13,45
So you could use the one wildcard certificate to secure domain.com and anything.domain.com. That way you don't get any errors, but you still might want to redirect them to www.
From Robert
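Whether a given certificate covers the bare domain, the www host, or a deeper subdomain is decided by the browser's hostname-matching rules, which is the crux of both the SAN answer (Jacek Konieczny) and the free base-domain SAN note (Robert) above. The following is an added example, not code from this thread or from any CA or browser: a small implementation of the RFC 6125 dNSName matching rules (wildcard only as the whole leftmost label, matching exactly one label), run against constructed SAN lists for the three certificate options discussed. The names `name_matches`, `cert_covers` and `coverage_report` and the sample SAN lists are the example's own; IDNA, IP-address SANs and legacy CN fallback are deliberately out of scope.

```python
"""
Added example (not from the original thread): RFC 6125 style hostname
matching against a certificate's dNSName entries, to show which of the
certificate options discussed covers example.com, www.example.com and
deeper subdomains.

The SAN lists below are constructed for illustration, not real certificates.
"""


def name_matches(cert_name: str, hostname: str) -> bool:
    """Return True if one dNSName entry from a certificate covers hostname.

    Rules as browsers apply them (RFC 6125 section 6.4.3):
    - comparison is case-insensitive and ignores a trailing dot
    - a wildcard is honoured only as the entire leftmost label
      ('w*.example.com' and '*.*.example.com' never match)
    - the wildcard matches exactly one label, so '*.example.com' covers
      'www.example.com' but neither 'example.com' nor 'a.b.example.com'
    - a wildcard needs at least two labels after it ('*.com' is refused)
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname

    pattern_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    if pattern_labels[0] != "*" or "*" in cert_name[1:] or len(pattern_labels) < 3:
        return False
    if len(pattern_labels) != len(host_labels):
        return False  # wildcard covers exactly one label, so counts must agree
    # Leftmost label is the wildcard; every remaining label must match exactly.
    return pattern_labels[1:] == host_labels[1:]


def cert_covers(san_names, hostname: str) -> bool:
    """A certificate covers hostname if any of its dNSName SANs matches it."""
    return any(name_matches(n, hostname) for n in san_names)


def coverage_report(san_names, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: cert_covers(san_names, h) for h in hostnames}


# Constructed SAN lists for the options discussed in the thread.
WILDCARD_ONLY = ["*.example.com"]                      # bare wildcard cert
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]  # wildcard + base-domain SAN
APEX_ONLY = ["example.com"]                            # the "second cert" for the root


if __name__ == "__main__":
    hosts = ["example.com", "www.example.com", "shop.example.com", "a.b.example.com"]
    for label, sans in [("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex SAN", WILDCARD_PLUS_APEX),
                        ("apex only", APEX_ONLY)]:
        print(f"{label:20s} {coverage_report(sans, hosts)}")
```

Running it shows why the wildcard alone leaves https://example.com/ uncovered (the browser warns before any redirect is received), and why a wildcard certificate that also lists the base domain as a SAN, or a second apex-only certificate served via SNI, closes that gap. The same logic explains why a wildcard never covers a second level of subdomain.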