How to deploy more SSL sites with fewer SSL certificates
There is an increasing need to deploy SSL sites (SPDY, HTTP/2, and SSL Everywhere). Traditional SSL sites require deploying one SSL certificate per site. This gets very expensive ordering and maintaining many SSL certificates. Consolidating SSL resources by utilizing wildcard and Subject Alternative Names (SAN) certificates reduces the maintenance and cost of deploying SSL sites.
A quick review on how SSL works. You type a name into your web browser (i.e. www.mycompany.example), the web browser connects and verifies that the certificate that is presented is signed by a trusted party and that the name matches the requested name. Should any of these checks fail, you get a nasty-gram from your browser. In the past this required a single SSL certificate per IP address, but Server Name Indication (SNI) makes it possible to attach multiple SSL certificates to a single IP address as long as the client supports SNI.
A traditional certificate only contains a single name.
A wildcard cert replaces a single name with a wildcard character. Browsers will treat the “*” character as any valid name.
Subject Alternative Names
SAN cert are similar to a traditional SSL cert with the added bonus that you can provide a list of “alternative” names that are valid. For example a SAN cert could be limited to only the following names
What type of cert to use
These examples highlight my recommendations for what type of certificate to use. Sites that transact sensitive date (i.e. SSN or CCN) should have their own certificate. Sites that have a low level of security and a high number of names would benefit from a wildcard certificate. A middle ground would be a SAN certificate. When using SAN certs it is best to group together by organization or security classification.
How to consolidate services
The above should help in reducing the number of certificates that you have. If you want to further reduce the number of IP addresses that you’re using for your sites please read my companion article on Routing HTTP by request headers. There's also another DevCentral article about SSL Profiles that you can learn more about SSL.