How to deploy more SSL sites with fewer SSL certificates

There is an increasing need to deploy SSL sites (SPDY, HTTP/2, and SSL Everywhere). Traditional SSL sites require deploying one SSL certificate per site. This gets very expensive ordering and maintaining many SSL certificates. Consolidating SSL resources by utilizing wildcard and Subject Alternative Names (SAN) certificates reduces the maintenance and cost of deploying SSL sites.

SSL Review

A quick review of how SSL works. You type a name into your web browser (e.g. www.mycompany.example); the browser connects, verifies that the certificate presented is signed by a trusted party, and checks that the name in the certificate matches the requested name. Should any of these checks fail, you get a nasty-gram from your browser. In the past this required one SSL certificate per IP address, but Server Name Indication (SNI) makes it possible to attach multiple SSL certificates to a single IP address, as long as the client supports SNI.

Traditional Cert

A traditional certificate only contains a single name.

store.mycompany.example

Wildcard Certs

A wildcard cert replaces a single name with a wildcard character. Browsers will treat the “*” character as any valid name.

*.blog.mycompany.example

Subject Alternative Names

SAN certs are similar to a traditional SSL cert, with the added bonus that you can provide a list of “alternative” names that are also valid. For example, a SAN cert could be limited to only the following names:

www.hr.mycompany.example
benefits.hr.mycompany.example
jobs.hr.mycompany.example
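The name check described above, applied to the three certificate shapes (traditional, wildcard, SAN), as an added example that is not part of the original article. It follows the matching rules browsers apply (RFC 6125): labels compare case-insensitively, a wildcard is honoured only as the entire leftmost label and matches exactly one label, and when a certificate carries SAN DNS names those are authoritative and the subject CN is ignored.

```python
"""Browser-style hostname matching for traditional, wildcard and SAN
certificates.  Added example; the function names are this example's own.
"""
from typing import List


def label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label; '*' stands for any single non-empty label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def name_matches(pattern: str, hostname: str) -> bool:
    """Does one certificate name (possibly '*.example') cover hostname?"""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so label counts must agree ...
    if len(p_labels) != len(h_labels):
        return False
    # ... and '*' is only honoured as the whole leftmost label
    # (so 'w*.example' and '*.*.example' are rejected outright).
    if "*" in pattern and (p_labels[0] != "*" or "*" in pattern[1:]):
        return False
    return all(label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_covers(hostname: str, subject_cn: str, san_dns: List[str]) -> bool:
    """Decide whether a certificate is valid for hostname.

    With SAN dNSName entries present the SAN list is authoritative and the
    CN is ignored; a certificate with no SAN (the 'traditional' cert of the
    article) falls back to its CN.
    """
    names = san_dns if san_dns else [subject_cn]
    return any(name_matches(n, hostname) for n in names)


if __name__ == "__main__":
    # Constructed sample: the HR SAN cert from the article.
    hr_sans = ["www.hr.mycompany.example",
               "benefits.hr.mycompany.example",
               "jobs.hr.mycompany.example"]
    print(cert_covers("jobs.hr.mycompany.example", "www.hr.mycompany.example", hr_sans))
    print(name_matches("*.blog.mycompany.example", "alice.blog.mycompany.example"))
    print(name_matches("*.blog.mycompany.example", "a.b.blog.mycompany.example"))
```

Note that `*.blog.mycompany.example` covers neither `blog.mycompany.example` itself nor `a.b.blog.mycompany.example`, which is the usual surprise when a wildcard cert is put in front of a second level of subdomains.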

What type of cert to use

These examples highlight my recommendations for what type of certificate to use. Sites that transact sensitive data (e.g. SSN or CCN) should have their own certificate. Sites that have a low level of security and a high number of names would benefit from a wildcard certificate. A middle ground would be a SAN certificate. When using SAN certs it is best to group names together by organization or security classification.

How to consolidate services

The above should help in reducing the number of certificates that you have. If you want to further reduce the number of IP addresses that you’re using for your sites, please read my companion article on Routing HTTP by request headers. There is also another DevCentral article about SSL Profiles where you can learn more about SSL.

Published Apr 14, 2015
Version 1.0
  • The distinction that I was making with wildcard certs is that they will match more names than a traditional / SAN cert. The best analogy I can think of is an ID card that said a person was from Virginia vs. named John Smith. Saying a person is from Virginia is valid, but could apply to many people vs. named John Smith is more precise. I would trust the more precise identifier.
  • Hi, by the above it looks like the wildcard cert is lower in security level. Why? All use the same SSL ciphers?