I'll be needing a Dedicated IP & SSL for a website. I've noticed that SSL will work for either www or canonical name - but not both.
So does that mean that the Dedicated IP would be set to only one of them?
If I set SSL for www, then if a user goes to a URL manually without the www it would show an invalid certificate - how do I bypass this? mod_rewrite in htaccess?
If I need SSL for a subdomain, that's another SSL Certificate & Dedicated IP to purchase?
The best option is to go with an SSL Provider that will include the base domain as a free Subject Alternative Name in your certificate. CAs like GoDaddy, Comodo, DigiCert, and GlobalSign all do this: http://www.sslshopper.com/ssl-certificate-comparison.html?ids=17,44,66,37
Then you won't receive any errors, but redirecting to a standard name (with or without the www) is still recommended.
There are two different types of SSL certs, one which is wildcarded and another which is specific to the domain. Most use the latter as it is less expensive.
Yes, you can create redirects in htaccess to go where you need to go. DNS can also help with this.
If you need it for subdomains, check into a wildcard SSL cert. That is the only way you'll be able to get all the sub-domains included without individual cert purchases.
http://wiki.cacert.org/WildcardCertificates
To answer the last question first.
There is a thing called a wildcard SSL certificate. What that means is all subdomains are covered by the certificate. e.g. *.mydomain.com
If you were to purchase one of these, which can be 5-10 times more expensive, you will solve the first problem as well.
If you do stick with an ordinary SSL certificate, I would suggest rewriting to one of the domain types, either with the www or without. As a general rule you should always do this anyhow. Decide which one you prefer (my preference is always without) and create a mod_rewrite rule that 301 redirects (permanent redirect).
Here is how you can do that:
In your relevant Apache config file for that domain:
There's no strict requirement for the reverse DNS to resolve to the hostname of the website. There's only a requirement that the hostname in the SSL certificate resolves to the IP address of the host that serves the site (and that there are no other SSL sites on the same IP, unless they can all use a wildcard cert), as the certificate is sent before any HTTP protocol is exchanged.
I believe Apache can handle hostname negotiation even when using SSL, so you could send an HTTP 301 Moved Permanently to redirect the user to the canonical URL.
Wildcard certificates. They're noticeably more expensive, but do allow for having the same cert for multiple sites.
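
The certificate name matching that the answers above turn on, as an added example (not part of any original post): a minimal Python model of RFC 6125-style hostname matching and of the order in which a browser handles an HTTPS request, certificate check first and the 301 redirect second. The hostnames, the certificate name lists and the helper names (`name_matches`, `cert_covers`, `https_visit`) are constructed for illustration.

```python
# Added illustration: RFC 6125-style hostname matching plus the order in which
# a browser checks things (certificate first, HTTP redirect second).
# All hostnames and certificate name lists below are constructed samples.

def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate DNS name against a requested hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False            # a wildcard never spans more or fewer labels
    if p_labels[0] == "*":
        # Wildcard is honoured only as the whole left-most label and only
        # when at least two more labels follow it (so "*.com" never matches).
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_covers(san_names: list[str], host: str) -> bool:
    """True if any name in the certificate's SAN list covers the host."""
    return any(name_matches(n, host) for n in san_names)


def https_visit(host: str, san_names: list[str], canonical: str) -> str:
    """Model of one HTTPS request: TLS name check, then the 301 rule."""
    if not cert_covers(san_names, host):
        return "certificate warning"      # the redirect is never reached
    if host.lower() != canonical:
        return f"301 -> https://{canonical}/"
    return "200"


if __name__ == "__main__":
    certs = {
        "www only": ["www.example.com"],
        "www + base domain SAN": ["www.example.com", "example.com"],
        "wildcard only": ["*.example.com"],
        "wildcard + base domain SAN": ["*.example.com", "example.com"],
    }
    hosts = ["example.com", "www.example.com", "shop.example.com",
             "a.shop.example.com"]
    for label, names in certs.items():
        for h in hosts:
            print(f"{label:28} {h:20} {https_visit(h, names, 'www.example.com')}")
```

Running it prints, for each constructed certificate, which hostnames reach the redirect and which stop at the certificate check.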