Are there any technical/legal/contractual limitations to using a CA certificate on multiple sites that are running on a single machine, or on multiple machines? Or are the certificates to be used on a per-site basis?
You can have a certificate on multiple machines. But unless the "site name" for all the machines is the same (e.g. a cluster of web servers all serving one website), your users will get a mismatch error, as the certificate won't match the server name they requested.
You can have a certificate on a single machine with multiple sites (e.g. virtual hosting), but you will have the same problem as above.
If you are serving multiple "sites" from a single server and want users' web browsers and the like to be happy, you will need multiple certificates and multiple IP addresses assigned to the host. This is because it is the connection that is certified and encrypted, and this happens before the client tells you what site it is interested in. This is the limitation of the current SSL protocol. This limitation is addressed in the latest protocol, but not everything supports that yet.
Update Feb 2017:
Technology has moved on a fair bit since this question was asked and I answered it. The SSL protocol has been improved with the addition of SNI, allowing the browser to connect and request the domain before the certificate exchange. So you can now have more than one website served with SSL from a single server with a single IP address. SNI is almost universally supported by all browsers, so you can be fairly confident that your sites will be accessible to users. You can also combine multiple site names into a single cert, either with wildcards, e.g. "*.stackexchange.com", or using "Certificate Subject Alt Names", which is what stackexchange is doing if you check out the SSL cert on this site.
The even better news is that now we have Let's Encrypt, we all get to have our certs for free if you just want encryption support and don't need the extended validation. And Let's Encrypt does support the alt names.
I found an answer on Verisign here that stipulates that a single cert cannot be used on multiple servers without having a special license, which answers the multiple-machines part of my question.
I'm assuming this means there's no issue using it on multiple sites as long as they are all on a single machine.
This might also be specific to the CA.
You can use a Unified Communications Certificate. It allows you to add multiple Subject Alternative Names to the certificate. You can install this certificate on multiple servers for multiple domain names. You could have one certificate for:
server1.blah.com
server2.blah.com
www.blah.com
www.notblah.com
They were originally introduced for use with Exchange 2007 and Communication Server, but can be used for other servers. More info from SSL cert vendors:
Digicert uc ssl cert page
Entrust uc ssl cert page
There are also wildcard certs, but I know less about those, they may work for your purposes also.
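To make the two mechanisms the answers above describe concrete (SNI letting one IP serve several sites, and SAN/wildcard entries letting one cert cover several names), here is an added example that is not from the thread or any vendor. The certificates are constructed dicts of DNS names, not real X.509 objects, and the wildcard rule implemented is the common "one leftmost label only" rule that browsers apply.

```python
"""Hostname matching against a cert's Subject Alternative Names, and
SNI-driven certificate selection for a server hosting several sites on
one IP address. Constructed example: certs are plain lists of DNS names."""
from typing import Dict, List, Optional


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Browser-style match: '*' is allowed only as the entire leftmost label
    and matches exactly one label, so '*.example.com' covers
    'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False  # partial wildcards such as 'w*.example.com' are rejected
    if len(p_labels) < 3:
        return False  # refuse overly broad wildcards such as '*.com'
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, san_dns_names: List[str]) -> bool:
    """True if any SAN dNSName entry covers the requested hostname."""
    return any(_pattern_matches(p, hostname) for p in san_dns_names)


# Constructed certificates installed on one server (one IP, several sites).
CERTS: Dict[str, List[str]] = {
    "ucc": ["server1.blah.com", "server2.blah.com", "www.blah.com", "www.notblah.com"],
    "wildcard": ["*.stackexchange.com", "stackexchange.com"],
}
DEFAULT_CERT = "ucc"  # what a server must present when the client sends no SNI


def select_certificate(sni_hostname: Optional[str], certs=CERTS, default=DEFAULT_CERT) -> str:
    """Server side of the handshake: pick the cert whose SANs cover the SNI
    name; without SNI (pre-SNI clients) only the default can be chosen."""
    if sni_hostname is None:
        return default
    for cert_name, sans in certs.items():
        if hostname_matches(sni_hostname, sans):
            return cert_name
    return default


def client_verifies(requested_host: str, sni_sent: bool, certs=CERTS) -> bool:
    """Client side: the server picks a cert (with or without SNI), then the
    client checks that cert against the host it actually asked for."""
    presented = select_certificate(requested_host if sni_sent else None, certs)
    return hostname_matches(requested_host, certs[presented])
```

Without SNI the second site on the same IP fails verification even though its certificate is installed, which is exactly the "multiple IP addresses" limitation the first answer describes; with SNI the same request succeeds.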