We want to secure the following domains on a single server (1 IP) with multiple virtual hosts:
secure.ourapp.com (VHOST1)
www.ourapp.com/login (VHOST2)
www.ourapp.com/signup (VHOST2)
After reading a lot on serverfault and online I found that we have 2 choices to roll with.
At GoDaddy I found the following two choices:
Single Domain with Unlimited Subdomains (Wildcard): €153.87
Multiple Domains (UCC): €69.23
Can anyone advise us on what certificate will be the most appropriate? We are looking for a solution that's easy to maintain/implement and that secures the above URL setup on a single server.
Browser compatibility is important to us. IE6 should also be secured with SSL.
With one IP, you are going to have limited support regardless. SNI, which allows VirtualHost with SSL, is only supported in modern browsers.
SNI Compatibility
If you want consistent IE compatibility for your SSL connection without errors, you will need to have multiple IPs.
If you are positive that you are going to stick with the list of hostnames you identified for at least a year, I would go with UCC because it is cheaper. If you anticipate a need to throw up a bunch more SSL vhosts later on hostnames under the same domain, the ROI is with the wildcard cert as you would not have to buy a new certificate.
Both UCC and wildcard will be implemented the same way and maintenance will not be variable.
If you've only got a single IP address and are using VHOSTs, then I'd go for the wildcard certificate as Apache only allows one cert per static IP. There's a walkthrough on how to set Apache up this way here.
I recommend a Wildcard SSL Certificate to secure your domain plus subdomains.
I don't know why people talk about SNI and multiple IPs here. A wildcard certificate is ONE certificate and a UCC/SAN certificate is also ONE single certificate. So no SNI or IP based VHOST setup is needed here. Go for the wildcard certificate if you think there will be more SSL subdomains in the future.
The cheapest way would be a rewrite rule like:
and recode the application to allow these URLs running on the SSL Directive. So you would only need one simple SSL certificate.
You do not need multiple IP addresses and you do not need to use SNI (which isn't fully supported yet). The best (and cheapest) option for your site is to use a wildcard or a UCC certificate. The UCC certificate will be your cheapest option if you only need to secure 2 hostnames (secure.ourapp.com and www.ourapp.com). Once you've installed the certificate, you will need to enable it for both VirtualHosts using the info at the bottom of this page: http://www.sslshopper.com/article-how-to-configure-ssl-host-headers-in-iis-6.html
You don't need to worry about browser compatibility. As long as you buy from a trusted provider like GoDaddy, all the certificates will be compatible.
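Added example, not part of the original answers: a small check of which hostnames a wildcard certificate and a UCC/SAN certificate actually cover, using the usual RFC 6125 wildcard rule (the wildcard stands for exactly one left-most label). The SAN lists and the "later" hostnames are constructed assumptions for illustration; only secure.ourapp.com and www.ourapp.com come from the question.

```python
# Added example: which hostnames a wildcard or UCC/SAN certificate covers.
# SAN lists below are constructed for illustration, not read from a real certificate.

def san_matches(pattern: str, hostname: str) -> bool:
    """Match one dNSName entry against a hostname (RFC 6125 style).

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.ourapp.com does not cover ourapp.com or
    a.b.ourapp.com.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels after the wildcard (no "*.com").
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    # No partial wildcards such as "w*.ourapp.com": exact match only.
    return "*" not in pattern and p_labels == h_labels


def uncovered(san_list, hostnames):
    """Return the hostnames that no SAN entry covers."""
    return [h for h in hostnames if not any(san_matches(s, h) for s in san_list)]


# Constructed SAN lists for the two products discussed in the thread.
WILDCARD_SANS = ["*.ourapp.com"]
UCC_SANS = ["secure.ourapp.com", "www.ourapp.com"]

# Hostnames from the question (paths like /login are not part of a certificate).
TODAY = ["secure.ourapp.com", "www.ourapp.com"]
# Hypothetical later additions (assumption, not from the question).
LATER = TODAY + ["api.ourapp.com", "eu.api.ourapp.com"]

if __name__ == "__main__":
    for name, sans in (("wildcard", WILDCARD_SANS), ("UCC", UCC_SANS)):
        print(name, "today:", uncovered(sans, TODAY), "later:", uncovered(sans, LATER))
```

Both certificates cover today's two hostnames; the difference only shows once new subdomains appear, and even the wildcard does not reach a second subdomain level or the bare ourapp.com.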