Streamline your processes using one SSL certificate for multiple domains
One of the strengths of modern SSL/TLS certificates is the diversity of functionality afforded by the different certificate types. Regardless of how your network is structured, there’s an SSL certificate that can be tailored to that use case. There’s even one SSL certificate that can handle multiple domains (suddenly, a Lord of the Rings reference comes to mind about “One Ring to Rule Them All,” but in this case, it would be “One Cert for Multiple Domains”).
There was a time when you’d need to purchase individual SSL certificates for each domain and subdomain you were trying to secure. This was expensive, time-consuming, and created a litany of headaches by upping the ante on management. Not to mention some poor schmuck in IT had to install and manage them all…
Obviously, this approach was not ideal. This is why more certificate types have been added over the years to improve functionality and make managing them a bit more “business friendly.” Nowadays, if you want to secure multiple domains, you have options, including:
- Multi-Domain/UCC Certificates
- Wildcard Certificates
- Multi-Domain Wildcard Certificates
Each of these certificates have their own strengths and weaknesses. Let’s run through them really quickly.
Multi-Domain/UCC Certificates
Some people categorize multi-domain and UCC certificates differently. We put them together because they both essentially serve the same function: These certificates secure multiple domains with a single certificate. This goes back to the whole “one cert for multiple domains” concept.
Multi-domain SSL certificates (also called SAN certificates) allow you to list up to 250 different domain names in the Subject Alternative Name (SAN) field of the certificate signing request (CSR). The certificate authority (CA) will perform domain control checks on all of the SANs that you’ve listed and then issue the certificate. With multi-domain SSL, you can secure domains like:
- www.domain.com
- Domain.com
- Domain.net
- Mail.domain.com
- Domain.eu
Unified communications certificates (UCCs) do the same thing, but they’ve been specifically designed to work with Microsoft Exchange and Office Communications servers, which are notoriously finicky. A UCC can secure up to 100 different domains.
It’s also worth noting that these HTTPS certificates for multiple domains work with shared hosting environments, so the websites don’t need unique IP addresses.
The one downside to multi-domain/UCC certificates is that you have to pay by the SAN. Most certificates come with two to four SANs packaged for free — each additional SAN costs you. Though a multi-domain/UCC is still less expensive than using single domain certificates, it’s worth noting the extra cost nevertheless.
Wildcard SSL Certificates
A wildcard SSL certificate is ideal for websites that use subdomains, which is another common practice for enterprises. With a wildcard certificate, you place a wildcard character, an asterisk (*), at the subdomain level you’d like to secure. Once the certificate is issued, any subdomain on that level of the URL can be secured with the certificate. Even if you haven’t created it yet. Wildcard certificates are entirely futureproof — if you ever add a subdomain at any point during the validity period of the certificate, you can secure it.
If you list *.domain.com in your CSR, you can secure:
- Mail.domain.com
- Login.domain.com
- FTP.domain.com
There’s no cap, either. Technically, you can secure an unlimited number of subdomains on the designated level of the URL. For example, you could secure unlimited subdomains on the first level, or the second level, or the third level — but not all of them.
Not sure what we mean by first level- versus second- or third-level subdomains? This will help:
ThirdLevel.SecondLevel.FirstLevel.Domain.TLD
Wildcard Certificates Aren’t Perfect
There are a couple of drawbacks to wildcards, though, that we need to mention. The biggest is that you can’t get an EV version of it. No, that’s not because we just don’t want to issue them, either. The wildcard character offers too much latitude for the Certificate Authority/Browser Forum (CA/B Forum) to feel comfortable giving it extended validation (EV) status. If you want the green bar on subdomains, you’ll need to use a multi-domain certificate.
Additionally, wildcards can only secure subdomains on a single level of the URL. If you want to secure second- or third-level subdomains, it can be done. However, it becomes cost-prohibitive, and you have to name specific subdomains at the preceding URL levels — which, again, gets expensive at scale.
Multi-Domain Wildcard Certificates
The most recent addition to the SSL/TLS product field is the multi-domain wildcard or wildcard SAN certificate. This combines the functionality of both multi-domain and wildcard certificates. You can use wildcard characters in the SAN fields, which gives you more flexibility. In fact, one of the most popular use cases for the multi-domain wildcard is as a multi-level wildcard.
Multi-Domain Wildcard Certificates Aren’t Perfect, Either
The same drawback applies to multi-domain wildcards as well: There is no EV version of this certificate. The CA/Browser Forum (CA/B Forum) prohibits EV wildcards from being issued entirely. As such, you’d need to pick another option if you wanted to leverage the green address bar.
How Encryption Works When Securing Multiple Domains
Anytime a client arrives at a website, the server begins the SSL handshake by sending a copy of its SSL certificate to the client. The client performs a series of checks on the certificate to authenticate it:
- Verifies the certificate’s validity;
- Checks its revocation status;
- Verifies signatures; and
- Follows the certificate chain and checks the listed host names against the one it’s connecting to.
This process is the same whether it’s a single domain certificate or a full multi-domain certificate with 250 SANs. Each website secured by that certificate uses the same certificate — the client will work through each listed host name looking for a match. It’s not unlike a teacher taking attendance at the start of a class — just reading through a list of names and seeing who’s present.
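The attendance-style check above, and the one-label-only wildcard rule from the wildcard section, as an added example that is not code from the original article: a small host name matcher run over a constructed SAN list of a multi-domain wildcard certificate. The SAN entries and host names are made-up samples.

```python
# Added example (not from the original article): how a TLS client matches
# the host name it connected to against the names listed in a certificate's
# Subject Alternative Name (SAN) field. Follows the RFC 6125 rule that a
# wildcard stands for exactly one DNS label, which is why *.domain.com
# covers mail.domain.com but not domain.com or a.b.domain.com.

def label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label. A lone '*' stands for exactly one whole label."""
    if pattern_label == "*":
        return host_label != ""
    return pattern_label == host_label


def san_matches(san: str, hostname: str) -> bool:
    """True if a single SAN entry (e.g. 'mail.domain.com' or '*.domain.com')
    covers hostname. DNS names are case-insensitive, so compare lowercased."""
    san_labels = san.lower().rstrip(".").split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(san_labels) != len(host_labels):
        return False
    # Only a whole leftmost label may be a wildcard; partial wildcards such
    # as 'ma*.domain.com' and wildcards in other positions are rejected.
    for i, lab in enumerate(san_labels):
        if "*" in lab and (i != 0 or lab != "*"):
            return False
    # Common client policy: a wildcard must leave at least two labels to
    # its right, so '*.com' never matches anything.
    if san_labels[0] == "*" and len(san_labels) < 3:
        return False
    return all(label_matches(s, h) for s, h in zip(san_labels, host_labels))


def find_matching_san(sans, hostname):
    """Walk the SAN list (the 'attendance' loop the article describes) and
    return the first entry that covers hostname, or None if nobody answers."""
    for san in sans:
        if san_matches(san, hostname):
            return san
    return None


# Constructed SAN list of a multi-domain wildcard certificate (sample data).
SAMPLE_SANS = ["domain.com", "*.domain.com", "*.eu.domain.com", "domain.net"]

if __name__ == "__main__":
    for host in ["mail.domain.com", "domain.com", "www.eu.domain.com",
                 "a.b.domain.com", "www.domain.net"]:
        print(f"{host:20} -> {find_matching_san(SAMPLE_SANS, host)}")
```

Note that a second-level name such as www.eu.domain.com is only covered because the sample list carries a separate *.eu.domain.com entry; the plain *.domain.com entry alone would not cover it.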
Bueller? Bueller? Anyone? Bueller?
Encryption is the Same Regardless of the Type of SSL Certificate
Keep in mind, the level of security provided by an SSL certificate doesn’t vary by validation level or functionality. In fact, the certificate really just lists the supported parameters for an encrypted connection — the actual strength of the security is contingent upon the capabilities of the server and client.
So, find the certificate that fits you and don’t worry about whether you’ll be secure. Well, do worry about that — just don’t blame the certificate. It’s just the messenger in this arrangement – and as the saying goes, don’t shoot the messenger.