SNI Certificate in SSL/TLS: All You Need to Know

What is server name indication? Let’s explain what it means in layman’s terms

We know you’re here to learn all about what’s known as an SNI certificate (which is actually a reference to SSL/TLS certificates and their relationship with the server name indication protocol), and we’ll get to that momentarily. But before we do that, let’s take a moment to imagine that you’re a web server. (We’re absolutely serious here, so close your eyes and try to be the best version of a server that you can be.)

Now, a user enters a website that they want to visit and you, as you always do, try to shake hands with their web browser and facilitate an HTTPS connection to the website that the user has requested. As you’re trying to fetch the website details through the IP address, you come across a big problem: You see six different websites hosted under a single IP address! You have no idea what to do. You’re left confused and scratching your metaphoric head, unsure of which site they want to access. That’s not a good sight for any web server, is it?

That’s where server name indication (and the so-called “SNI SSL certificate” that people come looking for) comes in to help you out.

So, What Is Server Name Indication, or What Is SNI in SSL?

SNI is an extension to the SSL/TLS protocol that allows multiple SSL/TLS certificates to be hosted on a single IP address. This is done by inserting an HTTP header (a virtual domain) in the SSL/TLS handshake. This process allows you (the web server) to see which website is requested by the client (the web browser) and you can pave the way for a secure connection to the right website.

Benefits of SNI for SSL/TLS

Before SNI, there was no way you could host multiple SSL/TLS certificates on a single IP. Therefore, you had to purchase a separate IP address for every SSL/TLS website you wanted to host on your web server. This, of course, was a costly affair. But as there was no option at the time, people didn’t have a choice. As a consequence, IPv4 addresses, which were limited in number (four billion), started getting consumed rapidly. This posed a great danger of exhaustion of IPv4 addresses. The exhaustion was bound to happen, but the point was to slow it down so that people would have enough time to migrate to IPv6.

That’s what SNI did. Now we have more than 340 undecillion unique IPv6 addresses (that’s 340 trillion trillion trillion, or more than 340,282,366,920,938,000,000,000,000,000,000,000,000), and they do seem to be just enough (for now).

Isn’t SNI the Same as Multi-Domain (SAN) SSL?

From a distance, SNI and a multi-domain (SAN) SSL certificate might seem like the same thing, but there’s a huge difference between the two, even if they help you achieve the same thing.

SNI, as we saw, allows you to host multiple SSL/TLS certificates for multiple websites under a single IP address. This means that each website will have its own SSL/TLS certificate. A multi-domain SSL certificate (SAN), on the other hand, allows you to secure multiple websites using a single SSL/TLS certificate under one IP address.

Therefore, it’s possible to use both SNI and SAN at the same time. If you want to secure multiple websites with a single SSL certificate, a SAN SSL certificate is the option for you. If you want to use a distinct SSL certificate for each different website, you need to implement SNI. Quite simple, isn’t it?

Do Browsers Support SNI?

Yes, they love SNI for SSL certificates. When introduced, there was a big concern about scalability as there weren’t many browsers that could support SNI. But that time is long gone. In 2017, Akamai reported that almost 98% of the clients requesting HTTPS support SNI.

So, as you can see, there isn’t actually an “SNI certificate.” But now you understand how the SNI protocol works with SSL certificates.