For SNI Apache setup:

Is it okay to use one security certificate for all virtual hosts, with aliases to the URLs?

And is there a difference between:

  • using one security certificate for all virtual hosts with aliases to the URLs, and
  • using a security certificate per virtual host?

  • One is SNI, the other is not. Commented Nov 3, 2016 at 21:03
  • @MichaelHampton cool. Commented Nov 4, 2016 at 19:05

1 Answer

You can technically have a certificate with completely different SANs, but I'm not sure how CAs will allow you to have it signed by them, for obvious authentication reasons. So having a certificate per virtual host is simpler (except that you have more stuff to monitor for renewals, and probably a higher cost, although today you have solutions such as Let's Encrypt), and it enables you to get rid of the following issues:

  1. If you put all names inside the same certificate, as soon as you add a virtual host, you will need to regenerate the certificate to contain the whole new set of names, and some browsers/extensions will complain, for security reasons, that the certificate changed in a strange way/time.
  2. You also kind of defeat the idea of having separate virtual hosts, as you give every visitor of one website the list of all other websites on the same server (which you may be able to find in other ways too).
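
The two layouts the question compares, as an added Apache configuration example (not part of the original question or answer). Hostnames, document roots and certificate paths are placeholders.

```apache
# Constructed example: hostnames and file paths are placeholders.
# Both layouts use SNI to pick the vhost on a shared IP:port.
# Use one layout or the other, not both in the same server.

# Layout A: one certificate shared by every virtual host.
# shared.crt must list every ServerName/ServerAlias as a SAN, so a visitor
# of site-a.example can read site-b.example in the certificate, and adding
# a vhost means reissuing the certificate for all of them.
<VirtualHost *:443>
    ServerName  site-a.example
    ServerAlias www.site-a.example
    DocumentRoot /var/www/site-a
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/shared.crt
    SSLCertificateKeyFile /etc/ssl/example/shared.key
</VirtualHost>
<VirtualHost *:443>
    ServerName  site-b.example
    ServerAlias www.site-b.example
    DocumentRoot /var/www/site-b
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/shared.crt
    SSLCertificateKeyFile /etc/ssl/example/shared.key
</VirtualHost>

# Layout B: one certificate and key per virtual host.
# Each certificate lists only its own site's names, and each site renews
# and rotates its key independently of the others.
# A client that sends no SNI is served by the first vhost listed for this
# IP:port, so it receives that vhost's certificate.
<VirtualHost *:443>
    ServerName  site-a.example
    ServerAlias www.site-a.example
    DocumentRoot /var/www/site-a
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/site-a.crt
    SSLCertificateKeyFile /etc/ssl/example/site-a.key
</VirtualHost>
<VirtualHost *:443>
    ServerName  site-b.example
    ServerAlias www.site-b.example
    DocumentRoot /var/www/site-b
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/site-b.crt
    SSLCertificateKeyFile /etc/ssl/example/site-b.key
</VirtualHost>
```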
