There is an increasing need to deploy SSL sites (SPDY, HTTP/2, and SSL Everywhere). Traditional SSL sites require deploying one SSL certificate per site. This gets very expensive ordering and maintaining many SSL certificates. Consolidating SSL resources by utilizing wildcard and Subject Alternative Names (SAN) certificates reduces the maintenance and cost of deploying SSL sites.

SSL Review

A quick review on how SSL works. You type a name into your web browser (i.e. www.mycompany.example), the web browser connects and verifies that the certificate that is presented is signed by a trusted party and that the name matches the requested name. Should any of these checks fail, you get a nasty-gram from your browser. In the past this required a single SSL certificate per IP address, but Server Name Indication (SNI) makes it possible to attach multiple SSL certificates to a single IP address as long as the client supports SNI.

Traditional Cert

A traditional certificate only contains a single name.


Wildcard Certs

A wildcard cert replaces a single name with a wildcard character. Browsers will treat the “*” character as any valid name.


Subject Alternative Names

SAN cert are similar to a traditional SSL cert with the added bonus that you can provide a list of “alternative” names that are valid. For example a SAN cert could be limited to only the following names

What type of cert to use

These examples highlight my recommendations for what type of certificate to use. Sites that transact sensitive date (i.e. SSN or CCN) should have their own certificate. Sites that have a low level of security and a high number of names would benefit from a wildcard certificate. A middle ground would be a SAN certificate. When using SAN certs it is best to group together by organization or security classification.

How to consolidate services

The above should help in reducing the number of certificates that you have. If you want to further reduce the number of IP addresses that you’re using for your sites please read my companion article on Routing HTTP by request headers.  There's also another DevCentral article about SSL Profiles that you can learn more about SSL.