Setting up SSL for subdomains, IP address how do

So I have one domain with multiple subdomains, which I want to be able to serve through HTTPS. The domains are:

kickassapp.com

www.kickassapp.com (only redirects to kickassapp.com)

hi.kickassapp.com

Now, I'm not certain how SSL certificates and signing agents work with www. and no-www domains. The one I'm thinking about buying is:

http://www.namecheap.com/ssl-certificates/geotrust-ssl-certificates/rapidssl-certificate.aspx

From what I have understood I will need two certificates, one for kickassapp.com and one for hi.kickassapp.com, if I don't want to go for the wildcard version which costs 10x as much.

But I have also read that you need a dedicated IP. I don't know if it's per domain or just per webserver?

> You also need to have a dedicated IP address (can be ordered at your web host) and a CSR generated on your web server for the domain name.

Does this mean I need two dedicated IPs, one for kickassapp.com and one for hi.kickassapp.com? I'm not really sure how this relates to what linode offers. I assume that the IP I have assigned is dedicated? Will I need to request a new IP for hi.kickassapp.com? This seems a bit overkill for what I'm doing.

I'd love to be sure of what I'm doing before paying for anything…


If you use one certificate, it will have to be valid for any hostname you want to use with it. In this case, kickassapp.com, www.kickassapp.com, and hi.kickassapp.com. Some certificate authorities will do this in one certificate, using the Certificate Subject Alternative Name field.

You might be able to optimize this a bit if you use just one hostname for SSL traffic. Most folks aren't going to do https://hi.kickassapp.com/; rather, they're going to go to hi.kickassapp.com and then you're going to redirect to https. What I would do is get a certificate for kickassapp.com (and www.kickassapp.com, if they'll throw it in for free), and redirect hi.kickassapp.com to https://kickassapp.com/hi/. This will throw a cert error if someone goes to https://hi.kickassapp.com/, but it is usually an obvious and self-explanatory error.

Multiple certificates are also a possibility. It is no longer the case that you must have a separate IP address for each SSL certificate (see here for why). BUT! -- and this is a big but, I cannot lie -- it is not supported by all browsers/operating systems yet. Notably, Windows XP and Android 2.x lack support for it.

To summarize: SSL is a mess, certificates are a mess, IPv4 is a mess, Windows XP is a mess, and you'll probably want to present one certificate per IP/port, and that certificate better recognize the hostname the browser is connecting to. Or adopt a "IPv6, SNI, or GTFO" policy and tell XP users without IPv6 to get with the program :-)
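Added example, not code from the post or from Linode: a check of whether the three names in the question are covered by a certificate's Subject Alternative Name entries (including the wildcard case, which does not cover the bare apex), plus a probe that connects with SNI to show which certificate a server actually presents for a given name. The SAN lists in the demo are constructed sample data.

```python
import socket
import ssl

# Hostnames from the question above.
REQUIRED_HOSTS = ["kickassapp.com", "www.kickassapp.com", "hi.kickassapp.com"]


def hostname_matches(pattern: str, host: str) -> bool:
    """Match a host against one SAN dNSName entry, RFC 6125 style.

    A wildcard is honoured only as the whole leftmost label and matches
    exactly one label: '*.kickassapp.com' covers hi.kickassapp.com but
    NOT the bare apex kickassapp.com and NOT a.b.kickassapp.com.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def missing_hostnames(san_names, required=REQUIRED_HOSTS):
    """Return the required hostnames that no SAN entry in the cert covers."""
    return [h for h in required
            if not any(hostname_matches(p, h) for p in san_names)]


def fetch_san_names(host: str, port: int = 443, server_name: str = None):
    """Connect with TLS, sending SNI = server_name (defaults to host), and
    return the dNSName SAN entries of the certificate the server presents.

    Chain verification stays on; only the hostname check is disabled so the
    mismatched certificate is still returned for inspection (a name-mismatch
    is exactly what this probe is meant to reveal on a shared IP)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    # Constructed SAN lists: a single-name cert, a wildcard, and a full SAN cert.
    for san in (["kickassapp.com"],
                ["*.kickassapp.com"],
                ["kickassapp.com", "www.kickassapp.com", "hi.kickassapp.com"]):
        print(san, "-> missing:", missing_hostnames(san))
```

To see what a live host hands out per name, call `fetch_san_names("kickassapp.com", server_name="hi.kickassapp.com")`; an SNI-aware server returns the SANs of the cert it picked for that name, a non-SNI server returns the default cert for that IP/port.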
