0

I know that you can provide SSL at any subdomain with a wildcard SSL cert, but how can you do that and also have SSL at the root (i.e., when somebody just types https://example.com/ without the www)? Would I just install the wildcard cert, and a second cert for handling root :443 requests? I can't use mod_rewrite because the browser won't get that far before alerting the user of the lack of an SSL.

Joel Coel
orokusaki

4 Answers

3

One certificate with all the domains described in the 'X509v3 Subject Alternative Name' attribute may do the job. Most modern web browsers support this AFAIK, though I am not sure if the well-known commercial CAs do issue such certificates.

Jacek Konieczny
2

Many CAs (including Comodo and DigiCert) will include the base domain name as a free SAN in their wildcard certificates: http://www.sslshopper.com/ssl-certificate-comparison.html?ids=26,13,45

So you could use the one wildcard certificate to secure domain.com and anything.domain.com. That way you don't get any errors, but you still might want to redirect them to www.

Robert
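An added example, not part of the original thread: a simplified Python version of the name check a TLS client applies to a certificate's Subject Alternative Name entries, showing what a wildcard-only certificate covers compared with one that also lists the base domain. The host names are constructed, and the matcher is a reduced form of the RFC 6125 rules (real clients apply further restrictions). The check runs during the TLS handshake, before any HTTP response such as a redirect is sent.

```python
# Added illustration: matching a hostname against a certificate's SAN dNSName list.
# Simplified from the RFC 6125 rules; all names below are constructed samples.

def _labels(name):
    # Comparison is case-insensitive; a trailing root dot is ignored.
    return name.lower().rstrip(".").split(".")

def san_entry_matches(pattern, hostname):
    """Return True if a single dNSName entry covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so "*.example.com"
        # (3 labels) can never cover "example.com" (2 labels).
        return False
    if p[0] == "*":
        # Wildcard honoured only as the whole leftmost label, and never
        # directly under a single label such as "*.com".
        return len(p) > 2 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return p == h

def cert_covers(san_list, hostname):
    """Return True if any SAN entry covers hostname."""
    return any(san_entry_matches(entry, hostname) for entry in san_list)

def uncovered(san_list, hostnames):
    """Hostnames a client would reject with a name-mismatch error."""
    return [h for h in hostnames if not cert_covers(san_list, h)]

if __name__ == "__main__":
    sites = ["example.com", "www.example.com", "app.example.com", "a.b.example.com"]
    candidates = {
        "wildcard only": ["*.example.com"],
        "wildcard + base domain SAN": ["*.example.com", "example.com"],
    }
    for label, sans in candidates.items():
        print(f"{label}: mismatch for {uncovered(sans, sites)}")
```
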
0

You need 2 certificates for this to work I'm afraid.

Joachim
0

I'm using mod_rewrite for this purpose just fine. I redirect requests from https://domain.com/application/ to https://www.domain.com/application/ using the following rules:

    RewriteEngine On

    # Use correct hostname
    RewriteCond %{HTTP_HOST} ^example\.com$
    # Flags are comma-separated with no spaces: R=301 (permanent redirect), L (last rule)
    RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]

So you'd just need one wildcard SSL certificate.

Joel Coel
Thijs Tijsma
  • @Matthias Vance How does that work? If the user reaches `https://mydomain.com` first, their browser will try to connect via SSL and fail before a redirect can be issued, right? – orokusaki Mar 10 '10 at 03:22
  • I tested this on one of our systems, but that happens to have a root and "www." certificate. So, the test is flawed, but I think it's still worth trying out, because the SSL certificate will get sent, no matter what hostname you use (over SSL). So the browser should get the redirect just fine. – Thijs Tijsma Mar 10 '10 at 07:23