
We have a product (hosted PHP app) for which we will be providing SSL certs to people, along with some hosting.

We are in full control of the hosting environment, setting up the user's vhost config, document root, etc.

We are looking at multidomain certificates, which would allow us to bundle many of the domains into one certificate; this would end up saving the users quite a bit of money.

From what I understand though, when adding/removing a domain from a certificate the old one would need to be revoked and new one created - is that correct?

Does any place out there have some sort of API for that?

This place here seems to mention theirs is good for shared hosting along with dealing with single IPs. Has anyone had any experience?

http://www.comodo.com/business-security/digital-certificates/multi-domain-ssl.php

Wizzard
    Keep in mind that Comodo has had some serious security problems recently. I would steer clear of these guys. A cracker was able to convince Comodo.com to provide bogus SSL certificates for google.com, yahoo.com, etc. (potentially a huge problem), and they had a recent security breach. A quick Google search highlights some of the recent problems: http://www.google.com/search?q=comodo+security+breach – Stefan Lasiewski May 29 '11 at 02:04

2 Answers

I would not recommend going with a multi-domain cert (let alone buying them from Comodo based on their reseller's recent security history) because of the revocation and reissuing you would need to do whenever you signed on a new hosted customer. If you had 50 customers and signed on a new one, you would not want to impact those 50 customers simply because you were adding a new one nor would your systems administration staff want to modify 50+ site configs each time you signed up (or lost) a customer.

I think you'd be far better served by structuring your sites so that customer name is in the host portion of your domain. For example, customer1.yourdomainname.com, customer2.yourdomainname.com, etc.

You might want to consider a managed PKI solution from one of the CAs because you have a lot more control over certificate management and maintenance.

If you do not want to invest in the managed PKI route, perhaps a wildcard certificate would better serve. Certificate maintenance still gets removed from the customer provisioning process (unless your private key for your wildcard cert gets compromised, of course).

That being said, I am not sure if any of the CAs have an API, but OpenSSL, NSS, GnuTLS, and JSSE are APIs, so a good portion of your certificate provisioning process could still be scripted and/or automated.

mahnsc
  • We are going to change the structure of the sites, it wasn't something we wanted to do which is why I asked the question, but it seems the sensible choice. Thanks. – Wizzard Jun 01 '11 at 11:06

You only need to revoke a certificate if you consider it compromised. If you just want to add or remove names then a new certificate can be issued without revoking the old one. The new certificate can be dropped in place of the old one and the webserver config reloaded, no need for massive reconfiguration effort or downtime.

What, if anything, to charge for issuing this new certificate is a business decision for the individual CA. Some may treat it as a "reissue" and do it for free, others may not.

Other than cost, an advantage of having multiple domains on the same cert is that you can serve them from the same IP address without relying on SNI.

Since this question was posted, "Let's Encrypt" has appeared on the scene. They seem like a pretty damn good fit for this application. They allow multiple domains on the same cert, don't charge anything, and are designed from the start for automation.

Peter Green
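An added example (not from either answer) that checks which hosted names a certificate's SAN list covers and whether adding or removing a customer requires a new certificate; it contrasts the wildcard layout from the first answer with the multi-domain layout from the second. The function names and the `.example` hostnames are constructed for illustration.

```python
# Added example: does a hosting change require a new certificate?
# All hostnames below are constructed sample data.

def san_matches(san: str, host: str) -> bool:
    """Match one SAN entry against a hostname.

    A wildcard is honoured only as the complete left-most label, so
    '*.example.com' covers 'a.example.com' but neither the apex
    'example.com' nor 'a.b.example.com'.
    """
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]


def plan_reissue(current_sans, hosted_names):
    """Return (needs_reissue, new_san_list, uncovered, stale).

    uncovered: hosted names the current certificate does not cover.
    stale:     SAN entries no hosted name relies on (customer left).
    """
    sans = [s.lower().rstrip(".") for s in current_sans]
    hosted = {h.lower().rstrip(".") for h in hosted_names}
    uncovered = sorted(
        h for h in hosted if not any(san_matches(s, h) for s in sans)
    )
    stale = sorted(
        s for s in sans if not any(san_matches(s, h) for h in hosted)
    )
    keep = set(sans) - set(stale)
    new_sans = sorted(keep | set(uncovered))
    return bool(uncovered or stale), new_sans, uncovered, stale


if __name__ == "__main__":
    # Wildcard layout: a new customer subdomain needs no certificate change.
    print(plan_reissue(
        ["*.yourdomainname.com"],
        ["customer1.yourdomainname.com", "customer2.yourdomainname.com"],
    ))
    # Multi-domain layout: one customer joined, one left -> new SAN list.
    print(plan_reissue(
        ["shop-a.example", "shop-b.example"],
        ["shop-a.example", "shop-c.example"],
    ))
```

The returned SAN list is what would go into the CSR for the replacement certificate; the old certificate keeps serving until the new one is installed and the web server reloaded.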