7

So, I was discussing with a friend about SaaS websites and SSL certificates, and neither of us could explain how an e-commerce site, or any service that would allow a customer to have their own domain, would have SSL-enabled services.

I've searched about UCC and Wildcard Certificates, but neither seems to fit the needs: in the case of a UC Certificate you would need to have a list of domains already made (which is not the case in the SaaS model), and in the case of a Wildcard Certificate you would necessarily need to make each client a subdomain, while many services provide the option to use your own domain.

So how do SaaS services provide SSL for the people with "personalized" domains?

Jonathan DS
  • Have you considered the simple solution? They just have a big block of IP address space and allocate one IP per client. It is difficult to get lots of addresses now, but it was easier in the past. – Zoredache Jul 26 '12 at 19:25

2 Answers

5

The above answer might be a bit dated. Modern SaaS applications that want to serve SSL for multiple customer domains will use SNI. SNI, "Server Name Indication" (RFC 6066, which obsoleted RFC 4366 and RFC 3546), is an extension to Transport Layer Security which allows the client to tell the server the name of the host it is trying to reach.

This is much more efficient than older ways of handling this, like UCC or even worse, 1 IP per certificate. This is also why traditionally, getting custom domains secured would be a cost that gets passed to the customer. It was and is fairly common to see the platform charging $X/mo for custom domains as an additional feature. That's because of the costs involved in running custom domains.

If you're looking to develop something like this today, you'd start out with SNI and serve certificates that way. Depending on your stack, this can be really easy to do (NodeJS) or really hard (traditional apache/nginx based app-proxies). Usually the difficulty is taking in the incoming SNI request and matching it up with your database or other application logic to make sure you're serving the correct cert for that request.

As mentioned, you might be in luck if you're using Node. There are some great libraries that help with this if you want to serve certificates provided by Let's Encrypt and you want to dynamically provide a certificate based on data in the incoming request. For example https://git.coolaj86.com/coolaj86/greenlock.js is a library that helps you with some of this.

Lastly, if you're looking for a third party solution, there's https://clearalias.com, which basically allows you to bypass the difficulties of serving SNI SSL certificates by offering it as a service if you're not particularly keen on managing and maintaining your own SNI layer.

Lu Wang
3

They typically use UCC SSL Certificates, which allow them to secure multiple domain names through the use of Subject Alternative Names. You can reissue a certificate with an updated list of domains it secures, so you're not just limited to the domains you secure when you first create the certificate.

Some providers have products specifically marketed for this, like Globalsign: https://www.globalsign.com/cloud/ which is used by Cloudflare.

As a provider, you could pretty much just create one SSL certificate for each customer you have with the domains and subdomains they need secured, and reissue it if the client has removed a certain domain from their account. As a SaaS provider, you typically control the setup of the SSL certificates as well, so pretty much everything can be automated.

gekkz