
It's time to renew an SSL cert - but the website will soon be moving from a dedicated machine with a fixed IP to a cloud-based host behind a load balancer.

When I renew or re-purchase my SSL cert do I make the decision about whether it should be an SNI / IP based SSL cert at the point of purchase - or is a cert a cert and it's all about where and how it's installed?

I'm hoping the renewed cert can continue to be IP based for now, and in a few months when the website (and its domain ofc) moves to the cloud I can re-use the cert in 'SNI mode'.

Neil Thompson

1 Answer

Neither nor. It is done during configuration of the web server (which at least in Windows is a different step than installing the certificate into the machine certificate store). The SSL cert does not play at all into the setup - any valid SSL cert for a given domain can handle both IP and SNI.

SNI is something that basically enters into the negotiation between the browser and the web server. If the server supports SNI and the browser decides to send the relevant headers, the server can handle the connection appropriately.

kasperd
TomTom
  • awesome - you don't know how hard it's been finding such a clear answer. thx. – Neil Thompson Jun 07 '14 at 13:53
  • With SNI it is even possible for the load balancer to not have a certificate at all. The load balancer could dispatch the connection to a backend based on domain name, and only the backend needs to have a certificate. Dispatching based on domain name is incompatible with DSR, so if the load balancer supports DSR you have to remember to turn that off. – kasperd Jun 07 '14 at 14:26