For SNI Apache setup:

Is it okay to use one security certificate for all virtual hosts with aliases to the URLs?

and

Is there a difference between:

- using one security certificate for all virtual hosts with aliases to the URLs, and
- using a security certificate per virtual host?

1 Answer

You can technically have a certificate with completely different SANs, but I'm not sure how CAs will allow you to have it signed by them, for obvious authentication reasons. So having a certificate per virtual host is simpler (except that you have more stuff to monitor for renewals, and probably a higher cost, except that today you have solutions such as Let's Encrypt), and it enables you to get rid of the following issues:

  1. If you put all names inside the same certificate, as soon as you add a virtual host, you will need to regenerate the certificate to contain the whole new set of names, and some browsers/extensions will complain, for security reasons, that the certificate changed in a strange way/time.
  2. You also kind of defeat the idea of having separate virtual hosts, as you give every visitor of one website the list of all other websites on the same server (which you may be able to find in other ways too).

Patrick Mevzek
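
The two layouts the question compares, sketched as Apache name-based (SNI) virtual hosts. This is an added example, not configuration from the original post; the host names and file paths are placeholders.

```apache
# Constructed example: host names and file paths are placeholders.
# Layout A and Layout B are alternatives; use one or the other.

# Layout A: one certificate shared by every virtual host.
# shared.crt must carry every ServerName and ServerAlias below as a SAN,
# so a visitor of either site can read all the names from the certificate,
# and adding another virtual host means reissuing shared.crt.
<VirtualHost *:443>
    ServerName site-a.example
    ServerAlias www.site-a.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/shared.crt
    SSLCertificateKeyFile /etc/ssl/example/shared.key
</VirtualHost>

<VirtualHost *:443>
    ServerName site-b.example
    ServerAlias www.site-b.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/shared.crt
    SSLCertificateKeyFile /etc/ssl/example/shared.key
</VirtualHost>

# Layout B: one certificate and key per virtual host.
# Each certificate lists only that host's own names, and a new virtual
# host gets its own certificate without touching the existing ones.
# The cost is one renewal to track per host.
<VirtualHost *:443>
    ServerName site-a.example
    ServerAlias www.site-a.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/site-a.crt
    SSLCertificateKeyFile /etc/ssl/example/site-a.key
</VirtualHost>

<VirtualHost *:443>
    ServerName site-b.example
    ServerAlias www.site-b.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/site-b.crt
    SSLCertificateKeyFile /etc/ssl/example/site-b.key
</VirtualHost>
```

With either layout, `openssl x509 -in <certificate file> -noout -text` prints the Subject Alternative Name list, which is exactly what each visitor's client receives.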