4

We have dozens of thousands of domains which we host. We want to provide SSL/TLS for all of them, on a single IP. Apparently, SNI allows us to do this. However, this suggests having literally dozens of thousands of certificates at our SSL termination server.

Are there any "natural" or "artificial" limitations on the number of certificates that may be installed on an SNI server?

  • A "Natural" limitation is imposed by nature, such as the performance of searching for a cert in a list of thousands.
  • An "Artificial" limitation is imposed by human rules, such as software that would prevent us from installing too many certs, perhaps some rule in the SNI protocol.

... Or any other problems you can come up with?

I believe we can divide the number of certs necessary by ~100 by bundling them into SAN certs, but for the purposes of this question, please assume that's either not possible, or has already been done and we still have dozens of thousands of certs to serve.

What are the limitations? Do you think this is possible?

lance.dolan
  • 3,493
  • 27
  • 36
  • Do you have a plan for the resources that will actually do the SSL termination? For example, were you going to have multiple servers load-balanced behind that single IP, or just a single server? A single server may not be able to perform all the work. Also, even if you have multiple servers, your load balancer may be a single point of failure. Heroku for example has a large number of customers using SNI-based SSL, in order that multiple customers can share one IP address, reducing costs. Heroku uses DNS-based load balancing in order to accomplish this. – Gabe Kopley Mar 10 '17 at 00:12
  • @GabeKopley: We have an enterprise quality solution involving CDN feeding to Elastic Load Balancer, feeding to N number of app servers, all scaling on demand. We don't have a single point of failure and performance isn't a problem currently as we serve thousands of domains. Now it's time to encrypt all that traffic. – lance.dolan Mar 10 '17 at 00:26
  • (I'm not an expert on ELB). If you're not constrained by ELB SNI configuration, I guess it must be an L4 ELB, and you have termination servers behind it, and you're wondering, if you put all the certs on all the termination servers, what the max number of certs might be? – Gabe Kopley Mar 10 '17 at 00:31

1 Answer

0

Purely for posterity since I received no answer submissions:

We're now in production with hundreds of certs by compressing domains into 100 per SAN cert. While we haven't tested dozens of thousands of certs yet, it appears that there are no artificial limitations as I described above. I would assume there are only natural limitations. I assume performance will scale inversely with the number of certs to serve. To what degree that performance might change is still unknown to me entirely, and is surely dependent on hardware and architecture.

lance.dolan
  • 3,493
  • 27
  • 36
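The "natural" limitation the question raises (searching for a cert in a list of thousands) and the answer's assumption that performance scales inversely with the number of certs both hinge on how the termination server maps the SNI name to a certificate. The TLS server_name extension (RFC 6066) only carries the hostname the client asked for; nothing in the protocol counts or bounds the certificates held on the server side, so the cost is whatever data structure the server uses. The following is an added example, not code from the question, the answer, or any particular server: it models certificates as plain objects with a SAN list (constructed sample data, `san-N` names and `*.example.test` hostnames are made up), builds a hash index of exact and single-label wildcard names, and shows that a lookup is one or two dictionary probes regardless of whether 100 or 10,000 certs are loaded. The `make_sni_callback` helper shows where this plugs into Python's real `ssl.SSLContext.sni_callback` API; the `contexts` mapping it takes is assumed to be built by the caller from real key/cert files.

```python
"""Hostname -> certificate index for an SNI-terminating server (added example)."""
from dataclasses import dataclass, field
import timeit


@dataclass
class Cert:
    name: str                       # label for the cert, e.g. its file name (constructed)
    sans: list = field(default_factory=list)   # dNSName entries from the SAN extension


def build_index(certs):
    """Return (exact, wildcard) dicts mapping lower-cased names to a Cert.

    Building is O(total SAN entries) and happens once at load time; the first
    cert listing a name wins, which mirrors what most servers do with duplicates.
    """
    exact, wildcard = {}, {}
    for cert in certs:
        for san in cert.sans:
            san = san.lower().rstrip(".")
            if san.startswith("*."):
                wildcard.setdefault(san[2:], cert)   # key is the parent domain
            else:
                exact.setdefault(san, cert)
    return exact, wildcard


def lookup(index, server_name):
    """Resolve an SNI hostname to a Cert in O(1), or None for the default cert."""
    exact, wildcard = index
    host = server_name.lower().rstrip(".")
    if host in exact:
        return exact[host]
    # RFC 6125 style wildcard: '*' covers exactly one leftmost label, so
    # "a.b.example.test" must NOT match "*.example.test".
    label, _, parent = host.partition(".")
    if label and parent and parent in wildcard:
        return wildcard[parent]
    return None


def sample_certs(n_certs, per_cert=100):
    """Constructed data: n SAN certs, each with 100 hostnames plus one wildcard."""
    certs = []
    for i in range(n_certs):
        sans = [f"site{i * per_cert + j}.example.test" for j in range(per_cert)]
        sans.append(f"*.wild-{i}.example.test")
        certs.append(Cert(name=f"san-{i}", sans=sans))
    return certs


def lookup_seconds(n_certs, server_name, number=20000):
    """Time `number` lookups against an index of n_certs certs (illustration only)."""
    index = build_index(sample_certs(n_certs))
    return timeit.timeit(lambda: lookup(index, server_name), number=number)


def make_sni_callback(index, contexts, default_ctx):
    """Build a callback for ssl.SSLContext.sni_callback (Python 3.7+).

    `contexts` is assumed to map Cert.name -> a preloaded ssl.SSLContext whose
    load_cert_chain() was called with that cert's key and chain; `default_ctx`
    is served when the client sends no SNI or an unknown name.
    """
    def callback(ssl_socket, server_name, ssl_context):
        cert = lookup(index, server_name) if server_name else None
        ssl_socket.context = contexts.get(cert.name, default_ctx) if cert else default_ctx
        return None   # None tells the ssl module the handshake may continue
    return callback


if __name__ == "__main__":
    # Lookup cost should be flat: the dict size barely matters at this scale.
    for n in (100, 10000):
        print(f"{n:>6} certs: {lookup_seconds(n, 'site42.example.test'):.4f}s for 20000 lookups")
```

Wildcard handling is the part worth getting right: treating `*.example.test` as a prefix match would let a cert for one customer be served for a nested hostname it was never meant to cover, so the match is deliberately limited to a single label.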