[thelist] Quick SSL Cert Question

Ken Schaefer ken at adOpenStatic.com
Wed Jun 23 21:10:01 CDT 2004


You cannot allocate an SSL cert to a "subdomain". "this.domain.com" must be
a host, same with "that.domain.com". The only exception (sort of), is
wildcard SSL certs that match any host within a domain (but again, you still
need a host(s)).

Now, an SSL certificate has the DNS name of the host in question embedded in
it. The client browser checks that the hostname of the URL being requested
matches that embedded in the certificate (this is part of the identity
verification checks that certificates give you).

BUT, the Host: HTTP header is encrypted when transmitted from client to
server, so the server cannot use it to determine which website the request
should be routed to.

So, the browser must request a FQDN (this.domain.com) BUT the Host: HTTP
header cannot be used by the server to determine which website the request
can be routed to. So, the only things that can be used are IP address and
Port number.

So, for each host, you need to have a unique IP Address + TCP Port Number
combination (host headers not allowed).

IIS will happily let you install multiple SSL certs for different websites
provided that they have a different valid identity (Port Number + IP address


----- Original Message ----- 
From: "Rob Smith" <rob.smith at THERMON.com>
To: "Thelist (E-mail)" <thelist at lists.evolt.org>
Sent: Thursday, June 24, 2004 2:05 AM
Subject: [thelist] Quick SSL Cert Question

: Hey gang,
: I got a new web server and am setting it up right now. We have purchased
: SSL certs for the various sites we host. Currently all sites are governed
: host headers and all IPs are unassigned during this testing phase. The
: sites in question are subdomains (i.e. this.domain.com and that.domain.com
: According to the SSL cert rules, you must have only one cert per domain
: server.
: Fact: Host headers and SSL certs do not communicate. However, static IPs
: and SSL certs do.
: (Deep breath) I just need someone to confirm, with their experience of
: working with multiple SSL certs on the same box on the same domain with
: different subdomains, that you can have two certs on the same domain, but
: different subdomains, which have different IP addresses.
: Currently since all sites are unassigned, IIS 5 is only allowing me to
: install one and only one SSL Cert. IF the sites were given different IP
: addresses, then IIS 5 would allow me to install different SSL certs on
: different subdomains.
: A Big Texas Thank you in advance!
: Rob Smith
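
An added example, not part of either message above: a Python check of the rule stated in the reply, that every SSL site needs its own IP address + port combination because the host header is not used to select the site. The "IP:Port:HostHeader" binding string format is assumed here, and the site names and addresses are constructed sample data.

```python
from collections import defaultdict

# Constructed sample data (not from the thread): site name -> SSL bindings,
# written as "IP:Port:HostHeader"; an empty IP means "All Unassigned".
SAMPLE_SITES = {
    "this.domain.com": ["192.0.2.10:443:"],
    "that.domain.com": ["192.0.2.11:443:"],
    "shop.domain.com": [":443:"],
    "mail.domain.com": [":443:mail.domain.com"],
    "admin.domain.com": ["192.0.2.10:8443:"],
}


def parse_binding(binding):
    """Split 'IP:Port:HostHeader' into (ip, port, host); ip '' = unassigned."""
    parts = binding.split(":")
    if len(parts) != 3:
        raise ValueError(f"expected IP:Port:HostHeader, got {binding!r}")
    ip, port, host = parts
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"bad port in {binding!r}")
    return ip, int(port), host


def audit_ssl_bindings(sites):
    """Return (conflicts, ignored_host_headers).

    conflicts: {(ip, port): [site, ...]} for every IP+port claimed by more
    than one SSL site. ignored_host_headers: sites whose SSL binding names a
    host header, which the server cannot use to choose a site.
    """
    claimed = defaultdict(list)
    ignored = []
    for site, bindings in sites.items():
        for binding in bindings:
            ip, port, host = parse_binding(binding)
            claimed[(ip, port)].append(site)
            if host:
                ignored.append(site)
    conflicts = {k: sorted(v) for k, v in claimed.items() if len(v) > 1}
    return conflicts, sorted(ignored)


if __name__ == "__main__":
    conflicts, ignored = audit_ssl_bindings(SAMPLE_SITES)
    for (ip, port), names in conflicts.items():
        print(f"{ip or 'All Unassigned'}:{port} shared by {', '.join(names)}")
    print("host header ignored for SSL:", ignored)
```

In the sample, the two sites left on "All Unassigned" port 443 are reported as sharing one identity, while the sites given their own IP address or a different port are not.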
