SNI multiple domain ssl apache iis

1
votes

we need to host multiple site with different domains. for instance 

a.test.dk
b.test.dk
a.test.fi
b.test.fi

Now from what i know is that being either in apache or iis you would need 1 ip/host when using a domain ssl certificate, that means we would have to buy 4 certificate and 4 ip addresses to host them on

another option is to use wildcard certificates , if we buy a *.test.dk and a *.test.fi we can use 2 ip/addresses and 2 certificates to host the same amount of sites since our iis/apache can use sni.

But now my real question : there is also something called multiple domain ssl

will this be allowed to run all 4 sites under 1 ip-address?

because we are strugling with our use of external ip-addressess at this moment.

1
apacheiisssl

1 Answers

0
votes

Well you're confusing 2 different things. You're confusing wildcard certificates and SNI (Server Name Indication). They are definitely different solutions to similar problems.

Wildcard certs do not rely on header inspection to encrypt your traffic, you just point the DNS at the IP address you want and your request goes to whatever site you've configured in IIS.

SNI is different and is what you want. SNI inspects each HTTP request and figures out what IIS site you want based on the host headers. Before SNI existed you couldn't inspect headers in SSL requests because the headers were encrypted too.

With SNI, assuming you have certificates for each site (wildcard certs or single site certs, UCC certs, or some combination of those) you can use SNI to inspect each HTTP request and serve up the appropriate SSL cert and site. You can do this for as many websites as you'd like and share 1 IP:port combination across them all.

Here is a WikiPedia article that explains it in a little more detail:

http://en.wikipedia.org/wiki/Server_Name_Indication#Background_of_the_problem

Here is an article on how to configure it in IIS 8 and above:

https://www.digicert.com/ssl-certificate-installation-microsoft-iis-8.htm#multiple

In step 18 in those instructions is where you enable SNI.

Here is an article on how to configure it in Apache 2.2.12 and above:

https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm