Do I really need 2 SSL certifications to redirect a naked domain to www?

3
votes

I have a website, which I only want to be used with the https://www-prefix. I have to 2 url-redirects configured in my web.config (asp.net MVC on Azure websites), one from http to https, and one from naked domain to www.domain.

I initially bought an SSL certificate for my www.domain.com only, but then when someone would enter the naked domain, he would get a browser warning/block before the redirect could even happen. Eventually I bought a 2nd SSL cert. for my naked domain as well and it all works now, but I can't help wonder, do I really need to buy 2 certificates for this scenario?

1
asp.net-mvciissslssl-certificateazure-web-app-service

1 Answers

6
votes

Yes, you really need a certificate valid for the two domains if you want to be able to redirect users who manually enter the naked domain with the https protocol.

It can be two certificate, but it can be one certificate containing the two domains. Most SSL vendors include for free the naked domain.

(And, there is Let's encrypt that can give you certificate for free.)

Furthermore, having a certificate for the naked domain allow you to use HSTS including sub-domains, which can protect all your sub-domains against SSL strip.