4 votes

I have a single site in IIS with a blank host header and 50+ unique domains that all point to this one site. Is there a catch-all or wildcard SSL available that I can install on the site so it will work with each domain? I know wildcard certs exist but I think they're limited to a single TLD.

I was hoping to install multiple certs on a single site since each domain already has a cert purchased but that isn't going to happen.

I had a look at "IIS 7 SSL for multiple sites with a single IP", which points to http://www.sslshopper.com/article-ssl-host-headers-in-iis-7.html, which says I need a unified communications certificate: http://www.sslshopper.com/unified-communications-uc-ssl-certificates.html

Any ideas? Will the unified cert work?

IIS 7.5


2 Answers

5 votes

Wildcard SSL certs are for a single domain. For your situation you'd have to have a certificate that worked for every domain, which, err, wouldn't be that safe; you could, for example, spoof hotmail.com.

However, there is an attribute in X.509 called Subject Alternative Name (SAN). That allows for a fixed list of domains for which the certificate may be used, but the list is fixed at issuance time. Your link says it uses that method, but I'm confused why they say they're primarily for UC server; they work fine as plain old HTTPS certificates. I'm using one right now on a development box.

In case you think they're specialised, Verisign does them too, as does Entrust.

-1 votes

In principle, each server (meaning whatever program on the server side answers to the client's request) can send only one certificate. It also will send a chain of certificates up to the root certificate.

With plain SSL/TLS, the handshake is done before the client has a chance to indicate for which domain it wants a page (this is done in the HTTP header), thus you have no chance here to offer the right certificate.

A common solution is that the server has several IP addresses (one for each domain, or at least one for each SSL certificate), and thus can recognize by the IP address which certificate should be used. (I don't know how IIS handles this, though.)

Assigning new IP addresses gets more problematic with the increasing scarceness of IPv4 addresses. For this and other reasons RFC 6066 (and its predecessors) defines the server name TLS extension (extension ID 0), which allows the client to include the wanted server name in the ClientHello message (which starts the handshake), allowing the server to select the right certificate.

No serious certification agency will give you a wildcard certificate for *.com or similar, since with such a certificate you can pretend to be almost anyone. A certificate can list multiple domain names, but I have no idea if there is an upper limit in the number of those (both for IIS and the usual clients).
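The two mechanisms discussed in the answers above, a fixed SAN list in the certificate and per-connection certificate selection from the SNI name in the ClientHello, as an added example in Go that is not part of either answer. The certificates are self-signed test material generated in the block (a real site would present CA-issued certificates with the same SAN lists), the domain names are constructed, and the SNI lookup is driven by calling the server's `GetCertificate` callback directly rather than over a socket:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewSANCert builds a self-signed certificate whose Subject Alternative Name
// extension lists exactly `names`. Test-only material: a real deployment
// would present a CA-issued certificate carrying the same SAN list.
func NewSANCert(names []string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: names[0]},
		DNSNames:     names, // fixed at issuance: adding a domain later means re-issuing
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Covers reports whether the certificate's SAN list is valid for host, using
// the matching rules a TLS client applies: exact names, or a leading "*"
// label that stands for exactly one label (so "*.a.example" does not cover
// "a.example" or "x.y.a.example").
func Covers(cert tls.Certificate, host string) bool {
	return cert.Leaf.VerifyHostname(host) == nil
}

// SNIConfig returns a server tls.Config that picks, per connection, the first
// certificate whose SAN list covers the name the client sent in the
// server_name extension of its ClientHello (RFC 6066). A client that sends no
// SNI name matches nothing and is refused.
func SNIConfig(certs []tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			for i := range certs {
				if Covers(certs[i], hello.ServerName) {
					return &certs[i], nil
				}
			}
			return nil, fmt.Errorf("no certificate covers SNI name %q", hello.ServerName)
		},
	}
}

// SelectedNames runs the SNI selection for one ClientHello and returns the
// SAN list of the certificate the server would present.
func SelectedNames(cfg *tls.Config, serverName string) ([]string, error) {
	cert, err := cfg.GetCertificate(&tls.ClientHelloInfo{ServerName: serverName})
	if err != nil {
		return nil, err
	}
	return cert.Leaf.DNSNames, nil
}

func main() {
	// Constructed example: one SAN certificate covering three unrelated
	// domains, plus a wildcard certificate that covers a single domain.
	multi, err := NewSANCert([]string{"shop-a.example", "shop-b.example", "www.shop-c.example"})
	if err != nil {
		panic(err)
	}
	wild, err := NewSANCert([]string{"*.brand.example"})
	if err != nil {
		panic(err)
	}
	cfg := SNIConfig([]tls.Certificate{multi, wild})
	for _, name := range []string{"shop-b.example", "www.brand.example", "deep.sub.brand.example", "brand.example", ""} {
		names, err := SelectedNames(cfg, name)
		fmt.Printf("SNI %-24q -> %v %v\n", name, names, err)
	}
}
```

The SAN certificate answers the question's 50-domain case directly: one certificate bound to the site, with every domain listed at issuance. The SNI path is the alternative when separate certificates must stay separate; it depends on the client sending the extension, which is why clients that omit it get no match here rather than a default certificate.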