multiple ssl certificates on a single ip address

© GlobalSign. A GMO Internet Inc group company. Authentication. Security. Trust.

IPv4 Shortage: Multiple SSL Certificates on a single IP address

Paul van Brouwershaven, Business Development Director EMEA, GlobalSign (@vanbroup on Twitter)

Upload: paul-van-brouwershaven

Post on 08-Aug-2015

www.globalsign.com Authentication. Security. Trust.

GlobalSign Solutions | Visible Trust in an online world

• Server, Database & Network Security: SSL Certificates, Managed SSL

• Developer Solutions: Code Signing, Embedded SSL

• Secure Email: Digital IDs for Individuals, Digital IDs for Departments, Managed Digital IDs

• eDocument / File Security & Compliance: Adobe CDS for PDF, Microsoft Office, Encrypting File System (EFS)

• Automated SSL for Web Hosts: SSL Reseller Program, OneClickSSL

• PKI & Root Signing: Trusted Root for CAs

Innovation | We keep improving!

More demands and requirements for SSL

Article 17 of Directive 95/46/EC of the European Parliament: Security of processing

Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing. Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.

Each SSL Certificate needs its own IP

We are running out of IPv4 addresses

How much time is left?

CA IPv6 Revocation Compatibility

Can we use IPv6?

As long as you select a CA who provides revocation checks (CRL, OCSP) over IPv6. But it won’t solve your IPv4 problem!

Why should my CA do revocation over IPv6?

Why do I need a dedicated IP address?

Request on a non-secure connection

Client

• HTTP Request: Can you please send me /contact.html on www.globalsign.com

Server

• HTTP Reply: Here is the content you requested.

Request on a secure connection

Client

• (TLS Handshake) Hello, I support XYZ Encryption.

Server

• (TLS Handshake) Hi there, here is my public certificate, let’s use this encryption algorithm.

Client

• (TLS Handshake) Sounds good to me.

Client

• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com

Server

• (Encrypted) HTTP Reply: Here is the content you requested.

Server Name Indication (SNI)

Client

• (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.globalsign.com'.

Server

• (TLS Handshake) Hi there, here is my public certificate for www.globalsign.com, and let’s use this encryption algorithm.

Client

• (TLS Handshake) Sounds good to me.

Client

• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com

Server

• (Encrypted) HTTP Reply: Here is the content you requested.

The SSL/TLS handshake

Applications with no SNI Support

• All versions of Internet Explorer on Windows XP

• Android 2.x default browser (other browsers like Opera do support SNI on Android)

• BlackBerry Browser

• Windows Mobile up to 6.5

Operating System Usage - Win XP: 24%

Internet Explorer has 30% market share

30% (Internet Explorer) of 24% (Windows XP) = 7.2% of internet users do not support Server Name Indication (SNI)

Do you want to lose 10% of your visitors?

Should I use/offer SNI for SSL sites?

• There is no problem when you need to secure a website or portal that is used by a closed community or business that has no Windows XP users.

• Provide SNI support for free with an SSL Certificate

− Users can decide to provide an unsecure connection and a warning to visitors with an outdated system.

• Charge an additional fee to users who want full compatibility and thus a dedicated IP address

What are the alternative solutions?

CloudSSL: One certificate, multiple domains

• One SSL Certificate for multiple domain names from different organisations.

• The certificate contains the hosting company’s details.

• Domain control is verified for each domain.

The disadvantages of CloudSSL

• No support for OV, EV

• One certificate shared by many websites

• Many hostnames are visible in the certificate

• Visitor needs to download a bigger certificate (slower)

What if we could use the best of both worlds?

90% SNI / 10% CloudSSL

SNI combined with CloudSSL

User requests website

Secure website delivered

With SNI support

Windows XP (has no SNI support)

Two SSL Certificates for one site!

• No additional costs

• Sites can use all types of certificates (including EV)

• Fully automated provisioning of the legacy CloudSSL Certificate

• No email verification needed

• All domain control checks performed automatically by the program.

Completely Automated Process

Thank you

Paul van Brouwershaven [email protected]