multiple ssl on one ip
Hosting multiple SSL Certificates on one IP address
More demand and requirements for SSL
• Google
• HTTPS by default on all Google services
• HTTPS Everywhere initiative
Latest:
• HTTPS used as a ranking signal
• SSL users rewarded
• Weight in algorithm set to increase
• PCI compliance
• Facebook
We are running out of IPv4 addresses
How much time is left?
Can we use IPv6?
• As long as you select a CA who provides revocation checks (CRL, OCSP) over IPv6.
• But it won’t solve your IPv4 problem!
Why do I need a dedicated IP address for SSL?
Request on a non-secure connection
Client
• HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• HTTP Reply: Here is the content you requested.
Request on a secure connection
Client
• (TLS Handshake) Hello, I support XYZ Encryption.
Server
• (TLS Handshake) Hi there, here is my public certificate, let’s use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
The solution: Server Name Indication
Server Name Indication (SNI)
Client
• (TLS Handshake) Hello, I support XYZ Encryption, and I am trying to connect to 'www.globalsign.com'.
Server
• (TLS Handshake) Hi there, here is my public certificate for www.globalsign.com, and let's use this encryption algorithm.
Client
• (TLS Handshake) Sounds good to me.
Client
• (Encrypted) HTTP Request: Can you please send me /contact.html on www.globalsign.com
Server
• (Encrypted) HTTP Reply: Here is the content you requested.
Applications with no SNI Support
• All versions of Internet Explorer on Windows XP
• Android 2.x default browser (other browsers like Opera do support SNI on Android)
• BlackBerry Browser
• Windows Mobile up to 6.5
Should I use/offer SNI for SSL sites?
• Provide SNI support for free with an SSL Certificate: this will allow each of your customers to have their own individual certificates (with support for higher validation levels, including Extended Validation SSL)
• Combine SNI with a fallback multi-domain certificate for users without SNI compatibility - CloudSSL
CloudSSL: One certificate, multiple domains
• One SSL Certificate for multiple domain names from different organisations.
• The certificate contains the hosting company’s details.
• Domain control is verified for each domain.
SNI combined with CloudSSL
With SNI support
Windows XP (has no SNI support)
Two SSL Certificates for one site!
• No additional costs
• Sites can use all types of certificates (including EV)
• Fully automated provisioning of the legacy CloudSSL Certificate
• No email verification needed
• All domain control checks performed automatically by the program
Learn more: www.globalsign.com