connecting SSL to subdomain [closed]

2020-06-07 07:51发布

问题:

I have an SSL assigned to my main domain and I'm wondering if I can use the SSL to my sub-domain!! I frankly tried it out, but it shows warning page saying that this page is not safe or so on. Is there a solution to this so I can use the SSL on my sub-domain to let clients send their info on a secure connection.

The error message " This webpage is not available"

回答1:

X.509 certificates (often called "SSL Certificates") are usually only bound to a single domain, usually "mydomain.com", "www.mydomain.com" or "secure.mydomain.com". They cannot be used on any other domain name, even if it's a subdomain (so a certificate for "mydomain.com" cannot be used for "www.mydomain.com" and vice-versa).

There currently exist 2 other types of certificates which can be used to simultaneously secure multiple domain names simultaneously:

  • A relatively new type of certificate called an "SAN Certificate" - short for "Subject Alternative Name" - also sometimes called "Unified Communications Certificates" after a feature in Microsoft Exchange Server which requires this certificate type. These certificates declare a finite list of hostnames they can be used against.

  • Then there's wildcard certificates. Historically these were very expensive but recently we've seen a huge drop in price. With one of these certs you can secure "anysubdomain.mydomain.com" including the top-level "mydomain.com".

Without either of these SSL certificates you'll need to get an SSL cert for each domain name you want to secure.

Note that having a different certificate for each hostname/domain-name can cause problems because the TLS system establishes security for the channel before the HTTP Host: header is sent - this means that each secured website will need its own IP address or port number.

...unless you use SNI (Server Name Identification) certificates. The good news is that all modern browsers and servers support it SNI, so multiple secure websites can share IP addresses and port bindings with their own certificates (so without needing a single SAN certificate that lists all domains on it).

The bad news is that Internet Explorer on Windows XP cannot connect to SNI websites (but Chrome and Firefox are okay), and on the server-side you need at least Windows Server 2012 or later. So adopt SNI based on how popular IE+XP usage is.