connecting SSL to subdomain [closed]

落爺英雄遲暮 提交于 2019-12-21 03:14:07

问题


I have an SSL assigned to my main domain and I'm wondering if I can use the SSL to my sub-domain!! I frankly tried it out, but it shows warning page saying that this page is not safe or so on. Is there a solution to this so I can use the SSL on my sub-domain to let clients send their info on a secure connection.

The error message " This webpage is not available"


回答1:


X.509 certificates (often called "SSL Certificates") are usually only bound to a single domain, usually "mydomain.com", "www.mydomain.com" or "secure.mydomain.com". They cannot be used on any other domain name, even if it's a subdomain (so a certificate for "mydomain.com" cannot be used for "www.mydomain.com" and vice-versa).

There currently exist 2 other types of certificates which can be used to simultaneously secure multiple domain names simultaneously:

  • A relatively new type of certificate called an "SAN Certificate" - short for "Subject Alternative Name" - also sometimes called "Unified Communications Certificates" after a feature in Microsoft Exchange Server which requires this certificate type. These certificates declare a finite list of hostnames they can be used against.

  • Then there's wildcard certificates. Historically these were very expensive but recently we've seen a huge drop in price. With one of these certs you can secure "anysubdomain.mydomain.com" including the top-level "mydomain.com".

Without either of these SSL certificates you'll need to get an SSL cert for each domain name you want to secure.

Note that having a different certificate for each hostname/domain-name can cause problems because the TLS system establishes security for the channel before the HTTP Host: header is sent - this means that each secured website will need its own IP address or port number.

...unless you use SNI (Server Name Identification) certificates. The good news is that all modern browsers and servers support it SNI, so multiple secure websites can share IP addresses and port bindings with their own certificates (so without needing a single SAN certificate that lists all domains on it).

The bad news is that Internet Explorer on Windows XP cannot connect to SNI websites (but Chrome and Firefox are okay), and on the server-side you need at least Windows Server 2012 or later. So adopt SNI based on how popular IE+XP usage is.



来源:https://stackoverflow.com/questions/12423726/connecting-ssl-to-subdomain

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!