There are two types of Multi use SSL certificates available today and they are explained here:
Wildcard Certificates – Wildcard certificates are widely used to secure multiple subdomains under a single unique fully qualified domain name. The benefit with this certificate is that that it not only makes it simple to manage the certificate, but it also helps you in lowering your administrative costs. It provides immediate protection to your current and future subdomains.
- Wildcard certificates help you in managing the certificate easily because one certificate is enough for all present and future subdomains. This in turn also reduces your administrative cost as you do not have to buy new SSL certificates often.
- Wildcard certificates are no different than normal SSL certificates, which support the wildcard character ‘*’ added as a prefix to the fully qualified domain names. This is how it is enabled to secure multiple services. With wildcard certificates there are no specific service names involved, instead they always contain a wildcard character as a prefix to the domain name.
- It is always advisable and preferable to use a wildcard certificate, which is so much more flexible than a single purpose certificate and it can be applied to a number of different services. Additionally, you can also make changes like adding or replacing the services without updating or buying a new certificate.
Here is an example to understand how wildcard certificates work – for domain name exmpl.com you buy a wildcard certificate, then that certificate will also work for www.exmpl.com, xyz.exmpl.com and any other subdomain. Wildcard certificate refers to the fact that it is provisioned for *.exmpl.com
SAN Certificates – A SAN certificate is used to protect multiple domain names with a single certificate. They are different than wildcard certificates in a way that they can support an unlimited number of subdomains as long as the domain names are the same. SAN certificates only support fully qualified domain names which are entered in the certificate. SAN certificates are impressive because they can support more than 100 different fully qualified domain names in a single certificate; this however, depends upon the issuing certificate authority.
- SAN certificates or Subject Alternate Name certificates are also known as Unified Communications Certificates as they are primarily structured to support real-time communications.
- SAN or UCC certificates are most useful to businesses or organizations that are looking to use different root or domain names to perform internet facing services. For example, if there is an organization which uses two domains, internal domain – abc.exmpl.net and external domain – abc.exmpl.com then only a SAN certificate will provide security to the unified communication of both these fully qualified domain names. While if the organization goes for a wildcard certification then it will need two wildcard certificates for .net and .com as they are two different domains.
- Application service providers (ASP), who host applications for different clients with each client using its own unique domain name, can benefit a lot by using SAN certificates. If ASPs use SAN certificates they can use a single certificate to provide security services to multiple clients. Here, it is important to note that the site seal and certificate provide security only to the primary domain names entered in the certificates and not to any other domain names. The certificate only includes the domain names which were verified at the time of purchase.
Limitations of the multi domain certificates:
While on one side the multi domain certificates are highly useful and cost effective, there are a few limitations involved as explained here.
- SAN certificates are not compatible with wildcard certificates. If you buy a SAN certificate then each of your subdomains must be registered as a unique domain name entry in the certificate at the time of purchase. And every time you decide to add or remove a domain name you will have to update or re-deploy the certificate to each host server.
- When ASPs host websites for multiple clients, they should be aware that all domain names are there in the SAN certificate. And if the ASP decides that it does not want one site to appear linked with another site then it has to use a different kind of certificate.
Which certificate is best for you?
Basically the multi use certificates are used to secure multiple web services using one certificate. To achieve this, the certificates either add an alternate name to common single certificate or use a wildcard to replace the subdomain or prefix name in the certificate.
If the organization uses one public domain and one private domain name to separate the internal and external name spaces, then SAN Certificate is their best bet.
And for the organizations that uses one and only one public domain name, the Wildcard SSL Certificate will be the best option.