Wednesday, August 8, 2018

SSL certificate types


SSL (TLS) certificates are usually categorized along two dimensions: how the applicant was validated, and which names the certificate covers.

From the validation dimension, three types of SSL certificate are available today:
  1. Extended Validation (EV SSL)
  2. Organization Validated (OV SSL) 
  3. Domain Validated (DV SSL)
From the domain name dimension, there are also three types of SSL certificate available today:
  1. Single-name (valid for exactly one host name)
  2. Wildcard (valid for the hosts one label below a domain)
  3. Multi-name (valid for multiple domains/subdomains, called a SAN or UC certificate)
A wildcard cert for *.domain.com is valid for the subdomains directly under domain.com (sub1.domain.com, sub2.domain.com, ...).
A single-name cert for host.domain.com is valid only for that one host.
A multi-name cert lists several names, e.g. host1.domain1.com and host2.domain2.com, in the Subject Alternative Name extension and is therefore called a SAN certificate. Vendors also sell them as UCC (Unified Communications Certificate).

For example:

When a wildcard SSL certificate is issued for *.domain.com, it covers an unlimited number of subdomains directly under the main domain. The asterisk stands for exactly one DNS label: it does not cover the bare domain.com itself (CAs usually add domain.com as a second SAN entry for that), and it does not cover names two levels down such as aaa.sub1.domain.com. Keep in mind that every host serving the wildcard shares the same private key, so a compromise of any one of them exposes all of them.

sub1.domain.com
sub2.domain.com
sub3.domain.com
(any other single label).domain.com

If the wildcard SSL certificate is issued for *.sub1.domain.com, it covers all second-level subdomains directly under sub1.domain.com (and, again, not sub1.domain.com itself):

aaa.sub1.domain.com
bbb.sub1.domain.com
ccc.sub1.domain.com
(any other single label).sub1.domain.com

If you want to secure a limited number of different domains and second-level domains, choose a multi-domain SSL certificate. A single certificate can carry many names; the usual ceiling of 100 names is CA policy (Let's Encrypt, for example, caps a certificate at 100 names), not a limit of the certificate format. The names may mix bare domains, subdomains and deeper host names:

domain.com
sub1.domain.com
aaa.sub2.domain.com
domain2.net
domain3.org

Underneath


You may be wondering what the technical difference is between these types. It all comes down to the Subject Alternative Name (SAN) extension that is embedded in the certificate when it is issued: each name the certificate covers is one dNSName entry in that extension, and the browser matches the host name it connected to against those entries (current browsers ignore the older Common Name field in the Subject).
When the SAN extension holds a single dNSName entry naming one host, it is a single-domain certificate.
If that single entry starts with an asterisk (e.g. *.domain.com), it is a wildcard certificate.
If the extension holds many dNSName entries, it is a multi-domain certificate. Multi-domain certificates sometimes carry 100 or more entries, and some or all of them may be wildcards, giving a hybrid "multi-domain wildcard" certificate. Two practical consequences: the certificate grows with every entry and is sent in full on every TLS handshake, and every name on it is visible to anyone who inspects the certificate (including through Certificate Transparency logs), so unrelated sites that share one certificate are publicly linked.
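To make the matching rules concrete, here is an added example (not code from the post or from any of the referenced pages) that implements host name matching against a certificate's SAN dNSName entries following RFC 6125 and the CA/Browser Forum rule that a wildcard must be the whole leftmost label, and then classifies a SAN list into the single-name / wildcard / multi-name types described above. The SAN lists it uses are constructed stand-ins for the wildcard and multi-domain certificates in the examples earlier on the page, not real certificates; the rejection of wildcards with fewer than two labels after them (e.g. *.com) and of wildcard matches against xn-- A-labels are assumptions that mirror browser behaviour rather than anything stated in the post.

```python
"""Host name matching against SAN dNSName entries, plus the single/wildcard/
multi-name classification from the post. Added example; SAN lists below are
constructed and do not come from real certificates."""
from typing import Iterable, List

# Constructed SAN dNSName lists standing in for the certificate shapes the
# post describes (assumption: illustrative names only).
SINGLE_NAME_SANS = ["host.domain.com"]
WILDCARD_SANS = ["*.domain.com"]
SECOND_LEVEL_WILDCARD_SANS = ["*.sub1.domain.com"]
MULTI_NAME_SANS = ["domain.com", "sub1.domain.com", "aaa.sub2.domain.com",
                   "domain2.net", "domain3.org"]
HYBRID_SANS = ["domain.com", "*.domain.com", "*.sub1.domain.com", "domain2.net"]


def _normalize(name: str) -> List[str]:
    """Lower-case, drop a trailing dot, and split into DNS labels."""
    name = name.lower().rstrip(".")
    return name.split(".") if name else []


def dnsname_matches(presented: str, reference: str) -> bool:
    """Return True if the SAN dNSName `presented` covers host name `reference`.

    Rules (RFC 6125 section 6.4.3 plus the CA/Browser Forum restriction that a
    wildcard must be the entire leftmost label):
      * comparison is case-insensitive, label by label;
      * a wildcard is only recognised as the whole leftmost label ("*.");
      * the wildcard stands for exactly one label, so *.domain.com covers
        sub1.domain.com but neither domain.com nor aaa.sub1.domain.com;
      * a wildcard needs at least two labels after it (assumption: no *.com);
      * a wildcard never matches an IDNA A-label (xn--...).
    """
    p = _normalize(presented)
    r = _normalize(reference)
    if not p or not r or "*" in reference:
        return False
    if "*" not in presented:
        return p == r                      # plain name: exact label match
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False                       # partial or non-leftmost wildcard
    if len(p) < 3:
        return False                       # "*.com" would cover every .com host
    if len(p) != len(r):
        return False                       # wildcard spans exactly one label
    if r[0].startswith("xn--"):
        return False                       # RFC 6125: wildcards skip A-labels
    return p[1:] == r[1:]


def cert_covers(sans: Iterable[str], hostname: str) -> bool:
    """True if any dNSName in the certificate's SAN list matches hostname."""
    return any(dnsname_matches(san, hostname) for san in sans)


def classify(sans: List[str]) -> str:
    """Name the certificate type the way the post's "Underneath" section does:
    one dNSName -> single-name or wildcard; several -> multi-name, or
    multi-name wildcard when any entry is a wildcard."""
    if not sans:
        raise ValueError("certificate has no dNSName SAN entries")
    has_wildcard = any(san.startswith("*.") for san in sans)
    if len(sans) == 1:
        return "wildcard" if has_wildcard else "single-name"
    return "multi-name wildcard" if has_wildcard else "multi-name"


if __name__ == "__main__":
    for host in ("sub1.domain.com", "domain.com", "aaa.sub1.domain.com",
                 "SUB1.DOMAIN.COM"):
        print(f"*.domain.com covers {host:22} -> {cert_covers(WILDCARD_SANS, host)}")
    for label, sans in (("single", SINGLE_NAME_SANS), ("wildcard", WILDCARD_SANS),
                        ("multi", MULTI_NAME_SANS), ("hybrid", HYBRID_SANS)):
        print(f"{label:8} -> {classify(sans)}")
```

Running the script shows the point the wildcard examples make: *.domain.com covers sub1.domain.com (in any letter case) but neither domain.com nor aaa.sub1.domain.com, while the hybrid list is reported as a multi-name wildcard certificate.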

Reference

https://serverfault.com/questions/104160/wildcard-ssl-certificate-for-second-level-subdomain
https://www.digicert.com/subject-alternative-name.htm
https://serverfault.com/questions/391311/how-many-domains-can-be-bound-with-one-ssl-certificate

1 comment:

  1. openssl s_client -connect www.google.com:443 -showcerts
    openssl s_client -host www.google.com -port 443
