Wednesday, 22 September 2010

SAN Certificates – a great way to get more for your money

When it comes to SSL certificates, you have two choices, go for a standard SSL certificate for a single domain, or get a wildcard cert for *.yourdomain.com

I’ve always been a fan of wildcard certificates; I believe in the long run these are cheaper as a single certificate will cater for all of your SSL needs; however wildcard certificates come at a price.

When using IIS or ISA/TMG you have the ability to host multiple domains on a single IP address or Web listener using host headers, however this only applies to HTTP traffic. When using SSL only one SSL certificate can be applied to an IP address.

This causes a problem, do you apply lots of different IP addresses to your web server or ISA/TMG server and use a certificate for each domain, or do you buy a wildcard certificate.

In the environment I work in, we are able to get certificates for pennies, but this doesn’t cover wildcard certificates. This means its difficult to justify a wildcard certificate.

However, there is a way! You can create what is known as “Subject Alternative Name” certificates. This is just like a normal certificate, but it is valid for any other domain you specify.

For example, I could request a SAN cert for:

Webmail.yourdomain.com
Portal.yourdomain.com
Crm.yourdomain.com
Anythingelseyouwant.yourdomain.com


To request a SAN cert, open an mmc and add the certificates snap in to it (ensure you select local computer)

Expand Certificates | Personal | Certificates

Right click on certificates and select All Tasks | Advanced Operations | Create custom request

Click next on the first two prompts, then select the web server template and click next.

Click the details button to expand the web server certificate template, and then click properties.

Add the normal subject names such as Organisation and country. Then add as many common names (domains) as you like!



Follow the rest of the wizard until completion; you will then have a CSR to upload to your certificate provider. This certificate will be valid for all of the domains you specified. If you think far enough in the future and specify some domains you think you may need in the future, it will save even more money!

No comments:

Post a comment