Can I use a trusted CA certificate on multiple sites?

certificate

Solution 1:

You can have a certificate on multiple machines. But unless the "site name" for all the machines is the same (eg a cluster of web servers all serving for one website) your users will get a mismatch error as the certificate wont match the server name they requested.

You can have a certificate on a single machine with multiple sites (eg virtual hosting) but you will have the same problem as above.

If you are serving multiple "sites" from a single server and want users web browsers and the like to be happy you will need multiple certificates and multiple IP addresses assigned to the host. This is because it is the connection that is certified and encrypted and this happens before the client tells you what site it is interested. This is the limitation of the current SSL protocol. This limitation is addressed in the latest protocol but not everything supports that yet.

Update Feb 2017:

Technology has moved on a fair bit since this question was asked, and I answered it. The SSL protocol has been improved with the addition of SNI allowing the browser to connect and request the domain before the certificate exchange. So you can now have more than one website served with SSL from a single server with a single IP address. SNI is almost universally supported by all browsers so you can be fairly confident that it your sites will be accessible to users. You can also combine multiple site names in to a single cert either with wildcards eg "*.stackexchange.com" and using "Certificate Subject Alt Names" which is what stackexchange is doing if you checkout the ssl cert on this site..

Stack Exchange Certificate Details

The even better news is that now we have letsencrypt we all get to have our certs for free if you just want encryption support and don't need the extended validation. And lets encrypt does support the alt names.

Solution 2:

I found an answer on Verisign here that stipulates that a single cert can not be used on multiple servers without having a special license, which answers my multiple question.

I'm assuming this means there's no issue using it on multiple sites as long as they are all on a single machine.

This might also be specific to the CA.

Solution 3:

You can use a Unified Communications Certificate. It allow you to add multiple Subject Alternative Names on the certificate. You can install this certificate on multiple servers for multiple domain names. You could have one certificate for:

server1.blah.com

server2.blah.com

www.blah.com

www.notblah.com

They were originally introduced for use with Exchange 2007 and Communication Server, but can be used for other servers. More info from a ssl cert vendor:

Digicert uc ssl cert page

Entrust uc ssl cert page

There are also wildcard certs, but I know less about those, they may work for your purposes also.

Related

how to merge two ext3 partitions on ubuntu from command line?
Can a Mac with OS X 10.5 (Leopard) authenticate with a Windows 2008 domain?
X11 forwarding from OSX to Linux
Good Windows event log analyzing/reporting tool?
What is SMS Agent Host?
Have I messed up buying the wrong SSL certificate for my domain?
Backup is not Archiving - But what requirements does archiving have?
remote command execution on Windows 2003 server
Timeout ssh sessions after inactivity?
Limit VMware Virtual Ethernet bandwidth
Why is the time messed up on my Ubuntu Server VPS?
Migrate user profiles to new Active Directory Accounts