Multiple private SSL certificates on a single shared hosting plan? [closed]

Recently I contacted my shared hosting provider about setting up private SSL for a few of my sites. I have several sites hosted under the same plan (the plan allows for unlimited domains). However, I was told that since it is shared hosting and ultimately each site runs from the same IP address, I could install only a single certificate and secure only 1 of my sites (since each certificate requires a dedicated IP).

The other option they gave me was to use a shared certificate; this is unacceptable since the browser would generate a certificate warning. My question is: is this typical of shared hosting providers, or could I find one that allows me multiple private certificates? I am currently developing several sites and would like to keep costs at a minimum, which is why I am not yet upgrading to VPS or dedicated hosting. Thanks.


Solution 1:

The information provided to you by your shared hosting provider was indeed accurate.

SSL-based traffic has to be bound to a single IP address so that the initial SSL handshake and encrypted connection can be established. This is all done before the web server is even presented with the requested URI. Because of this, you can only have one certificate bound to each IP address. While you can have unlimited domains bound to a single IP address, that precludes an SSL certificate installation.

Many shared providers will allow you to pay for an additional IP address on certain shared hosting plans to allow for SSL certificates to be utilized. You may find that your provider does in fact offer this, but it may be available only on another plan, as this would be considered a more advanced service, so it might not be available with a simpler hosting plan.

Solution 2:

Edit: This question is from 2009, when the answer (below) was correct. If people run into this information now, it's more or less irrelevant:

The question is about SSL, and the limitation that you stated about SSL was and still is correct. However, everybody is using TLS now and Server Name Indication (SNI) is widely available, solving exactly this problem. Of course you can still continue to use wildcard certificates, but individual certificates for each TLS-host are possible as well.

This won't help in the situation of the original 2009 question, but does update the answer to be more relevant at the time of the edit, 2015.


Original answer from 2009:

The information about 1 https endpoint per IP is correct. The protocol is such that the encryption starts before client and server negotiate the URL, which would be required for VirtualHosts to enable SSL. The key/certificate would depend on the URL - aka the host name - for setting up multiple certificates on one IP, but it's being used before the server knows which URL is about to be contacted.

I understand that the protocol is being worked on, but currently there's no solution to this issue - at least not generally available.

Update: If you get only 1 IP for yourself, you could make use of wildcard certificates. Basically they certify identity not for www.example.com but for *.example.com, so that you can have multiple hosts sharing the same IP without any warning generated in the browser.

Solution 3:

There are only two ways to have multiple domains secured that use the same IP. Either use different service ports for each cert (this option sucks) or find a CA that allows SubjectAltName within certificates.

With SubjectAltName you can define as many DNS entries per certificate as you like. Meaning one certificate will authenticate several domains. This is beyond wildcards as the domains don't have to have anything in common. As an example of this you can check out CAcert which allows this.

Solution 4:

That's no longer the case if using Apache 2.2.12 implementing SNI; a single address is no longer required per certificate. Hopefully we'll see more of this available to shared hosting now.

https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm