SSL certificates for domain without www
I currently have an SSL certificate which is registered for https://www.domain.com. I didn't register https://domain.com and I don't have money to do that.
Since the SSL exchange is done before the actual site is loaded, I can't simply put a redirect in .htaccess without the client getting an SSL warning. Is there any way I can make sure that all https://domain.com requests are redirected to https://www.domain.com before the SSL exchange? Maybe something directly on the Apache server or something in the DNS?
Host name verification is a client-side mechanism (as described in the HTTPS specification, RFC 2818, Section 3.1). The client will check that the certificate is valid for the host name it has requested before any HTTP traffic happens (in particular, before any redirection). Apache redirections or DNS changes won't be of any use.
You simply need the web server to present a certificate that is valid for the requested host name.
Some certificates can be valid for multiple host names, by having multiple Subject Alternative Name (SAN) DNS entries, e.g. domain.com and www.domain.com. Some CAs do this by default, some do it for an extra fee.
(Wildcard certificates can also be used to handle multiple host names provided they follow the right pattern such as *.domain.com. Unfortunately, domain.com isn't matched by *.domain.com because the dot is part of the pattern. Some wildcard certs will have both a SAN for domain.com and *.domain.com, in which case it's the SAN mechanism that will be used for domain.com, nothing to do with the wildcard.)
You could also use Server Name Indication (SNI) and have an additional, different certificate on that host for domain.com (next to the one for www.domain.com). Unfortunately, it's not supported by certain clients (possibly old, but they still exist), and it would certainly be pointless, since most CAs issuing a cert for domain.com would certainly include www.domain.com automatically in another SAN anyway.
Either way, if you want to be able to serve https://domain.com at all (even if it's just for a redirection), you'll have to get a new certificate valid for it (at least).
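The matching rules the answer describes, as an added example that is not part of the original post: a small client-side host name check over constructed SAN lists (RFC 2818 / RFC 6125 style, with a wildcard accepted only as the whole leftmost label, so *.domain.com never covers domain.com). The certificate SAN lists are constructed for illustration.

```python
# Added example (not from the original post): client-side host name
# verification against a certificate's SAN dNSName list. The certificates
# below are constructed and stand in for the SAN extension only.
from typing import Iterable


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName pattern is valid for hostname.

    A wildcard is honoured only when it is the entire leftmost label, and it
    stands for exactly one label: the dot is part of the pattern, so the
    label counts must agree and "*.domain.com" does not match "domain.com".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False  # "*.domain.com" vs "domain.com": label counts differ
    if "*" in pattern:
        # Only a full leftmost "*" label is accepted, and never for a
        # pattern as short as "*.com" (browsers reject those too).
        if p_labels[0] != "*" or len(p_labels) < 3:
            return False
        if any("*" in label for label in p_labels[1:]):
            return False
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_valid_for(san_dns_names: Iterable[str], hostname: str) -> bool:
    """The check a client performs before any HTTP request (and therefore
    before any redirect): is the presented certificate valid for the
    requested host name?"""
    return any(hostname_matches(san, hostname) for san in san_dns_names)


# Constructed certificates, represented by their SAN dNSName entries.
WWW_ONLY_CERT = ["www.domain.com"]
MULTI_SAN_CERT = ["www.domain.com", "domain.com"]
WILDCARD_CERT = ["*.domain.com"]
WILDCARD_PLUS_BASE_CERT = ["*.domain.com", "domain.com"]

if __name__ == "__main__":
    for name, cert in [("www-only", WWW_ONLY_CERT), ("multi-SAN", MULTI_SAN_CERT),
                       ("wildcard", WILDCARD_CERT), ("wildcard+base", WILDCARD_PLUS_BASE_CERT)]:
        for host in ("www.domain.com", "domain.com"):
            print(f"{name:14} {host:16} -> {cert_valid_for(cert, host)}")
```

Running the block prints, for each constructed certificate, whether a client would accept it for www.domain.com and for domain.com; only the certificates carrying a literal domain.com SAN pass the second check.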