SSL, CNAME, and multiple domains

Say I have an SSL Certificate for a super cool site that I offer, like https://secure.coolsite.com/ (Not my site, just an example). Then let's say I had a customer who wanted to have a CNAME to my site on his server, like https://mycoolsite.his-site.com/. Would he need a regular SSL certificate on his end, would I need to have a second certificate on my end (and just "install" it on my webserver), or would I need a multi-domain SSL certificate, or does he just have to list my site as an alias on his certificate?

Thanks!


Solution 1:

In order to utilize a CNAME pointing to the main IP address of your system, you'd need to be utilizing a subject alternative name certificate covering the client's DNS name.

Alternatively, you could use SNI and have multiple certificates on that IP address, but be warned that a significant percentage of client browsers in use today don't support SNI (specifically IE on Windows XP, about 40% of users) - those users would get certificate errors.

The other option is to have multiple IP addresses that your server's listening on, with different certificates - your clients would then use either an A record pointing to the IP that's assigned to them.

(or if you're using CNAMEs so that you control the target of the A record, then you can have them CNAME to something like client1.example.com, which has the A record for the IP assigned to that client.)
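The SAN and SNI options above, modelled as an added Python example (not part of the original answer). It simulates certificate selection and the client's name check rather than running real TLS; the hostnames are the question's examples, and the SAN lists and helper names are constructed for this sketch.

```python
# Added illustration: models how a TLS server picks a certificate and how a
# client checks it. Hostnames are the question's examples; the SAN lists and
# helper names are constructed for this sketch.

def san_matches(hostname, san):
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    host, san = hostname.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    # Wildcard covers exactly one label: *.a.com matches x.a.com, not x.y.a.com
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]

def cert_covers(hostname, sans):
    return any(san_matches(hostname, s) for s in sans)

def select_cert(certs, default, sni):
    """Server side: choose by SNI name; clients without SNI get the default."""
    if sni is not None:
        for name, sans in certs.items():
            if cert_covers(sni, sans):
                return name
    return default

def handshake(certs, default, typed_host, sends_sni=True):
    """Return (certificate served, whether the client accepts it).

    The client validates against the name it typed. A CNAME only changes
    which IP is reached, so the CNAME target never enters the check.
    """
    chosen = select_cert(certs, default, typed_host if sends_sni else None)
    return chosen, cert_covers(typed_host, certs[chosen])

ALIAS = "mycoolsite.his-site.com"   # customer's name, CNAME to the host below
ORIGIN = "secure.coolsite.com"

single = {"origin": [ORIGIN]}                          # today's certificate
san_cert = {"origin": [ORIGIN, ALIAS]}                 # one SAN cert, one IP
sni_certs = {"origin": [ORIGIN], "customer": [ALIAS]}  # one cert per name

if __name__ == "__main__":
    print(handshake(single, "origin", ALIAS))            # name mismatch
    print(handshake(san_cert, "origin", ALIAS))          # accepted
    print(handshake(sni_certs, "origin", ALIAS))         # accepted via SNI
    print(handshake(sni_certs, "origin", ALIAS, False))  # no SNI: mismatch
```

The last case is the one the answer warns about: a client that sends no SNI receives the default certificate, which does not list the customer's name.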

Solution 2:

The SSL-Certificate is served by the server with the content and is bound to a domain, so you'd need a certificate for these domains.