SSL on Subdomain, Already on Domain

Solution 1:

Wildcard vs. MultiDomain vs. Standard SSL Certificates

Just a quick rundown of SSL certificate types and when I recommend using them.

Wildcard

Domain: *.domain.com (domain.com)

Can be used for any *.domain.com and, depending on the vendor, domain.com. In Apache, this can be used in any server or Vhost configuration block. To prevent errors, the domain being served must match the *.domain.com pattern.

I recommend this SSL certificate if you have many (>5) domains using *.domain.com. For example, we have mail.domain.com, wiki.domain.com, my.domain.com and others. We can secure all of these with 1 SSL certificate.

MultiDomain

Domain: domain.com, anotherdomain.com, someotherdomain.com

Some vendors provide multidomain SSL certificates. These can be used for multiple, unique domain names, e.g. www.domain.com, www.anotherdomain.com.

These are required if you are serving multiple domains from the same Vhost and do not want SSL errors. For example, with Wordpress Multi-site, you would need to use one of these certificates.

These are also good if you need SSL support to do redirects. For example, if you want to redirect https://www.anotherdomain.com/ -> https://www.domain.com/ within the same Vhost configuration.

Lastly, these can simplify management if you have dozens of domains. It is easier to keep track of a single cert than 50.

Standard SSL Certificates

Domain: www.domain.com (domain.com)

Good for a single domain. Some vendors may include www.domain.com and domain.com.

Recommended when a single domain requiring SSL is served from a Vhost or server.
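The two deployment patterns described in this answer (one wildcard certificate shared by several *.domain.com Vhosts, and one multi-domain certificate used for a same-Vhost redirect), written out as an added Apache 2.4 configuration example. This is not the answerer's own configuration; the hostnames, IP, document roots and certificate paths are placeholders, and it assumes mod_ssl, mod_rewrite and SNI-capable clients.

```apache
# Added example, not from the original answer. Assumes Apache 2.4 with mod_ssl and
# mod_rewrite loaded; hostnames, paths and document roots are placeholders.
Listen 443

# --- Wildcard certificate: one cert, several *.domain.com Vhosts ---
# Each ServerName below must match the *.domain.com pattern or browsers report a
# name mismatch. A wildcard covers exactly one label: mail.domain.com matches,
# foo.mail.domain.com does not, and bare domain.com is only covered if the vendor
# added it to the certificate as a separate Subject Alternative Name.
<VirtualHost *:443>
    ServerName mail.domain.com
    DocumentRoot /var/www/mail
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.domain.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.domain.com.key
</VirtualHost>

<VirtualHost *:443>
    ServerName wiki.domain.com
    DocumentRoot /var/www/wiki
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.domain.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/wildcard.domain.com.key
</VirtualHost>

# --- Multi-domain (SAN) certificate: unrelated names, one Vhost, one redirect ---
# The certificate lists www.domain.com, www.anotherdomain.com and
# www.someotherdomain.com. Because it is valid for all three, the TLS handshake
# for https://www.anotherdomain.com/ completes cleanly and only then is the
# 301 to https://www.domain.com/ sent, so the visitor never sees a warning.
<VirtualHost *:443>
    ServerName  www.domain.com
    ServerAlias www.anotherdomain.com www.someotherdomain.com
    DocumentRoot /var/www/main
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/multidomain.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/multidomain.key

    # Canonicalise every alternate name onto www.domain.com.
    RewriteEngine on
    RewriteCond %{HTTP_HOST} !^www\.domain\.com$ [NC]
    RewriteRule ^ https://www.domain.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

To confirm which names a deployed certificate actually covers before relying on it for a redirect, connect with `openssl s_client -connect host:443 -servername www.anotherdomain.com` and read the Subject Alternative Name extension of the certificate it returns; a name that is not listed there will produce exactly the SSL error the answer warns about.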

Solution 2:

You should have a separate certificate if either of these points is true:

  • The sites are run on different servers - extra important because if one of the servers is compromised, so that the certificate can be stolen and used by someone else, the other site will still not be compromised. If they were to have the same certificate, getting one cracked would mean that the cracker could also impersonate the other site.
  • The sites are on different IPs on the same server (although here you could choose to have the same certificate, having different ones means that it will be easier if you ever decide to move them around)
  • The sites are accessed via different protocols (i.e. one is a web server, the other is e.g. a mail server)

You should have a common certificate (i.e. one with a Subject Alternative Name or with a wildcard name) if either of these points is true:

  • The sites are on the same server and IP and look exactly the same (e.g. if you want www.domain.com and domain.com to have exactly the same content and be accessed in the same way). In this case you don't need to have separate VirtualHosts for them; just make one of them a ServerAlias for the other.
  • The sites are on the same server and IP, and you are using NameVirtualHost to serve different content for each site. The reason why you still want to have only one common certificate can be found in this answer to an SSL question.
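The two "common certificate" cases from this answer, written out as an added Apache 2.4 configuration example (not the answerer's own, and not the configuration from the linked answer, which is not reproduced on this page). It assumes a single certificate whose Subject Alternative Names include every hostname served on the address, mod_ssl with SNI support, and placeholder IP, paths and document roots; the two cases are alternatives for the same IP:port, so only one of them would be active at a time.

```apache
# Added example, not from the original answer. Assumes Apache 2.4 with mod_ssl,
# SNI-capable clients, and one certificate covering domain.com, www.domain.com and
# blog.domain.com. The IP address, paths and document roots are placeholders.
Listen 443

# Case 1: both names serve identical content -> one Vhost, a ServerAlias, one cert.
<VirtualHost 203.0.113.10:443>
    ServerName  www.domain.com
    ServerAlias domain.com
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/domain.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/domain.com.key
</VirtualHost>

# Case 2: different content per name on the same IP -> name-based Vhosts.
# Apache selects the Vhost from the TLS SNI extension. A client that sends no SNI
# is answered by the first Vhost defined for this IP:port, so that Vhost's
# certificate must already cover every name served on the address. Sharing one
# SAN certificate across all Vhosts is what keeps that first handshake valid.
<VirtualHost 203.0.113.10:443>
    ServerName www.domain.com
    DocumentRoot /var/www/site
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/domain.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/domain.com.key
</VirtualHost>

<VirtualHost 203.0.113.10:443>
    ServerName blog.domain.com
    DocumentRoot /var/www/blog
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/domain.com.fullchain.pem
    SSLCertificateKeyFile /etc/ssl/private/domain.com.key
</VirtualHost>
```

The separate-certificate cases in the answer (different servers, different protocols) need no shared configuration at all: each host, or each daemon such as the mail server, gets its own key pair on its own machine, so a compromise of one host exposes only the names on that host's certificate.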