Securing multiple domains and sub-domains does not need different SSL certificates anymore. Wildcard SSL Certificates and SAN SSL Certificates can provide data encryption and security across multiple domains, sub-domains, and more using a single certificate.
In this article, we delve into what Wildcard SSL Certificates and SAN SSL Certificates are, their advantages and drawbacks, their differences, and which one to choose for effective security.
Wildcard SSL Certificates
Wildcard SSL Certificates (WC SSL Certificates) secure one primary domain marked with a wildcard character (*) and unlimited sub-domains at the same level of that primary domain. Whether you have 20 sub-domains or 2000 on a single level, you will be able to secure them all with a single WC certificate.
Let’s just take a moment to understand what levels mean with respect to sub-domains.
For an example website, the primary domain is marked with an asterisk symbol: *.example.com.
The first-level sub-domains will be something like:
- example.com
- example.com
- example.com
- example.com
The second-level sub-domains will look something like this:
- mail.example.com
- shop.example.com
- blog.example.com
- dev.example.com
The third-level sub-domain will be something like primary.login.example.com, and so on.
It is critical to note that a Wildcard SSL will secure multiple sub-domains that are at the same level, not multiple levels. So, if you own a WC SSL for *.example.com, you are securing first-level sub-domains. If you add a new sub-domain, such as music.example.com or news.example.com, it will be automatically added to the certificate and secured.
However, second and third-level sub-domains will not be secured under this Wildcard SSL Certificate. You must purchase another WC SSL Certificate to secure sub-domains under, say, *.shop.example.com or *.mail.example.com.
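The single-level rule described above can be checked in a few lines. The following is an added example, not code from the original article: it implements left-most-label wildcard matching in the style of RFC 6125, and the function names and sample hostnames are constructed for illustration.

```python
# Added example: which hostnames does a list of certificate names cover?
# A wildcard is honoured only as the entire left-most label.
# Hostnames and certificate names below are constructed sample data.

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate name (exact or wildcard) covers hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard stands in for exactly one label, so label counts must agree.
    # This is why *.example.com covers neither a.b.example.com nor example.com.
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # The remaining labels must match exactly (no second wildcard).
        return h_labels[0] != "" and p_labels[1:] == h_labels[1:]
    # Exact name; a '*' anywhere else (a.*.com, f*.example.com) is rejected.
    return "*" not in pattern and p_labels == h_labels


def coverage(cert_names, hostnames):
    """Map each hostname to the certificate name that covers it, or None."""
    return {
        host: next((n for n in cert_names if name_matches(n, host)), None)
        for host in hostnames
    }


if __name__ == "__main__":
    wildcard_cert = ["*.example.com"]  # constructed certificate name list
    hosts = [
        "shop.example.com",
        "news.example.com",
        "example.com",
        "primary.login.example.com",
        "shop.example.org",
    ]
    for host, name in coverage(wildcard_cert, hosts).items():
        status = f"covered by {name}" if name else "NOT covered"
        print(f"{host:28} {status}")
```

Running the same check against your real host inventory before buying a certificate shows which names need a second wildcard or an explicit entry.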
Advantages
- Wildcard SSL Certificates are easier to manage, as the domain and its unlimited sub-domains are secured under a single certificate.
- It is a flexible solution as new sub-domains at the same level are automatically added to the certificate and instantly protected, as long as the certificate is within the validity period. The organization does not have to re-issue the certificate to add these new sub-domains.
- Similarly, sub-domains can be removed, whenever necessary, without having to re-issue the certificate.
- WC SSL Certs are cost-effective, versatile, and practical solutions to protect multiple sub-domains. You do not have to spend a lot on multiple certificates.
- The best Wildcard SSL also offers SAN (Subject Alternative Name) capabilities that enable organizations to secure additional domain names.
Drawbacks
- Wildcard SSL Certificates are available only at Domain Validation and Organization Validation levels of assurance.
- Extended Validation is not an option. For instance, if an attacker were to create a fraudulent sub-domain, it will automatically get added to the certificate without the need for verification or validation. The attacker may use this for phishing attacks against users.
- It does not secure sub-domains at multiple levels.
- If multiple parties are managing different sub-domains, it necessitates the sharing of private keys across these parties. This introduces risks of unauthorized access, data breaches, and other attacks.
- If one sub-domain is compromised, the chance of others being compromised is high.
SAN SSL Certificates
SAN SSL Certificates are also known as Multi-domain SSL Certificates and Unified Communication Certificates (UCC). SAN (Subject Alternative Name) SSL secures multiple Fully Qualified Domain Names (FQDNs) and sub-domains under a single SSL Certificate.
The primary domain is called the Common Name (CN) and the additional domains are referred to as SANs. The SANs can be other FQDNs, domains with other top-level domains (TLDs), sub-domains, or other variations.
With a SAN SSL Cert, an organization can protect, for instance,
- www.example.com
- example.com
- www.1example.org
- www.example2.net
- 2example.net
- example.co.uk
- blog.example.com
- anything.example1.org
- dev.example3.com
- mail.example.com
- mail.example.net
The owner of the certificate needs to clearly state the CN and all SANs they wish to secure under the multi-domain SSL Cert while making the Certificate Signing Request (CSR). If the organization wishes to add more SANs to the certificate later, the certificate has to be re-issued; these new SANs are not automatically added to the certificate.
Advantages
- SAN SSL offers all the levels of validations — Domain, Organizational and Extended Validation.
- Versatile SAN SSL Certificates enable organizations to secure web server hostnames, IP addresses, private hostnames, payment gateways, and firewall devices, among others.
- Depending upon the Certificate Authority and the plan chosen, you may be able to secure 50 to 250 additional SANs under a single SAN SSL Cert.
- It saves time and cost for organizations looking to secure multiple domains and sub-domains with a single certificate. Further, it is easier to manage.
Drawbacks
- If new sub-domains or domains are to be added to the certificate, the certificate has to be re-issued. This causes risks and downtimes for the website.
- If a private key is stolen or the certificate expires, it leaves all the domains and sub-domains open to attacks and data breaches.
Wildcard SSL Vs. SAN SSL Certificate — Which one to choose?
Despite their differences, SAN and Wildcard SSL Certificates offer similar encryption strengths (256 bits) and are compatible across most browsers and devices.
If you want to protect your root domain and its subdomains, it makes sense to go with Wildcard SSL Certificate. On the other hand, if you have multiple domains and want to extend your protection in that direction, then a SAN Certificate is the right option.
After considering your security requirements, don’t forget to choose the best SSL certificate providers, such as Entrust by Indusface, for strong, multi-layered security across your multiple domains and sub-domains.
Originally published at https://www.indusface.com on November 25, 2021.