I have a site on example.com that loads all its static components from s.example.com (an Amazon CloudFront distribution).

Now I would like to make some pages of example.com use https, so I thought I'd buy an SSL certificate for example.com, but since the pages load images and other stuff from s.example.com, https will break because some components are not encrypted.

Is it possible to buy a second certificate for s.example.com? The reason I ask is that it's very much cheaper to buy two single-domain certificates than to buy a wildcard cert.

A: 

You should be able to serve a page that uses different https:// domains with no alert from the browser, as long as the components inside the page are all http or all https.

<img src="https://example.com/a.jpg"/>
<img src="https://s.example.com/b.jpg"/>

You'll have to keep the various certificates up to date.

ring0
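The "all http or all https" rule above is what browsers enforce as mixed-content blocking. The following added example (not part of ring0's answer) is a small offline checker: it parses a page's HTML with the standard library, resolves every sub-resource URL against the page URL, and reports the ones that would be fetched over plain http from an https page. The HTML sample is constructed for the example; scheme-relative `//s.example.com/...` URLs and relative paths resolve to https and are not reported, which is one reason they are a convenient way to link to a CDN host that serves both schemes.

```python
"""Mixed-content check: list sub-resources an https page would load over http.

Added example; the sample HTML below is constructed, not taken from a real site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag/attribute pairs that make the browser fetch a sub-resource.
RESOURCE_ATTRS = {
    "img": ("src",),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src",),
    "video": ("src",),
    "audio": ("src",),
}


class _ResourceCollector(HTMLParser):
    """Collect raw URL attribute values from resource-loading tags."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name in wanted and value:
                self.urls.append(value)


def find_mixed_content(page_url, html):
    """Return absolute http:// sub-resource URLs referenced from an https:// page.

    Relative and scheme-relative URLs are resolved against page_url, so they
    inherit https and are not reported. A plain http page returns [] because
    mixed content is only a concern once the page itself is https.
    """
    if urlsplit(page_url).scheme != "https":
        return []
    parser = _ResourceCollector()
    parser.feed(html)
    insecure = []
    for url in parser.urls:
        absolute = urljoin(page_url, url)
        if urlsplit(absolute).scheme == "http":
            insecure.append(absolute)
    return insecure


# Constructed sample page: one hard-coded http:// image, the rest is fine.
SAMPLE_PAGE_URL = "https://example.com/index.html"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/style.css">
  <script src="//s.example.com/app.js"></script>
</head><body>
  <img src="https://example.com/a.jpg"/>
  <img src="http://s.example.com/b.jpg"/>
  <img src="data:image/png;base64,AAAA">
</body></html>
"""

if __name__ == "__main__":
    for url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("mixed content:", url)
```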
+1  A: 

The problem with various certificates for various (sub)domains is that you must have a dedicated IP for each domain. This is due to the SSL design: first the SSL connection is established, and at this point the certificate is validated. The server doesn't know which certificate to present at this point. Only after a successful handshake is the HTTP request with the domain name sent.

So you have to buy a wildcard certificate if you wish to cover both domains and they both sit on the same IP address.

Eugene Mayevski 'EldoS Corp
+2  A: 

It depends on whether the two hosts are running on the same server and IP address (using virtual hosts) or not.

The easy way is to be able to host example.com and s.example.com on two distinct IP addresses (perhaps the same machine), in which case you can configure a different certificate for each.

If you're constrained to a single IP address (and port) for the two names and want to use two distinct certificates, you would need to use the Server Name Indication (SNI) extension, which is relatively recent (and might not be supported by all browsers, but it seems to work with recent ones).

If you can't use SNI, you'd need the same certificate to be valid for both example.com and s.example.com at the same time, which may be achieved by putting the two DNS entries in the Subject Alternative Name extension, or perhaps by using a wildcard, if the pattern for the two hosts is suitable. These two options are probably more expensive than two distinct certificates, with commercial CAs.

After that, it's a matter of linking to the page content (img...) using https:// links, as @ring0 has already said.

Bruno
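The last two answers turn on two separate mechanisms: how a server on a shared IP picks a certificate (only possible if the client sends SNI), and which names a given certificate actually covers (exact SAN entries or a wildcard). The following added example (not code from any answer above) models both with plain dicts standing in for X.509 certificates, and goes one step beyond the text: it shows that a `*.example.com` wildcard covers `s.example.com` but not the bare `example.com`, which is the "if the pattern for the two hosts is suitable" caveat from Bruno's answer, so a wildcard alone would not serve this question's two names. The certificate labels and names are constructed for the example.

```python
"""Model of SNI certificate selection and certificate name matching.

Added example; the certificate dicts below are constructed stand-ins for real
X.509 certificates and are not from any answer on this page.
"""


def name_matches(cert_name, hostname):
    """Match a certificate name against a hostname.

    Exact match, or a wildcard whose single '*' is the whole leftmost label:
    '*.example.com' covers 's.example.com' but not 'example.com' and not
    'a.b.example.com' (the RFC 6125 rules that browsers follow).
    """
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if cert_name == hostname:
        return True
    if not cert_name.startswith("*."):
        return False
    suffix = cert_name[1:]  # '.example.com'
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def cert_covers(cert, hostname):
    """True if any name in the certificate (CN or SAN entries) covers hostname."""
    return any(name_matches(name, hostname) for name in cert["names"])


def select_certificate(certs, sni_name=None):
    """Pick the certificate a server on one IP:port presents in its ServerHello.

    Without SNI the server only knows the IP and port, so the only thing it can
    do is return its default (first) certificate; that is the limitation
    described in Eugene's answer. With SNI it can pick a matching one.
    """
    if sni_name is None:
        return certs[0]
    for cert in certs:
        if cert_covers(cert, sni_name):
            return cert
    return certs[0]  # unknown name: default cert, the client will see a mismatch


def handshake_result(certs, hostname, client_sends_sni):
    """Return (label of presented cert, whether the client accepts its name)."""
    cert = select_certificate(certs, hostname if client_sends_sni else None)
    return cert["label"], cert_covers(cert, hostname)


# Constructed certificates for the scenarios from the question.
CERT_EXAMPLE = {"label": "single example.com", "names": ["example.com"]}
CERT_S = {"label": "single s.example.com", "names": ["s.example.com"]}
CERT_WILDCARD = {"label": "wildcard", "names": ["*.example.com"]}
CERT_SAN = {"label": "san", "names": ["example.com", "s.example.com"]}

if __name__ == "__main__":
    shared_ip = [CERT_EXAMPLE, CERT_S]
    print("two certs, client with SNI   :", handshake_result(shared_ip, "s.example.com", True))
    print("two certs, client without SNI:", handshake_result(shared_ip, "s.example.com", False))
    print("wildcard covers s.example.com:", cert_covers(CERT_WILDCARD, "s.example.com"))
    print("wildcard covers example.com  :", cert_covers(CERT_WILDCARD, "example.com"))
    print("SAN cert, no SNI needed      :", handshake_result([CERT_SAN], "s.example.com", False))
```

The two single-domain certificates the asker wants to buy work on one IP only when the client sends SNI; without it the default certificate is presented and the name check fails. A SAN certificate listing both names works regardless of SNI, and a wildcard needs both hosts to sit under the same parent label.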