Does each subdomain need its own SSL certificate?

Solution 1:

I'll answer this in two steps...

Do You Need an SSL Cert for Each Subdomain?

Yes and No, it depends. Your standard SSL certificate will be for a single domain, say www.domain.example. There are different types of certs you can get aside from the standard single domain cert: wildcard and multi domain certs.

  • A wildcard cert will be issued for something like *.domain.example and clients will treat this as valid for any domain that ends with domain.example, such as www.domain.example or ws.domain.example.

  • A multi domain cert is valid for a predefined list of domain names. It does this by using the Subject Alternative Name field of the cert. For example, you could tell a CA that you want a multi domain cert for domain.example and ws.mysite.example. This would allow it to be used for both domain names.

If neither of these options works for you, then you would need to have two different SSL certs.

Do I Need a Dedicated IP for Each Subdomain?

Again, this is a yes and no...it all depends on your web/application server. I am a Windows guy, so I will answer with IIS examples.

  • If you are running IIS7 or older, then you are forced to bind SSL certs to an IP and you cannot have multiple certs assigned to a single IP. This causes you to need to have a different IP for each subdomain if you are using a dedicated SSL cert for each subdomain. If you are using a multi domain cert or a wildcard cert, then you can get away with the single IP as you only have one SSL cert to begin with.

  • If you are running IIS8 or later, then the same applies. However, IIS8+ includes support for something called Server Name Indication (SNI). SNI allows you to bind an SSL cert to a hostname, not to an IP. So the hostname (Server Name) that is used to make the request is used to indicate which SSL cert IIS should use for the request.

  • If you use a single IP, then you can configure websites to respond to requests for specific hostnames.

I know that Apache and Tomcat also have support for SNI, but I am not familiar enough with them to know what versions support it.

Bottom Line

Your application/web server and what type of SSL certs you are able to obtain will dictate your options.

Solution 2:

You can get a certificate for each subdomain, a multiple subdomain certificate or a wildcard certificate (for *.yoursite.example).

They typically cost quite a bit more than regular certificates though, and because you share a single certificate they are typically not the best option from a security point of view unless you host an anything.mydomain.example type of application where they are the only workable choice.

You also don't need multiple IP addresses if you have an SNI-capable web server. This said, SNI is only supported in modern browsers (IE6 and below won't work with it). Recent versions of Nginx and Apache support SNI transparently (just add SSL enabled virtual hosts).
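
Added example (not part of either answer): a Python sketch of how a client decides whether the Subject Alternative Name entries of a certificate cover a hostname, following the RFC 6125 matching rules, applied to the single-domain, wildcard and multi-domain options both answers describe. It goes slightly beyond the answers by also checking the bare domain and a two-level subdomain; the function names and the host list are assumptions made for illustration.

```python
def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_entry_matches(pattern, hostname):
    """True if one dNSName entry covers hostname (RFC 6125 style rules)."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False  # label counts must agree; reject empty labels
    if p[0] == "*":
        # A wildcard stands in for exactly one left-most label. Requiring
        # two more labels is a conservative choice made in this sketch.
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    # Partial wildcards such as "w*.domain.example" are not accepted here.
    return "*" not in pattern and p == h


def cert_covers(san_names, hostname):
    """True if any SAN entry on the certificate covers hostname."""
    return any(san_entry_matches(n, hostname) for n in san_names)


def uncovered(san_names, hostnames):
    """Hostnames that would still need another certificate."""
    return [h for h in hostnames if not cert_covers(san_names, h)]


# Constructed sample data, using the example names from the answers.
SINGLE = ["www.domain.example"]
WILDCARD = ["*.domain.example"]
MULTI = ["domain.example", "ws.mysite.example"]
SITES = [
    "www.domain.example",
    "ws.domain.example",
    "domain.example",
    "api.ws.domain.example",
    "ws.mysite.example",
]

if __name__ == "__main__":
    for label, sans in (("single", SINGLE), ("wildcard", WILDCARD), ("multi", MULTI)):
        print(f"{label:8} {sans} leaves uncovered: {uncovered(sans, SITES)}")
```
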