Why ever purchase a wildcard SSL certificate?

06
2014-04
  • CaptSaltyJack

    I was looking at wildcard SSL certs recently, and the lowest price on Namecheap is $94/year. Now, a regular single domain SSL cert from them starts at $9/year. My question is this: why wouldn't I just pay, for example, $27/year for a domain and two subdomains, rather than a whopping $94/year? The only thing I can think of is that with the wildcard cert, you skip the hassle of reissuing each individual domain cert.

    Any other reasons I'm missing?

  • Answers
  • Paul

    You are missing the scenario where someone may require more than 9 domains/subdomains.

    Also, it is common to require a unique IP address per SSL certificate. While SNI (the protocol that allows multiple certificates to be issued from a single IP) is supported in most web servers, it is not always available.

    If it is not available, then you have to host each subdomain at a unique IP address. As IP addresses are often at a premium, a wildcard cert may be a better option.
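Added example (not part of the thread or any poster's code): a small checker for which hostnames a wildcard certificate covers compared with a certificate listing individual names, using the left-most-label wildcard rule of RFC 6125 section 6.4.3. The `example.com` hostnames and the function names are constructed for illustration, and partial-label wildcards such as `w*.example.com` are deliberately not supported.

```python
# Added example: hostname coverage of certificate names (constructed data).

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate DNS name covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans dots, so label counts must be equal.
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # "*" stands for exactly one label and only in the left-most position.
        # Policy choice in this example: require two labels after the
        # wildcard so that a name like "*.com" is never accepted.
        return len(p) >= 3 and p[1:] == h[1:]
    # Any other name must match exactly; "*" elsewhere is just a literal.
    return p == h


def covered(cert_names, hostname):
    """True if any name on the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def uncovered(cert_names, hostnames):
    """Hostnames that would produce a name-mismatch error with this cert."""
    return [h for h in hostnames if not covered(cert_names, h)]


# Constructed sample: one wildcard cert versus one cert per listed name.
WILDCARD = ["*.example.com"]
THREE_NAMES = ["example.com", "www.example.com", "shop.example.com"]
SITES = [
    "example.com",        # apex: not covered by the wildcard
    "www.example.com",
    "shop.example.com",
    "api.example.com",    # added later: only the wildcard covers it
    "a.b.example.com",    # two levels deep: covered by neither
]

if __name__ == "__main__":
    print("wildcard misses:   ", uncovered(WILDCARD, SITES))
    print("three names miss:  ", uncovered(THREE_NAMES, SITES))
```

The wildcard covers any single-label subdomain added later, but not the bare domain or names nested two levels deep.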


  • Related Question

    ssl certificate - Heroku Hostname based SSL: How does it work?
  • Ruben Vermeersch

    Heroku offers the option to use Hostname based SSL. Apparently this is a solution which they use to offer multiple SSL hostnames on the same IP address, without using SNI (which doesn't work on Windows XP).

    From the website:

    Hostname based SSL works with all browsers. Use it when you will be accessing your site via SSL on a subdomain such as www.myapp.com, secure.myapp.com or *.myapp.com. Hostname based SSL will not work with root domains as it relies on CNAME aliasing of your custom domain names. CNAME aliasing of root domains is an RFC violation.

    So how exactly does this work? Does it mean that they request you to add a CNAME alias to your domain and then issue a certificate for the CNAME (e.g. www.mydomain.com -> secure.heroku.com, upon visiting www.mydomain.com, a certificate for secure.heroku.com is presented)? Does such a thing work? If it does not do that, then what does it do?


  • Related Answers
  • Jason Green