
SSL-related question

Created: 23 Jan 2014 • Updated: 29 May 2014 | 3 comments
This issue has been solved. See solution.

Hi there, 

First of all, I hope I am placing the question in the right area of the forum - my question is related to SSL which I believe goes under authentication services. If not, please let me know where I should post my question instead. 

I have a specific question related to SSLs. We have purchased two sets of certificates for the same subdomains (we realized halfway through the project that we would eventually need to set up redundancy and at that point re-purchasing a new SSL for the same subdomains was the only solution). 

The two versions of the website we have have completely different technical profiles. 

Because of database technical issues with one of the websites, we realized that redundancy may not be a viable solution or a priority at the moment. Basically, the first website is not able to synchronize its database real-time so it would provide information that is 3 hours to 1 day behind. But it would be faster. The second website has up to date information but is much slower due to older and less optimized database. 

In order to provide the best of both worlds and prevent so much work effort from going unused, we would like to allow users access to both websites as something like "data up to current day" and "data up to previous day".

Having purchased 2 SSL for the same subdomains, we are not sure we would be able to have them point to 2 different IPs at the same time.

What can we do?

Maya 


DomSYMC

Hi Emtas,

Certificates are never issued to IP addresses, only to host names. You can have multiple IPs or switch IPs whenever you like and it won't harm the certificate. What matters is that the host name session /DNS (common name) that is issued to the certificate.

If you can't have multiple IPs for the same host domain then you could probably use different ports behind the one IP, forward the older database through a link through a different port perhaps. How you perform this on your particular system and network however to configure it for your particular network will vary.

SOLUTION
emtas

Hi DomSYMC

Thank you so much. I am a non-technical user, and want to make sure I have the right terminology.

Is host name the same as domain name (in our case we are using an SSL bought for subdomains such as client.secure.invoicepayment.ca)?

When you say " what matters is that the host name session /DNS (common name) that is issued to the certificate." do you mean as you switch IPs, you have to make sure that they use the same host name session? In our case, if I want to have a link to the old website and a link to the new website, I need to be using two different host names, I suppose. Because having the same subdomain point to two different IPs through DNS is an either-or solution...cannot publish the same subdomain to two different IPs and have both live, of course sounds ridiculous!

It seems to me we could resolve this by repurchasing (not again!) new certificates for slightly different host names e.g. client1.secure.invoicepayment.ca and problem solved. The challenge is how to work with SSLs that are purchased for the same subdomains.

Even one more takeaway I am getting from you, we might have not even needed to do that second purchase because the same subdomains would have the multiple IPs in the DNS - this should work because it is an either-or solution, if one is down, the other one goes up...unlike the current venture which we want to have both available as options that the users would pick between.

Maya

DomSYMC

The terminology of "Host Name" usually refers to the entire domain, in this case "client.secure.invoicepayment.ca"; when people use the terminology of "Domain Names", in this case it would be "invoicepayment.ca".

When you say " what matters is that the host name session /DNS (common name) that is issued to the certificate." do you mean as you switch IPs, you have to make sure that they use the same host name session? Answer: Yes

Remember all a SSL certificate is in reality is a Notary. It says that this Keypair is valid by industry standards and is valid for the host name it was enrolled in for by this company. As long as the host name of the website or application is referenced in the certificate, then everything will be golden.
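
Added example, not part of the thread or any poster's code: a sketch of the host-name check a TLS client performs, showing that the server's IP never enters the comparison. The certificate dictionaries, the two documentation-range IP addresses and the wildcard certificate are constructed assumptions; wildcard matching goes beyond what the thread discusses.

```python
# Constructed samples shaped like ssl.SSLSocket.getpeercert() output.
HOST = "client.secure.invoicepayment.ca"   # host name from the thread
CERT_SAN = {"subject": ((("commonName", HOST),),),
            "subjectAltName": (("DNS", HOST),)}
CERT_CN_ONLY = {"subject": ((("commonName", HOST),),)}   # legacy: no SAN
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.secure.invoicepayment.ca"),)}
# Two servers on different (documentation-range) IPs, each with its own cert.
ENDPOINTS = {"192.0.2.10": CERT_SAN, "198.51.100.20": CERT_CN_ONLY}


def name_matches(pattern, hostname):
    """Compare one certificate name with a host name, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def cert_names(cert):
    """dNSName SAN entries; fall back to commonName only when there are none."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))


def check_endpoints(endpoints, hostname):
    """Return {ip: covered?}. The IP is only a dict key, never compared."""
    return {ip: cert_covers(cert, hostname) for ip, cert in endpoints.items()}


if __name__ == "__main__":
    for name in (HOST, "client1.secure.invoicepayment.ca"):
        print(name, check_endpoints(ENDPOINTS, name))
    print("wildcard covers client1:",
          cert_covers(CERT_WILDCARD, "client1.secure.invoicepayment.ca"))
```

Both certificates pass for the original host name on either IP, and both fail for `client1.secure.invoicepayment.ca`, which is why a different host name needs a certificate that names it.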