Do I need a dedicated IP for the certificate

Maybe technology has passed by my current knowledge, but I was under the impression that a domain needed its own IP to be able to have its certificate. That’s why only one of my domains on my VPS that comes with two IPs has a certificate: one IP for that SSL domain and the other IP for all the other domains.
Is this not true anymore, could all my domains get a certificate even though they share one IP?


No. DV certificates are not tied to an IP address.

Yes, provided your VPS’s SSL library supports server name indication (SNI), which all modern libraries do, there is no longer a need for a dedicated IP for each certificate. In the “old days” all of the request headers that identified the requested host name were encrypted, so having the connection come in on a dedicated IP was the only way to connect the request with the proper virtual host on the server and properly decrypt it. SNI allows the host name to be sent unencrypted, enabling the server to properly match the virtual host without needing to be able to decrypt the request first.

SNI has been around for a while, but adoption was somewhat slow on some client platforms, so it was difficult to rely on SNI until recently. Specifically, IE (any version) on Windows XP did not support it, nor did Android versions before Honeycomb or ICS.

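To make the mechanism above concrete, here is an added example (not code from the thread or from any product mentioned in it): a small Python parser that pulls the host name out of the SNI extension of a TLS ClientHello. The record is constructed inline so it runs offline; the point is that the name is readable in the very first message, before any key exchange, which is what lets one IP serve several certificates.

```python
# Added example, not from the thread: build a minimal ClientHello carrying an
# SNI entry, then parse the host name back out of it (RFC 6066 "server_name").
import struct

SNI_EXTENSION_TYPE = 0x0000  # extension type "server_name"


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a bare-bones ClientHello record with one SNI entry."""
    name = server_name.encode("ascii")
    # server_name extension body: list length, name_type host_name(0), name length, name
    sni_body = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    extensions = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                 # client_version
        + bytes(32)                 # random (zeroed for the example)
        + b"\x00"                   # session_id length 0
        + b"\x00\x02\x13\x01"       # one cipher suite
        + b"\x01\x00"               # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None  # not a Handshake record carrying a ClientHello
        pos = 9 + 2 + 32  # record header, handshake header, client_version, random
        pos += 1 + record[pos]  # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]  # compression_methods
        end = min(pos + 2 + struct.unpack_from("!H", record, pos)[0], len(record))
        pos += 2
        while pos + 4 <= end:  # walk the extension list
            ext_type, length = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == SNI_EXTENSION_TYPE and length >= 5 and pos + length <= end:
                name_type = record[pos + 2]
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                if name_type == 0 and pos + 5 + name_len <= end:
                    return record[pos + 5 : pos + 5 + name_len].decode("ascii", "replace")
            pos += length
        return None
    except (IndexError, struct.error):
        return None  # truncated or malformed record
```

A server on a shared IP does exactly this lookup to choose which certificate to present; a client that omits the extension (as the old Windows XP stack does) leaves the server with no way to tell the sites apart.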

SSL certificates do not require a dedicated IP address. However, that is half the equation. The other end is that you need to figure out your intended SSL-enabled site’s visitor traffic profile to see whether or not your visitors’ web browser and OS support SNI, which allows SSL certificates to share a single IP.

WinXP doesn’t support SNI. You can check global browser SNI support via http://caniuse.com/#search=SNI

So use your Google Analytics and break down your visitor profile stats. For example, in one of my sites’ GA stats, ~1.669% of my visitors use WinXP and do not support SNI. If your visitor browser profile breakdown has a high percentage of WinXP users, as some Asian countries do, then you may want a dedicated IP for the SSL certificate.


Thank you all for the explanations. I am using DirectAdmin for administering my server and it might have that control panel that caused me to think I needed that dedicated IP.

SNI is fully supported in DirectAdmin, it’s only disabled by default.
http://directadmin.com/features.php?id=1100

More specifically, the SSL library in Windows XP doesn't support it. You can use a different browser like Chrome or Firefox and those will work. Do keep in mind that many Windows applications won't work, though. Basically, anything using SChannel (Microsoft's SSL library) will be a problem.


Indeed, WinXP Firefox is fine.

As IIS 7 does not support SNI, I thought I had to dedicate the site’s IP, but even though I did not, the site’s SSL works fine with a shared IP. Is that normal?

If there is only one certificate (even if that certificate has several names in it), then SNI is not necessary, since the server can simply answer with this certificate and know it must be the right one. SNI is most relevant for shared hosting environments, where it is not at all practical for all the sites on a server to share one certificate.

I meant IIS 7 does not support SNI and I can install a certificate without dedicating an IP to the web site. So without SNI usage, is it normal to use a shared IP in IIS? Because everything seems normal.

If you’re saying that you have multiple sites but only one of them uses SSL, then yes that’ll work. SNI is only needed when you want multiple sites with different certs.

For older versions of IIS, you will need a unique IP (or port) for each certificate. If you have multiple sites on the server, but only one with a certificate you will only need the one IP. The HTTP/1.1 Host header takes care of selecting the right site for non-SSL connections on a shared IP.

Bluehost requires a dedicated IP.
https://my.bluehost.com/hosting/help/204