Is a Dedicated IP for each SSL Certificate still needed?
I get this question a lot: Is a dedicated IP address needed for each SSL-enabled website you host? The answer used to simply be “yes”. Luckily, advancements in web standards now allow you to run multiple SSL websites sharing a single IP address.
Today’s article is relevant to anyone who runs or is thinking about setting up an SSL-enabled website. IP addresses are becoming harder to get and more expensive, making this an important concern for all website admins and web hosts.
TL;DR
It the vast majority of cases, it is not necessary to have a dedicated IP address for each SSL certificate. SNI (server name indication) is widely supported and allows multiple websites to be hosted on a single IP address.
Table of Contents
What is SSL?
What precisely are SSL websites and how do they relate SSL certificates? SSL, or Secure Sockets Layer, is a protocol is used to encrypt communication between a web server and a client, like a web browser. This protects any transmitted sensitive information, such as credit card numbers or personal information, from being intercepted and accessed by outside parties.
To use SSL, a website must have a valid digital certificate installed on the web server. This certificate is A website has to have a valid SSL certificate installed on the web server if you want to access the website via SSL. This certificate contains the public and private key that is used to encrypt the connection and was issued by a certificate authority (CA). The domain name of the website is also included, which is used to confirm the server’s authority and identify the website the certificate is valid on.
The bad old days
For most of internet history, every SSL-enabled website would need it’s own IP address. This was a side effect of the SSL handshake process. Specifically, as part of the handshake process, the server needs to know which certificate to use for encrypting communications. Unfortunately, the domain you are trying to access is part of the data that would be sent on an encrypted basis. Because of this, the server didn’t know explicitly which website a browser was trying to access until after it had already selected a certificate. To make sure it could pick the correct certificate, the workaround was to have every IP address be associated with a single domain name. That way, for any request to a specific IP address, the webserver knew which domain you were trying to access, even before the web browser could tell the web server about it. The obvious downside here is that every SSL accessible website would need its own IP address. As IPs became more expensive, we needed a better solution.
Our hero, SNI, emerges
Thankfully, with the development of a technique called Server Name Indication, this has changed (SNI). A web server can host numerous SSL-enabled websites using SNI, an extension to the SSL/TLS protocol, on a single IP address. Since its initial standardization in 2003, this technology has gained widespread acceptance from web servers and browsers.
Multiple websites can share a single IP address via SNI, even if they have different SSL certificates. This can be a budget friendly solution to host a number of SSL-enabled websites, particularly for startups or websites with little traffic. Additionally, adopting SNI allows you to avoid paying for and maintaining several IP addresses, which will save you money and simplify server configuration.
To use SNI, no special effort is required. Nearly all modern web browsers and web servers support SNI, so unless you are using a very old version of these applications, you should be able to use SNI with little or no additional configuration. To configure apache for SNI, for example, is basically identical to configuring any other kind of virtualhost based website on apache.
What’s the catch?
Utilizing SNI has some limitations, but they are minimal. For instance, SNI may not be supported by extremely old web browsers and web servers, in which case you would need to have a dedicated IP address for each SSL-enabled website. However, since the majority of current applications support SNI, this is unlikely to be a problem for most users. Furthermore, even though the majority of hosting companies ought to offer SNI by this point, you should verify with your provider to see whether this is an option since some hosting companies might not.
In conclusion, it is a little harder than it used to be to determine if SSL-enabled websites need a dedicated IP address. Previously, the answer was unambiguously “yes,” but with the introduction of SNI, it is now both feasible and advised to utilize a single IP address for a number of SSL-enabled websites. Given that IP addresses are getting harder and harder to find with time, this is a huge relief.
Do you love servers?
We do! If you’re looking to optimize your server’s configuration, IOFLOOD can help. Our dedicated servers offer a range of solutions to fit your needs, and our team of experts is always available to answer questions you might have about your server.
To learn more about our dedicated servers and how we can help you with your specific needs, contact us at sales[at]ioflood.com or visit our website at https://ioflood.com. Our team is ready to answer your questions and help you find the best server for your needs.