Skip to main content
Information Security

You are not logged in. Your edit will be placed in a queue until it is peer reviewed.

We welcome edits that make the post easier to understand and more valuable for readers. Because community members review edits, please try to make the post substantially better than how you found it, for example, by fixing grammar or adding additional resources and hyperlinks.

Required fields*

5
  • well, I can't afford one certificate per tenant. I think my question is if there's any difference if I only buy one certificate and put all of them using the same domain (each tenant on a /directory/) or a wild card and each tenant on a subdomain. PS: How could someone steal the certificate? Commented May 28, 2012 at 11:59
  • Stealing the certificate is nothing magic. If the webserver need to be able to read it ( for https ), then code executing in the webserver ( like, let's say, mod_php ) can also read the certificate. There can be various restrictions however, but that's something to keep in mind. And indeed, there isn't much difference with the 2 approaches. I would say that if you later have enough money for 1 cert per domain, the first approach would permit a easier migration. Commented May 28, 2012 at 12:55
  • Note the following points, 1) the https certificates need an ip address per domain to be supported, 2) If you use a multi-tier architecture you can have the https decryption on web tier, the django on the app server tier, the db on the db tier and so the cert is on a different tier than the likely injection, so potential compromise is limited somewhat (separation of duties mantra). Commented Jun 7, 2012 at 21:56
  • No, you can use more than 1 https certificate per ip address with newer ssl library ( ie, using SNI serverfault.com/questions/109800/… ) Commented Jun 8, 2012 at 4:56
  • Hi @misc, I love the idea, but it needs browser support and if you are going to support older browsers (at all) then you need to use multiple ip addresses. Commented Apr 10, 2013 at 21:41