简体繁体 English

SSL证书是SAN还是通配符？

[英]SSL Certificate SAN or Wildcard?

原文 2013-01-10 21:45:41 3 6 ssl/ certificate/ wildcard

I'm wanting to cover the a few domains with an SSL Certificate. 我想用SSL证书覆盖几个域。 eg 例如

portal.domain.com portal.domain.com
app.domain.com app.domain.com
app1.domain.com app1.domain.com
app2.domain.com app2.domain.com

I'm a bit confused as to whether I can go for the cheaper Unified Communications Certificate, or whether I need to fork out for a wildcard certificate. 对于我是否可以申请便宜的统一通信证书，或者是否需要派出通配符证书，我有些困惑。 Is the only difference that the wildcard can have an unlimited number of subdomains, where the UCC only covers a set number under the SANs? 通配符可以具有无限数量的子域（UCC仅覆盖SAN下的固定数量）的唯一区别是吗？

Thanks in advance 提前致谢

6 个解决方案

Yes. 是。 Keep in mind that some old X.509 implementations might not support SAN, but that's pretty rare today (some Symbian OS phones for example, see http://www.digicert.com/subject-alternative-name-compatibility.htm ). 请记住，某些旧的X.509实现可能不支持SAN，但是今天却很少见（例如，某些Symbian OS电话，请参阅http://www.digicert.com/subject-alternative-name-compatibility.htm ）。

Yes, you are right Unified Communications Certificate covers a set on SANs but it can secure multiple domains, and hosts configured in your Exchange server where a traditional wildcard SSL cannot. 是的，您是对的，统一通信证书涵盖了SAN上的一组证书，但它可以保护多个域以及在Exchange服务器中配置的主机，而传统的通配符SSL则不能。 For eg A wildcard ssl can secure first level of sub-domains like *.example dot com where a Unified Communications Certificate secures www.example dot com, www.example dot net etc. 例如，通配ssl可以保护第一级子域，例如* .example dot com，其中统一通信证书可以保护www.example dot com，www.example dot net等。

Generally, a domain name or URL requires just one certificate to be secure. 通常，域名或URL仅需要一个证书即可安全。 But what if you need to secure multiple domains? 但是，如果您需要保护多个域怎么办？ How can you manage their security without sacrificing budget and time? 您如何在不牺牲预算和时间的情况下管理其安全性？

Securing Multiple Domains 保护多个域

Securing multiple domains can be achieved with 2 approaches, Wildcard certificates and Unified Communications Certificates (UCC), also known as SAN (Subject Alternative Name). 可以使用通配符证书和统一通信证书（UCC）这两种方法来保护多个域，这也称为SAN（主题备用名称）。 SAN lets you specify additional host names (sites, IP addresses, common names, etc.) to be protected by a single SSL Certificate, while a Wildcard certificate can support a single domain and an unlimited number of first-level subdomains. SAN使您可以指定其他主机名（站点，IP地址，通用名等），以由单个SSL证书保护，而通配符证书可以支持单个域和不限数量的第一级子域。 SAN/UCC can also be combined as an extension with a Wildcard to add functionality to the certificate. SAN / UCC也可以作为扩展与通配符结合使用，以向证书添加功能。 You can combine these two certificates as a Multi-domain Wildcard SSL Certificate depending on your needs. 您可以根据需要将这两个证书组合为多域通配符SSL证书。 This makes managing the security of multiple websites much easier and cheaper than managing a separate SSL certificate for every domain you own. 与为您拥有的每个域管理单独的SSL证书相比，这使得管理多个网站的安全性变得更加轻松和便宜。

It's only cheaper up until a certain number of domains, because UC and SAN certs charge by each domain name. 直到一定数量的域，它才更便宜，因为UC和SAN证书按每个域名收费。 You'll notice the price changes as you enter and subtract domains from this UCC link 在此UCC链接中输入和减去域名时，您会注意到价格的变化

If you know that you will have more than say 5 subdomains, save some cash with the wildcard because it's a set prices regardless of the number of sub domains. 如果您知道自己将拥有5个以上的子域，请使用通配符节省一些现金，因为这是固定价格，与子域的数量无关。

UCC and SAN is only recommended for exchange server. 仅建议将UCC和SAN用于交换服务器。 your requirement seems like you need ssl with common name *.domain.com so that single ssl works for all sub-domains. 您的需求似乎需要通用名称* .domain.com的ssl，以便单个ssl适用于所有子域。

Know what exactly UCC and SAN is.. UCC / SAN cert is recommended only if you need to secure different tld like urdomain.com urdomain.co.uk urmydomain.net. 了解UCC和SAN的确切含义。仅当需要保护urdomain.com urdomain.co.uk urmydomain.net之类的其他tld时，才建议使用UCC / SAN证书。 This kind certs cost too much as it starts from $200. 这种证书的价格太贵，因为它的起价为200美元。

Answering your question, I checked few brands wildcard ssl RapidSSL wildcard, comodo positive ssl wildcard, globalsign alphassl wildcard, geotrust wildcard ssl. 在回答您的问题时，我检查了几个品牌通配符ssl RapidSSL通配符，comodo正ssl通配符，globalsign alphassl通配符，geotrust通配符ssl。 I tested these brands installed ssl website in my iPhone and Samsung android phone. 我在iPhone和三星android手机中测试了这些品牌安装的ssl网站。 All works perfect. 所有作品都很完美。

I reviewed many ssl providers for UC certificates pricing. 我查看了许多SSL提供商的UC证书定价。 Apart from the pricing, I found some ssl providers sell same product with different names, like multi-domains ssl, san certificate and uc certificates. 除了定价外，我发现一些ssl提供商出售具有不同名称的相同产品，例如多域ssl，san证书和uc证书。

Microsoft exchange server requires typical UC certificate, strongly recommended by Microsoft. Microsoft交换服务器需要典型的UC证书，这是Microsoft强烈推荐的。 I decided to purchase UC certificate but it costs too much, starts from $300 to $600 with veriour providers like comodo, globalsign, digicerts etc. First I purchase single domain ssl and failed in exchange server installation. 我决定购买UC证书，但费用太高，与comodo，globalsign，digicerts等Veriour提供程序的价格从300美元到600美元不等。首先，我购买了单个域ssl，但Exchange服务器安装失败。 I thought could save $$$ with single domain ssl. 我以为可以用单个域ssl节省$$$。

Later I searched for UC certificate prices $50 to $100 and found ssl2buy ssl company provides comodo uc certificates for $60 only and it includes 4 domains. 后来我搜索了50美元到100美元之间的UC证书价格，发现ssl2buy ssl公司仅以60美元的价格提供comodo uc证书，它包括4个域。

https://www.ssl2buy.com/comodo-multi-domain-ssl.php https://www.ssl2buy.com/comodo-multi-domain-ssl.php

I purchased this uc certificate and installed on my exchange server. 我购买了此uc证书，并将其安装在交换服务器上。 It works fine! 工作正常！ No error - No installation issue, nothing. 没有错误-没有安装问题，没有任何问题。