Knowledgebase

A new way to serve SSL certificates

SSL certificates could only be set up on a one-per-IP address basis in the past.

While this one-to-one relationship is simpler to implement, there are a finite number of IP addresses that can be used on the internet, and they are in ever-shorter supply.

As such, one IP address per SSL is a very wasteful use of a limited resource.

That's why SNI (Service Name Indication) was developed, allowing multiple SSLs to be served from the same IP address.

We are obliged by the people who regulate the underlying internet technologies not to "waste" IP addresses, and the way Windows XP, and some older browsers, work with SSL certificates is considered wasteful.

This is why they are slowly being moved and why Windows XP is slowing down the adoption of better security standards for the Internet.

Old browsers don't support the new way

SNI is supported in all modern browsers on modern operating systems, though some people that use older browsers may find that when they visit a site with an SSL certificate on a shared IP address, they are warned it is not valid.

This is not a problem with the certificate, but a case of old technology not being able to differentiate between certificates served through one IP address.

Internet Explorer version 7 on Windows Vista is the oldest version of Internet Explorer that supports SNI.

Any older versions of Internet Explorer won't recognise this SSL certificates on shared IP addresses. Similarly, Internet Explorer versions 7 and 8, when run on Windows XP or older, will not recognise SNI SSLs.

The fix

In an age where software updates are readily available and can automatically be delivered to computers, there is not much reason outside of novelty to be using an old, insecure operating system or browser.

As time goes on, browsers that don't support what is becoming an integral part of internet technologies will become much fewer and further between.

Even in cases where an old operating system is being used, up to date versions of Google Chrome, amongst other browsers, can be installed, which do support SNI, allowing sites, and their SSLs, to load correctly.