Do I need a certificate to redirect via CNAME?
Neverever's answer is correct. You do need an SSL certificate. I wanted to add that it is because there is no such thing as a CNAME redirect.
A CNAME is not a redirect. A CNAME instructs the DNS to resolve to the same domain as where the CNAME points. The CNAME does not cause a redirect. It only causes the HTTP request for a domain to be made to the same IP address as requests for another domain.
The process a browser and operating system actually use for getting a redirect from https://site1.example/ to https://site2.example/ is:
- DNS lookup for site1.example. Discover it is a CNAME for site2.example.
- DNS lookup for site2.example. Find an A record for its IP address (192.0.2.4, for example).
- Open a socket to the IP address 192.0.2.4 on port 443.
- Negotiate TLS (SSL) for the domain site1.example.
- Make the HTTPS request for https://site1.example/:
    GET / HTTP/1.1
    Host: site1.example
- Get the response back with the redirect:
    301 Moved Permanently
    Location: https://site2.example/
- Perform another DNS lookup for site2.example. Find an A record for its IP address (192.0.2.4, for example). The DNS response will come from DNS cache this time.
- Open a socket to the IP address 192.0.2.4 on port 443.
- Negotiate TLS (SSL) for the domain site2.example.
- Make the HTTPS request for https://site2.example/:
    GET / HTTP/1.1
    Host: site2.example
- Get the response back with the content:
    200 OK
    ...
Just to be able to redirect a HTTPS request you need DNS for that domain, a web server for that domain, and SSL for that domain. It doesn't actually matter if you use a CNAME record or an A record. A redirect can happen either way.
In fact, an A record is almost always more efficient. DNS lookups are faster with direct A records than with CNAME records. CNAME records require a second DNS lookup and don't make the rest of the redirection process easier.
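The sequence in the answer above, modelled offline as an added example (not part of the original answers): the certificate is checked against the host in the URL, so a CNAME to site2.example does not let the site2.example certificate serve site1.example. The zone data, the `certs` mapping (SNI name to the SAN list the server presents, with `default` as the fallback) and all function names are hypothetical, and the name matching is a simplified form of RFC 6125.

```python
# Constructed sample data modelled on the answer's site1.example / site2.example
# walk-through; nothing here touches the network.
ZONE = {
    "site1.example": ("CNAME", "site2.example"),
    "site2.example": ("A", "192.0.2.4"),
}
REDIRECTS = {"site1.example": "https://site2.example/"}  # 301 rules on the server


def resolve(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs to an A record; return (ip, names visited)."""
    chain = [name]
    for _ in range(max_hops):
        rtype, value = zone[chain[-1]]
        if rtype == "A":
            return value, chain
        chain.append(value)
    raise RuntimeError("CNAME chain too long")


def cert_matches(host, sans):
    """Simplified RFC 6125 check: exact name or one left-most '*' label."""
    host = host.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def fetch(host, certs, zone=ZONE):
    """Model one HTTPS request for https://<host>/."""
    ip, chain = resolve(host, zone)
    # SNI and certificate verification use the URL host, never the CNAME target.
    sans = certs.get(host) or certs.get("default", [])
    if not cert_matches(host, sans):
        return {"ip": ip, "chain": chain, "error": f"certificate not valid for {host}"}
    if host in REDIRECTS:
        return {"ip": ip, "chain": chain, "status": 301, "location": REDIRECTS[host]}
    return {"ip": ip, "chain": chain, "status": 200}


if __name__ == "__main__":
    print(fetch("site1.example", {"default": ["site2.example"]}))  # TLS fails first
    both = {"site1.example": ["site1.example"], "site2.example": ["site2.example"]}
    print(fetch("site1.example", both), fetch("site2.example", both))
```

With only a site2.example certificate the request for site1.example fails at the TLS step, before the server can send the 301.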
Yes, you'll still need an SSL certificate for abc.example.com.
Due to the nature of CNAME redirection, when you type abc.example.com in the browser, the URL stays abc.example.com, and this is where you need the SSL certificate.
SEO Tips
You might want to use 301 redirects instead of a CNAME redirect; this will pass on the ranking power/juice from abc.example.com to xyz.example.com.
However, this would still require an SSL certificate.
Have you tried Let's Encrypt, a certificate authority that provides free SSL certificates?