What websites can be protected by a particular SSL certificate?
If you view the certificate in your web browser, you should be able to find the certificate subject alternative name
value for the certificate. This will show a list of all of the sites that can be secured using this certificate, in addition to the site shown in the common name
for the certificate. You may see wildcard values used in some of the names, such as *.hsbc.co.uk or *.security.hsbc.co.uk.
As an example, if you look at the certificate protecting this page, you'll see that Stack Exchange uses one certificate for all their sites:
[Screenshots of the certificate viewer in Firefox and Chrome showing the Subject Alternative Name list]
The site we're currently on, https://security.stackexchange.com, is covered by the wildcard SAN *.stackexchange.com.
Bear in mind that in order for any site listed in these fields to use this certificate, the site would need the private key that corresponds to the public key in the certificate.
These conditions must be met in order for your browser to make an SSL/TLS connection to the site without warnings.
For a site to successfully use any given X.509 certificate (the type of certificate used by TLS/SSL), it has to meet a few specific requirements:
- It must have the correct private key for the certificate. Without this, nothing else matters, as the server won't be able to correctly encrypt the communications otherwise.
- The Certificate Authority who signed the certificate must be trusted by the user's browser (either because the browser developers/vendor inherently trusts it, or because the user (or the person who set up their system) configured the browser to trust it). Without this, the browser won't trust the certificate to be secure in and of itself.
- It must be accessed through a domain name that either matches the Common Name the certificate is issued to, or one of the Subject Alternate Names listed in the certificate. Without this, the browser may trust the certificate, but it won't let it be used for that site. Some browsers will not check the Common Name at all and require a Subject Alternate Name match.
- The certificate must still be valid. This means that the client system must see the date and time as being after the issue date listed in the certificate, but before the expiration date listed in the certificate. Depending on the browser and site, other checks may be made for this part as well (for example, it may check a certificate revocation list from the CA, or validate the certificate through OCSP). Not meeting this requirement is effectively the same as not meeting the second requirement.
Any website that meets all four requirements for the certificate can use that certificate. Some browsers may warn the user instead of blocking access to the site if any of the above requirements other than the first aren't met, though this is becoming less and less common as a result of HSTS becoming the norm (if a site has asked for HSTS, the browser should block all access without a certificate that doesn't meet all four requirements).
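Added example (not code from either answer above): how a client decides whether a hostname is covered by a certificate's Common Name or Subject Alternative Names, including the single-label wildcard rule that makes *.stackexchange.com cover security.stackexchange.com but not stackexchange.com itself, plus the validity-window check from the fourth requirement. The certificate fields are a constructed stand-in built from the names quoted in the answers; chain trust and revocation are not modelled here.

```python
from datetime import datetime

# Constructed stand-in for a parsed X.509 certificate (not a real certificate).
EXAMPLE_CERT = {
    "common_name": "*.stackexchange.com",
    "san_dns": ["*.stackexchange.com", "stackexchange.com", "*.hsbc.co.uk"],
    "not_before": "2024-01-01T00:00:00+00:00",
    "not_after": "2025-01-01T00:00:00+00:00",
}


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match. A wildcard is honoured only as the
    entire leftmost label and matches exactly one label (RFC 6125 style):
    *.example.com covers a.example.com, not example.com or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".example.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]       # whatever precedes the suffix
    return bool(leftmost) and "." not in leftmost


def hostname_allowed(cert: dict, hostname: str, require_san: bool = True) -> bool:
    """Third requirement: the name must match a SAN entry. Modern browsers ignore
    the CN whenever a SAN extension is present; require_san=False emulates the
    legacy fallback to the CN for certificates with no SAN at all."""
    sans = cert.get("san_dns", [])
    if any(name_matches(p, hostname) for p in sans):
        return True
    if sans or require_san:
        return False
    return name_matches(cert.get("common_name", ""), hostname)


def is_currently_valid(cert: dict, now_iso: str) -> bool:
    """Fourth requirement: the client's clock (ISO 8601 string) must fall
    inside the certificate's notBefore/notAfter window."""
    now = datetime.fromisoformat(now_iso)
    not_before = datetime.fromisoformat(cert["not_before"])
    not_after = datetime.fromisoformat(cert["not_after"])
    return not_before <= now <= not_after
```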
- A wildcard certificate is a digital certificate that is applied to a domain and all its subdomains (*.domainname.example.com).
- With a multi-domain certificate you can secure multiple fully qualified websites with one certificate (domainname1.example.com, domainname2.example.com, ...).