An SSL certificate is a protocol that provides a secure communication channel between a web browser and a server. SSL certificates reduce the risk of cyber-criminals stealing sensitive data.
Subdomains also require SSL certificates to prevent attacks through them.
This article will explain SSL certificates for subdomains and the difference between multi-domain and wildcard SSL certificates.
- SSL certificates are critical for the security of your website
- They encrypt the communication between server and browser, keeping confidential data protected and helping prevent cyberattacks
- Installing SSL certificates for subdomains on multiple subdomains can be expensive
- Wildcard and Multi-domain SSL certificates provide a low-cost solution by covering multiple subdomains
- Understand the differences between Wildcard and Multi-Domain SSL certificates and when to use each one
How SSL Certificates Work for Subdomains
The SSL certificates for a subdomain prevent hackers and criminals from intercepting the main site through the subdomain.
Why should you protect subdomains from attacks?
Subdomain takeover is a type of cyberattack where a criminal gets control of a subdomain and uses it to control the entire site.
This attack may happen if the subdomain has a CNAME in the Domain Name System (DNS). If there isn’t a published virtual host, an attacker can substitute their virtual host and control the subdomain.
Attackers can expand to other attacks like cross-site scripting and capturing sensitive information when that happens. Securing every subdomain is then critical to prevent attacks.
Do You Need an SSL Certificate for Each Subdomain?
While you don’t need an SSL certificate for each subdomain, a single-domain SSL certificate can cover only one primary domain or subdomain.
There’s where Wildcard SSL and Multi-Domain certificates come to help, allowing you to secure multiple subdomains with one certificate.
- A Wildcard SSL can encrypt your domain together with an unlimited number of subdomains.
- A Multi-Domain certificate can encrypt multiple domains, including their subdomains.
Can You Create an SSL Certificate for a Subdomain on a Different Server?
Hosting subdomains on different servers has several advantages. For instance:
- You can direct visitors to specific subdomains without them passing through the home page.
- You can improve operations by managing the blog from a WordPress host and the billing from another server.
The challenge comes when you need to secure SSL certificates on subdomains listed on different servers, which require you to buy separate SSL certificates. If you have a Wildcard SSL, you should install the same Wildcard certificate on each of the servers.
How do you install a Wildcard SSL Certificate on Multiple Servers?
- Generate a Certificate Signing Request (CSR) for only one of the servers
- Once the CSR is generated, you install the certificate on the server where you generated the CSR. Then, repeat the process with the other servers
- Copy the private key from the first server and paste it to the other servers
Can You Use One SSL Certificate on Multiple Subdomains?
Yes, if you use a Multi-domain SSL certificate or SAN (Subject Alternative Name). Unlike regular Certificate Signing Requests, which you cannot modify, you can add or edit a SAN certificate.
In our example for site22.com, if you also have other sites, you can cite them as subject alternative names of a single certificate.
You can also use a MultiDomain Wildcard certificate, which allows you to secure up to 250 and unlimited domains.
Multi-Domain SSL vs. Regular Wildcard SSL Certificates
Multi-Domain and Wildcard certificates secure both the primary domain and subdomains, but they have some differences:
A Multi-Domain certificate is a certificate that conceals several domains under one IP.
A regular Wildcard certificate secures one primary domain and an unlimited amount of its subdomains.
Wildcard SSL Certificate for Subdomain
A Wildcard certificate allows you to secure unlimited subdomains with a single certificate. Let’s have an example:
You purchase a domain named www.site22.com, an e-store. This domain has a different subdomain for each product category, like lp.site22.com, books.site22.com, shipping.site22.com.
A regular SSL certificate will only cover one Fully Qualified Domain Name (FQDN) domain. If you secure site22.com with a single SSL certificate, you’ll need a separate certificate to secure second-level subdomains of your site.
With Wildcard SSL certificates, you can secure all the subdomains at the same level as site22.com.
So, what’s the structure of a Wildcard subdomain?
* .site22.com, where the * is a placeholder for the subdomains it covers.
Multi-domain SSL Certificates
Multi-Domain certificates secure multiple domain names. These certificates are also called subject alternative name (SAN) certificates. Let’s continue with the site22.com example:
Let’s say you have other businesses besides site22.com, each with its website, and you need to secure all of them. Purchasing SSL certificates for each domain and subdomain can be cumbersome and expensive. You can secure all these sites with a Multi-domain certificate by adding them to the SAN certificate.
Wildcard SSL Certificate on GoDaddy and Other Domain Registrars
Users with websites hosted in GoDaddy can purchase GoDaddy Wildcard Certificates to secure unlimited servers and subdomains. Here are some of the features of GoDaddy’s Wildcard SSL certificates:
- SHA-2 and 2048-bit encryption
- Unlimited servers
- Displays trust indicator in address bar
- Padlock in the address bar
GoDaddy Wildcards are on the expensive side, at $260/year.
Namecheap Wildcard SSL Certificates such as PositiveSSL Wildcard and Comodo EssentialSSL Wildcard are available to users of Namecheap. It comes at a lower price of $39.99. Here are some of their features:
- Available in Domain Validation (DV) and Organization Validation (OV)
- RSA Key and 2048-bit
- Encryption up to 256-bit
Multi-Domain SSL Certificate on GoDaddy and Other Domain Registrars
A multiple-domain certificate is also called a Unified Communications Certificate (UCC), and you can use it on products hosted in GoDaddy.
These certificates can secure multiple primary domains and all the subdomains under them. The certificate is issued to the primary domain name, but it includes all the other domains and subdomains, connecting all of them.
Remember that you cannot add more names to a UCC once you use all the slots available.
Here are some of the features for a SAN (UCC) certificate in GoDaddy:
- A basic certificate protects up to 5 websites and up to 100 for an added fee.
- 2048-bit encryption
- Central dashboard for managing the security of up to 100 websites.
- Prices start from $142.94/year.
Does a Wildcard SSL Certificate Cover All Subdomain Levels?
A regular Wildcard SSL only covers subdomains at one level, but you can also have a Wildcard for two levels by using a Multi-Domain Wildcard SSL. It can cover the main domain and subdomains within a subdomain.
How does a Multi-Domain Wildcard SSL work?
To generate a CRS for a Wildcard SSL certificate for two levels, you first need to know which subdomain you wish to divide. For example, let’s say you use a first-level Wildcard for your site22.com with the designation * .site22.com; the (*) is a placeholder for music.site22.com, art.site22.com and shipping.site22.com.
To subdivide a subdomain, you must generate a CSR with the format *.music.site22.com instead of the FQDN. In this case, the Wildcard SSL certificate covers two levels of the music.site22.com subdomain but not for other subdomains. For example, if you want to cover the subdomains of art.site22.com, it needs its subdomain.
Which SSL Certificate Is Best for Subdomains?
Which SSL certificate you choose will depend on the structure and the strategy you want for your website. Here are some factors to consider when picking the right SSL certificate:
- The Certificate Authority (CA). Choose a reputable CA with strong encryption. Insecure or rogue certificates can be harmful.
- How many subdomains and how many levels your site has? Consider how many subdomains you plan and at how many levels. If you have two levels or more, consider a Multi-domain Wildcard SSL. A Regular Wildcard SSL can help if you have a single domain and multiple subdomains at a single level.
- Which validation level do you require? SSL certificates come with different levels of validation. Domain Validated (DVs) are best suited for static, single-domain sites, as they provide the lowest level of identity validation. Organization Validated (OV) and Extended Validation (EV) verify the domain owner and details such as physical address and status. Extended Validation SSL certificates are only available for Regular and Multi-domain certificates, while Wildcard SSLs usually provide OV and DV validation only.
- Single server or multi-server? While multi-server SSLs can be useful for subdomains, they can pose a security risk since they duplicate the keys.
- What type of hosting do you have?
How to Get a Free SSL Certificate for a Subdomain on GoDaddy with Letsencrypt
SSL certificates can be expensive, but you can get a free SSL certificate for a subdomain by installing Let’s Encrypt. Let’s Encrypt is a free SSL certificate provider, which makes it popular with small websites.
Let’s Encrypt works for shared hosting like GoDaddy and other hosting providers. To use a Let’s Encrypt certificate on your GoDaddy Linux Hosting account, manually configure the SSL certificate.
Besides, Let’s Encrypt certificates are only valid for 90 days. Because GoDaddy does not support auto-install on a Linux Hosting account, you need to renew the certificate every 90 days to prevent your website from showing a security error. Here are the steps to do it:
- Generate a Certificate Signing Request (CSR). Certbot, the certificate generator recommended by Let’s Encrypt, is not supported on GoDaddy, so you must use a third-party client.
- Verify your domain ownership. Follow the instructions of the third-party certificate generator to verify your domain.
- Install the certificate and private key in cPanel. Here are the steps to install a private key on cPanel.
- Log in to cPanel.
- Navigate to the Security section of the cPanel.
- Select SSL/TLS
- Select (KEY) and click Generate/View/Upload/Delete Your Private Keys.
- Select Upload a New Private Key.
- Return to SSL/TLS
- Remember to renew the certificate every 90 days.
Conclusion: Why Should You Use an SSL Certificate for Subdomains?
If you own a website or several, installing SSL/TLS security lets you encrypt the communication between the server and the browser. To make your website sure, you must secure your subdomains, too. Otherwise, a criminal can use your subdomain to infiltrate your website.
Therefore, installing an SSL certificate that covers your domain and subdomains will ensure your customer’s data privacy and prevent your website from being flagged as non-secure.
Next Steps: What Now?
- Go to register and choose your domain name, which should be your first step if you still need to register your domain. Create your subdomains in the control panel.
- Choose the hosting provider for your site.
- Decide which type of SSL certificate you need according to your website structure. Compare different Certificate Authorities and providers. Install the SSL certificates.