by ikusalic 4177 days ago
Thanks. I'd actually prefer to buy through Namecheap as well. I saw RapidSSL and PositiveSSL certs, but I thought they are not suitable if I want both w/ and w/o 'www' subdomain.

So if I buy RapidSSL or PositiveSSL through Namecheap for www.example.com, they will automatically come with example.com in SAN?

Also, why do they have "You also need to have a dedicated IP address" in the requirements? Is this used somewhere in the validation process? I'm asking because the website runs on top of AWS S3, so I do not have dedicated IPs.


@ikusalic

> Also, why do they have "You also need to have a dedicated IP address" in the requirements? Is this used somewhere in the validation process? I'm asking because the website runs on top of AWS S3, so I do not have dedicated IPs.

The reason is that in the past browsers did not support name-based virtual hosts for SSL and required a dedicated IP to negotiate the initial connection. Wikipedia gives a decent overview on SNI. [1] Amazon CloudFront supports SNI (SSL named virtual hosts) since last March [2]... I don't know if there are costs involved on the AWS side.

According to Qualys, the users of the following clients would not be able to negotiate a connection to your site if you don't have a dedicated IP and use SNI instead:

- Android 2.3.7

- BingBot Dec 2013

- IE 6 / XP

- IE 8 / XP

- Java 6u45

- Yahoo Slurp Jun 2014

Implementation notes for the more popular web servers for posterity or in case you migrate from AWS:

- Apache https://wiki.apache.org/httpd/NameBasedSSLVHosts

- Nginx.org links to https://www.howtoforge.com/how-to-set-up-ssl-vhosts-under-ng...

I know Digital Ocean/Linode/Rackspace also offer some really good resources too aside from the SSL provider docs. I've been extremely pleased with the certs/support Namecheap resells over the past 7 years. And they do include the bare domain in the SAN automatically--it has been included for all certificates I've ever purchased. Hope this helps!

[1] http://en.wikipedia.org/wiki/Server_Name_Indication

[2] http://aws.amazon.com/about-aws/whats-new/2014/03/05/amazon-...

> Also, why do they have "You also need to have a dedicated IP address" in the requirements?

Because a web server that hosts multiple secure websites needs a way to know which of the certificates to use to encrypt a new incoming connection. The way we disambiguate that is to give each website a different IP address. In short, it's about the way SSL works, not anything to do with validation.

Thanks for the explanation. To my understanding, that's only necessary when I actually use the certificate, not as part of the certificate validation. I assumed the validation would happen with me setting some DNS record with a particular value they can validate or something similar.

I hadn't noticed that. Typically the only thing they need in terms of a domain when you actually activate the cert is that they'll only be willing to send the cert to an email that can be found on a whois record. You should be fine.