3

I am in the process of enabling HTTPS on my web sites. I have a web site, let's call it example.com, which is available both with and without a www. prefix.

I can now:

  1. request one SSL certificate for example.com and another one for www.example.com or
  2. request a single SSL certificate for example.com with a SAN for www.example.com.

I am aware that, from a security point-of-view, both solutions are fine (which is why I ask this question here instead of at security.stackexchange.com). Certificate renewal will be automated and the certificates themselves are free of charge (using Let's Encrypt).

Is there any reason to prefer one option over the other?

Heinzi
  • 263
  • 2
  • 7

2 Answers2

1

You would just need to order the one cert for example.com. The www is part of it or included by default. If you wanted other sub-domains, ie server.example.com, then you would either need a wildcard domain cert [*.example.com] or order two to cover the extra domain. Hope this helps answer your question.

Applied-Innovations
  • 11
  • 2
1

Is there any reason to prefer one option over the other?

Assuming the use of Let's Encrypt and that each certificate lists just the www and non-www versions of a single domain, the only likely drawback to using a SAN certificate is the possibility of some compatibility issues with older browsers, mostly prior to 2003.

On the positive side, there would be only a single certificate to automate for each primary domain (e.g. [www.]example.com). However, you might still want separate certificates for true sub-domains (e.g. sub.example.com) in case they need to be updated... so this could be a tossup benefit-wise.

As a purely personal opinion, I see no reason not to use a SAN certificate in this instance unless browser compatibility is a priority.

Anaksunaman
  • 811
  • 5
  • 8