Pssst… If you are looking for quick answers regarding the process of or the technicalities in connection to installing SSL on an addon domain, just scroll down to the FAQ section. If you prefer to dive deep into the topic, just continue reading.
SSL certificates have become a must: they not only serve as a ranking factor but are also necessary to keep a website from being labeled as insecure in browsers such as Google Chrome. So far, only payment gateways and registration pages were required to be encrypted and were labelled as insecure if they weren’t, but this is now about to change drastically. Beginning July 2018, Google Chrome will take the next step in the fight against the unencrypted web and will mark all HTTP pages as insecure, as an image from Google’s online security blog illustrates.
The reason why this is happening now can be found in Google’s campaign for encryption, which has resulted in broad adoption of SSL by both large and small publishers. The expectation is that about 90% of web traffic will be encrypted by 2019.
While most credible domains online are already secured via SSL, this isn’t always the case with addon domains. The reasons for that are many, including the added cost. The most common reason, though, is that there are a lot of misconceptions about installing SSL on addon domains and very few resources helping website owners on the way.
This post will guide you through the process of installing an SSL certificate on an addon domain and will answer the questions you may have about the process itself and the impact of installing two or more SSL certificates on a single hosting account.
What is an Addon Domain?
Addon domains are absolutely normal domains that you purchase and point to a website. What is special about them is the way they are listed in your hosting account and the way you can use them.
Normally, you have one domain per hosting account, the primary domain. It points by default to the core of the hosting account, public_html. You upload your site’s files to this directory and they are thereby accessible via the primary domain.
Sometimes, however, you might want to make your site accessible via two or more domains. This could be in order to accommodate local versions of the website in different languages or it could be an attempt to reach different target groups.
In other cases, as your business and website grow, you find yourself registering subdirectory or subdomain sites. At some point though, you realize that you need to strengthen your brand by using separate domains per website branch.
While it is always recommended to keep only one website per hosting account so as not to exhaust its resources, often it is not possible or desirable to do so, as in the case of multilingual websites or if you don’t want to pay double for hosting.
In these cases, you’ll be using an addon domain as a way to accommodate more than one top-level-domain website in a single hosting account.
Such addon domains render as top-level domains but, file-structure-wise, point to a subdomain or subdirectory. Every time you register an addon domain, it is automatically listed as a subdomain of the primary domain. In practice, this means that you’ll be able to access the new site both via the addon domain and by typing newsite.primarydomain.com into the browser.
What is Special About Installing SSL on Addon Domains?
Addon domains are a bit special, as they share the hosting account with at least one other domain. If another domain on the hosting account already has SSL installed or is using a dedicated IP address, it might turn out that it is impossible to install SSL on the addon domain. The reason is that most accounts on shared hosting allow a single IP address to be associated with them. One IP address equals one SSL certificate per account, unless the server supports SNI.
If the server doesn’t support SNI, the only way to secure multiple domains sharing a hosting account is to use a wildcard or multi-domain SSL certificate.
What is SNI?
SNI, Server Name Indication, is an extension to the TLS (Transport Layer Security) networking protocol by which a client indicates which hostname on the server it is attempting to connect to at the start of the handshaking process. This makes it possible for the server to host and serve multiple SSL-secured websites, sharing a single dedicated IP.
All current web server software, including Apache, nginx, and IIS, supports SNI natively, meaning that servers updated to the latest versions allow you to use SNI to install multiple SSL certificates tied to a single dedicated IP address.
SNI was introduced back in 2003 but lacked browser support for years. In practice, the lack of support means that websites secured with SSL via SNI are labeled as insecure by browsers that do not support SNI.
Fortunately, 98% of client HTTPS requests now support SNI, according to Akamai. Basically, all modern browsers support SNI. The reason why 2% of HTTPS requests still don’t is that a corresponding percentage of internet users use outdated browsers, such as IE6 and Android 2.2.
It is therefore fairly safe to use SNI as an SSL-assigning method.
Prerequisites for Installing SSL on an Addon Domain
- The server supports SNI (if the primary domain or another addon or subdomain on the account already has or will have SSL installed). Most Apache, nginx, and Windows servers do support it but, if you are opening a new hosting account and you know you’ll be needing more than one SSL certificate, it might be a good idea to ask the hosting provider whether this is possible.
- A dedicated IP address must be associated with the account. When using shared hosting, you usually get a shared or dynamic IP address. In order to be able to install SSL, you must request a dedicated IP address. Most hosts offer it as an extra service. Some hosts, however, offer it for free or as a standard service.
- You have purchased an SSL certificate for each domain that should be secured. SSL certificates are tied to a specific domain and can’t be used on any other domain. The exceptions here are wildcard and multi-domain certificates.
- You have access to the control panel of your websites on the server. This is necessary in order to issue a CSR (Certificate Signing Request) and install the certificate, once purchased. Be aware that the CSR must be issued on the same server that the SSL certificate will be installed on.
- You must have administrative rights for the domain you want to secure with SSL (for Domain Validation SSL, issuing the CSR is enough proof; for higher validation levels, documentation is required).
Installing SSL on an Addon Domain (cPanel example)
To install SSL on any addon domain in your hosting account, follow these simple steps:
- Log in to your hosting account
- Navigate to the Security section and click on SSL/TLS
- From the SSL/TLS screen, choose Certificate Signing Requests (CSR)
- Fill out the CSR form with all relevant data. Choose to generate a new key if you haven’t already generated one. Under domains, type the domain name only, that is, without http. If your site is hosted on www.domain.com, this is what you should type. If your site is hosted on domain.com, this is what you should type. Enter your full address as requested and make sure everything is correct. If there is an error in your address or contact details, this might be grounds for refusal to issue a certificate. In the worst case, your domain may be put on hold if there is reasonable doubt that you provided correct contact details when registering the domain. Once ready, click on Generate certificate.
- You’ll use the CSR in the process of configuring the SSL certificate. Once you purchase an SSL certificate, you are sent a mail or given a link that you can use to complete the configuration of the certificate. You should provide the CSR in the requested form (copy-pasted or as a file) during the configuration.
- Once the certificate is configured, you’ll receive a mail, containing several certificate files. One of these files is an installation instruction. Please read this file, as it contains important information.
- You upload all certificate files via the form found here: cPanel home->Security->SSL/TLS->Certificates.
- To upload a certificate, you can either copy-paste the code of the certificate or upload it as a file. This is host-dependent, as some hosts do not allow you to upload the certificate as a file. The outcome is, however, the same no matter which upload method you use. Upload all relevant certificate files that you received by mail.
- To install the certificate, go to cPanel home->Security->SSL/TLS->Install and manage SSL for your site.
- In the installation form, choose the addon domain you want to install SSL on. The addon domain should already be registered in the account and pointing to the server.
- Either browse certificates (if already uploaded) or paste the certificate and the private key (that was generated during the process of issuing the CSR). If you were provided with and instructed to use the certificate authority bundle, paste it in the last field of the form. Once ready, click on Install.
- In the certificate list above the installation form, you can see all SSL-secured domains associated with the hosting account. Make sure there are no warnings and that installing the new certificate did not affect the already installed certificates on other domains.
That’s it – now you have successfully installed SSL on your addon domain.
As a last step, try viewing the addon domain in as many different browsers as possible. If it is labelled as secure in all of them, everything went well. Just to make sure, also check whether the other domains on your hosting account are still labelled as secure (if using SSL on them). While installing SSL on an addon domain isn’t expected to affect other SSL sites, on rare occasions it might happen if the server doesn’t support SNI or experiences technical issues.
If you experience issues, please contact your hosting provider. They are best placed to help you diagnose the problem and solve it.
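The final check above, and the rule that a certificate is tied to specific domains unless it is a wildcard or multi-domain certificate, can be scripted. This is an added example, not part of the original post: it compares the hostnames on one account against a certificate's DNS names using the usual wildcard rule (the `*` stands for exactly one leftmost label). `newsite.primarydomain.com` is the alias form used earlier in the post; `addon-domain.example` and the three certificate name lists are constructed placeholders. `fetch_sans` needs network access and is not used by the sample run.

```python
import socket
import ssl

def san_matches(pattern, host):
    """True if one SAN entry covers host; '*' may only replace the whole leftmost label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False               # a wildcard never spans more or fewer labels
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(hosts, cert_sans):
    """Hostnames from `hosts` that no DNS SAN entry of the certificate covers."""
    return [h for h in hosts if not any(san_matches(s, h) for s in cert_sans)]

def fetch_sans(host, port=443, timeout=5):
    """Connect with SNI set to `host`; return the DNS SANs of the certificate served.
    Raises ssl.SSLCertVerificationError if the server answers with the wrong certificate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            sans = tls.getpeercert().get("subjectAltName", ())
            return [value for kind, value in sans if kind == "DNS"]

# Constructed sample data: hostnames on one hosting account and the SAN
# lists of three certificate types (all names are placeholders).
ACCOUNT_HOSTS = ["primarydomain.com", "www.primarydomain.com",
                 "newsite.primarydomain.com", "addon-domain.example"]
SINGLE = ["addon-domain.example"]
WILDCARD = ["*.primarydomain.com"]
MULTI = ["primarydomain.com", "www.primarydomain.com", "addon-domain.example"]

if __name__ == "__main__":
    for label, sans in (("single", SINGLE), ("wildcard", WILDCARD), ("multi", MULTI)):
        print(label, "does not cover:", uncovered_hosts(ACCOUNT_HOSTS, sans))
```

Note that a wildcard for the primary domain covers the subdomain alias of the addon site but neither the addon domain itself nor the bare primary domain.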
Is it possible to host more than one SSL site on the same hosting account?
Yes. You can choose to use a multi-domain or wildcard SSL certificate to secure all of your domains hosted on the same server. If the server supports SNI, you can install independent SSL certificates on the primary and any addon domain on your account. You can also choose to secure subdomain sites with SSL.
Do I need a dedicated IP to install SSL on addon domain?
Yes. You must have 1 dedicated IP address associated with your hosting account. You do not need – and usually you can’t get – a second IP address in order to install a second SSL certificate.
Do all servers support SNI?
No. While this feature is widely supported by up-to-date servers, there is no guarantee that a hosting provider is using the latest technology. You should therefore always ask when opening a new hosting account.
Will I experience SSL-inconsistency issues on the primary domain, when installing another SSL certificate on an addon domain?
No. Each certificate is exclusively tied to one domain, meaning that the two certificates won’t interfere on any level.
Will it affect SEO, if I use SNI to install SSL on addon domains?
No. While there are a few browsers that don’t support SNI and will still serve your site as HTTP, search engines accept this method of SSL installation. Therefore, you won’t be punished for it. The only factor that affects SEO is using free or self-signed SSL certificates, as they are considered less reliable.
Does the second SSL certificate cost as much as the first one?
Yes. There is no discount based on the number of certificates you purchase. They are considered unrelated to each other.
What can I do if the server doesn't support SNI?
You cannot install more than one SSL certificate if the server doesn’t support SNI. However, you can choose to use multi-domain or wildcard SSL certificates to secure addon domains.
I am using CDN. Can I still install SSL on an addon domain via SNI?
Yes. CDNs work by caching your static content and serving it to users. CDNs do not control or interfere with domain settings.