Subdomains and SSL for Ecommerce

>>You either need a wildcard SSL certificate, or each domain needs its own certificate.
But could each domain have its own SSL cert but still be on the same IP?  Or is that an impossibility unless you call them using the IP as you mention (which I would not want to do).

Would a wildcard still work if I'm not doing subdomains like "a-hostname.yourdomain.com" and rather using "foobar.com" resolves to "mysite.com/foobar"?  I see that this is possible in the cPanel setup, but don't know how this would affect SSL.

>>I would never trust a web site using a wildcard certificate
Yes, but you're a sage  ;-)  Would others even notice?

>>It might be possible that someone sets up a domain like 'a-hostname-for-attacker.yourdomain.com'
What if I'm the only person administrating the site and have control over all the contents?

> Yes, but you're a sage  ;-)  Would others even notice?
what should a certificate be worth for, if the user is not able to see/identify its value?
Why not writing "everything is secure, don't worry" on your page, it's the same placebo then ;-)
Ask yourself: would you trust if someone presents the printed copy of her passwort with expiration date in 42 years?

> .. could each domain have its own SSL cert but still be on the same IP?
right and wrong
Traditional web servers and SSL are not able to handle multiple certs on the same IP (for example apache's virtual host). There're changes in the SSL/TLS protocol which allows that (sorry, no link handy).

> Would a wildcard still work if I'm not doing subdomains like "a-hostname.yourdomain.com"
yes

> ..  using "foobar.com" resolves to "mysite.com/foobar"?
certificates are for FQDN, mysite.com/foobar is a URL (including a path). Paths are not covered by certificates, only the host.
Maybe this is a acceptable solution for your problem: use paths for each store, but the same FQDN for all, something like:
  store.your.tld/bookshop/
  store.your.tld/gameshop/
  store.your.tld/magic/
...

When I said above using foobar.com resolves to mysite.com/foobar I don't think I explained well.  I meant that foobar.com is set up in cPanel as a subdomain.  You have to tell cPanel in which directory the subdomain contents reside - which would be mysite.com/foobar or mysite.com/foobar.com  So that in the address bar you see foobar.com even if contents is in the mysite.com/foobar/ directory.

So my question was - can subdomains that are set up like this - that actually are completely different domains but on the same account - still use a wildcard cert?

Here's a bit better of an explanation of exactly what I'm trying to accomplish, and perhaps you can tell me how you'd proceed.  I'll leave you alone after this and REALLY appreciate your help here!  You rock.

A manufacturer sells widgets.  He has distributors all over the US that sell the widgets he manufactures.  The manufacturer wants a site where he can sell these widgets in geo-areas that don't have a local distributor. But he wants sites built for all his distributors to sell the widgets too.

They'll all share the same layout with only the logo area changing (and obviously some back-end functionality).  So it makes sense to me, in order to share images, css files, javascript, templates, php stuff, etc. - that they'd all share the same vhost account so that one change will change everyone's and we're not having to constantly update 25 different distributor sites with things like small shifts in layouts or a change in the template or programming stuff.

Function-wise, it'd be fine to have them at widgets.com/florida, widgets.com/tennessee, etc.

However, since distributors are doing in-person sales, they will want to give out business cards that say "floridawidgets.com" and wouldn't necessarily like being widgets.com/florida.

For the most part everyone sells the same thing and I have no problem building the controls.  But it makes sense to me to have everyone on the same vhost account so they can share css files, javascript files, php includes, template layouts, images, etc -- so that one change will change everyone's and we're not having to constantly update 25 different distributor sites.

One final thing to consider is you'll have to excuse my ignorance with terms like vhost and anything apache.  I've never been trained in server admin stuff which is why I can build a complex program, but not have a master's understanding of things like ssl & apache.

So the options as I see it are these, and I'd love for you to either correct me, tell me which you'd use, or suggest something I'm not thinking of that you would do if this were your project:

--Tell the distrib's to get over it and just redirect floridawidgets.com to widgets.com/florida
--Use a wildcard cert and hope that most folks don't check
--Use different hosting accounts and give myself migraines on a daily basis updating everyone's sites

Again thanks SO much for your help here.  Points are yours, I just need a last bit of direction/understanding.  ;-)

Oh and one other consideration - each distributor would need the funds put into their account.  Just in case you were thinking perhaps of a shared checkout (which may still be an option in some way I'm not considering) --- if you buy a widget from the florida distributor, the money would go through his merchant account and not the distributor's.  So we're talking 25 different gateways, too.

> .. o give out business cards that say ..
then they should have the money to buy their own cert, otherwise it's no business (or just monkey business:-)

Anyway.
the SSL extension I mentioned is: TLS Servr Name Indication (SNI)
and can be found here:
http://www.ietf.org/rfc/rfc3546.txt
http://www.ietf.org/rfc/rfc4366.txt

OpenSSL compiled with a special extension does support it. Hence all web servers using OpenSSL should support it too. For an apache example see:
https://sni.velox.ch/

If you have apache, then you can configure virtual hosts for each subdomain where they all share the same IP. If the browser then also supports SNI (see above) then you're done.

(I'm not talking about the vulnerability traps you get with name-based virtual hosts:)

Hope this helps.

It's less about the money to buy their own cert and more about sharing a system as I described.  It's about me managing everyone's site by making changes to one thing rather than to 25 different css files or php scripts.  Many of the customers would have ie6 or windowsXP which all seem unsupported.  So your answer is -- if the TLS / SNI thing isn't going to work -- to have separate accounts/ip's / certs?

I think I'm with you now.  But in the documentation you provided, it mentioned that lots of browsers won't support SNI - such as ie6 and any ie on Win XP -- which seems like there's still enough users to be concerned about.  Am I off base?

you're right
So you get a cheap solution loosing users/customers not willing to pay for new software.
Or you pay per cert and an IP per cert, collecting cheap users too ;-)

Just an idea:
  if the content is the same anyway, and you want to support ancient browsers, how about setting up a default doman which then automatically gets all these users 'cause apache uses the first configured virtual host for SSL if SNI does not work.

haha, well sometimes it has more to do with age or ignorance of target end-market than with cheapness.

>>Or you pay per cert and an IP per cert...
Speaking of ignorance...lemme ask an ignorant question.  I'm not worried about this cost if it's needed -- but is this possible to apply with everyone still sharing the same docroot?

Thanks again for the help.

Subdomains do not work with wildcards.  You would need multiple wildcards or a multi-domain (SAN) certificate to host each name, which would need to be updated with each new addition.

Wildcards work this way:
*.domain.com:
site1.domain.com
site2.domain.com
anothersite.domain.com
customer1.domain.com

it would not work for:
site1.customer1.domain.com
site1.domain2.com

For the subdomain above, you would need *.customer1.domain.com

Another option is that you use one site and then use different virtual directories for each customer, keeping security in mind while setting up each virtual dir.
secure.domain.com/customer1/page.htm
secure.domain.com/customer2/antoherpage.htm

These would only require a standard SSL cert - not a wildcard - for secure.domain.com.  You could use a wildcard as well if you wished.

If you're using cpanel you are probably using apache.  Apache is a bit more configurable so you can point to a specific cert within each site's config, even on the same IP address.  IIS is not so giving in this area.  That could be a shared cert, or it could be a customer-specific standard or wildcard SSL cert, depending on need.  If you can get just one or two names to worry about, then you should be able to use standard ones to keep costs down.  Since is a store portal, you might consider getting an EV (extended validation) cert - those are the ones that turn the address bar green (e.g. paypal).

ahoffman has been patient and answered so much that I need to go ahead and award points.

Here's a link to a new question i just added to continue with new questions that have arisen out of this:
http://www.experts-exchange.com/Networking/Protocols/Application_Protocols/SSL/Q_24758860.html

Thanks!