SNI Best Practice

[enigmait]

Hi,

Is there a best practice for SNI?

i.e my main server is hosted on ip 1.1.1.1 (not my real IP) and uses SSL to host the cpanel interfaces.

Shall I use a separate IP to host all the SNI websites that need certificates i.e 2.2.2.2 or put it all to the primary ip of 1.1.1.1?

 

[cPanelMichael]

Hello,

Here's a brief overview from our SSL FAQ document that explains how SNI support works:

SNI (Server Name Indication) support allows you to host multiple SSL certificates for different domains on the same IP address. At the start of the "handshake" process, SNI indicates the hostname to which the client connects. Users who are on shared servers that support SNI can install their own certificates without a dedicated IP address.

You can use the same IP address for multiple SSL certificates. The main caveat most people notice with SNI is that SSL becomes accessible for all domain names on the IP address, even if no SSL certificate is installed for the domain name:

My certificate installed, but visitors who try to securely access other sites on the shared IP address can only see the site with an installed SSL certificate, not my default domain.

Thank you.