
Best Practices for SSL Certificates


If you’re implementing SSL on your site, you want to do it in the best way possible. Take a look at our best practices list below to see what you should (and shouldn’t) do while setting up your SSL certificate.

A site that has been correctly set up using SSL should fall into one of two categories:

  • The site has its own dedicated, not-shared IP address
  • The site shares an IP address with other sites that are SSL-enabled

When you add a domain to your hosting account, you must choose a type of IP hosting for the domain. One of these options is a dedicated IP. A dedicated IP address is wholly devoted to your domain and all of its resources will be dedicated to the domain's use.

Consequently, having a dedicated IP address gives your domain more power. However, another IP hosting option is to share a dedicated IP address between one or more domains. This is a shared IP address. For more information on the different types of IP hosting, check out our article What Types of Domain Hosting are Available.

Which one is your site?

So which camp does your site fall under? If you don’t know, you will need to check your domains. You can do this by going to the Account Control Center, clicking Domains in the left sidebar, then clicking Manage Your Domains in the drop-down.

This will take you to the Domain Name interface. Your domains will be listed here, along with the type of IP address each domain is using.

If you click the name of a domain using a Shared IP, you will be able to see which domain’s IP address it is sharing.

This way, you can find out whether or not your domain is sharing an IP address.

Why does this matter?

Errors can happen if an IP address is shared, but not all domains have the same configuration. Ideally, all the domains sharing an IP address should match: either all of them have SSL certificates or none of them do. The errors happen when you have a combination of some domains with SSL and some without on the same IP address.

This is because SSL certificates use port 443, which allows for encryption. The server knows to use port 443 when the URL begins with HTTPS. However, if there is no SSL certificate on a domain, the URL will begin with HTTP and use port 80.

Things get tricky when there is a combination of SSL-using and non-SSL-using domains on a single IP address. If a visitor attempts to use HTTPS to connect to a domain on the IP that doesn’t have SSL, the server can get confused and potentially send the visitor to the wrong domain.

For example, let’s say your domain shares an IP address with two other domains. One domain has an SSL certificate, but the two other domains do not.

If someone tries to go to the HTTPS version of one of the shared domains that do not have an SSL certificate, the server may accidentally send them to the domain that does have SSL.

However, if all domains that are sharing the IP address have an SSL certificate, the server will be able to distinguish between each domain and accurately direct traffic.

Configurations

If you have a shared IP address, make sure that all the domains match: either all domains have SSL certificates or all domains do not.

Good Configuration Examples:

Here are some examples of configurations that would work without errors.

| Domains | SSL Certificate | IP Address |
|---|---|---|
| domain1.com | No SSL | 1.2.3.4 |
| domain2.com | No SSL | 1.2.3.4 |
| domain3.com | No SSL | 1.2.3.4 |
| domain4.com | No SSL | 1.2.3.4 |

No errors are introduced because all of the domains above share the same IP address and do not have any SSL certificates configured.

| Domains | SSL Certificate | IP Address |
|---|---|---|
| domain1.com | SSL | 1.2.3.3 |
| domain2.com | SSL | 1.2.3.3 |
| domain3.com | SSL | 1.2.3.3 |

No errors are introduced because all the domains above have the same IP address and have an SSL certificate.

| Domains | SSL Certificate | IP Address |
|---|---|---|
| domain1.com | SSL | 1.2.3.5 |
| domain2.com | No SSL | 1.2.3.4 |
| domain3.com | SSL | 1.2.3.5 |
| domain4.com | No SSL | 1.2.3.4 |

No errors are introduced because domain1 and domain3 share one IP address and both have SSL certificates, while domain2 and domain4 share a different IP address and have no SSL certificates.

Bad Configuration Examples:

Here are some examples of configurations that could result in errors and should be avoided.

| Domains | SSL Certificate | IP Address |
|---|---|---|
| domain1.com | SSL | 1.2.3.5 |
| domain2.com | No SSL | 1.2.3.5 |
| domain3.com | SSL | 1.2.3.5 |

This configuration would generate errors because domain2 has no SSL certificate, while domain1 and domain3 do have SSL certificates. If domain2 was moved to another IP address, then no errors would be generated on this IP address.

Be sure to move domain2 to its own IP address or an IP address that is only shared with domains that do not have SSL certificates.

| Domains | SSL Certificate | IP Address |
|---|---|---|
| domain1.com | No SSL | 1.2.3.6 |
| domain2.com | No SSL | 1.2.3.6 |
| domain3.com | SSL | 1.2.3.6 |

This domain setup would generate errors because the domains sharing the IP address do not have the same SSL configuration. domain3 has an SSL certificate, while domain1 and domain2 do not. Moving domain3 to a new IP address would solve the problem on this IP address.

You would need to make sure you move domain3 to its own IP address or one that only shares with domains that also have SSL certificates.
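The matching rule can be checked mechanically across a list of domains. The following is an added example, not code from this article or the hosting provider: the inventory is constructed from the tables above, and the fallback behaviour in https_responder (an HTTPS request for a name with no SSL site is answered by the first SSL-enabled site on the same IP address) is an assumption about how the server behaves.

```python
from collections import defaultdict

# Constructed inventory (domain, has_ssl, ip): the first "bad" table above
# plus two non-SSL domains that correctly share a separate IP address.
INVENTORY = [
    ("domain1.com", True, "1.2.3.5"),
    ("domain2.com", False, "1.2.3.5"),
    ("domain3.com", True, "1.2.3.5"),
    ("domain4.com", False, "1.2.3.4"),
    ("domain5.com", False, "1.2.3.4"),
]

def group_by_ip(inventory):
    """Map each IP address to the (domain, has_ssl) pairs hosted on it."""
    by_ip = defaultdict(list)
    for domain, has_ssl, ip in inventory:
        by_ip[ip].append((domain, has_ssl))
    return dict(by_ip)

def https_responder(domain, sites):
    """Return the site that answers https://<domain> on this IP, or None.

    Assumption: a request for a name with no SSL site falls back to the
    first SSL-enabled site on the same IP; if the IP has no SSL site at
    all, nothing answers on port 443.
    """
    ssl_sites = [d for d, has_ssl in sites if has_ssl]
    if domain in ssl_sites:
        return domain
    return ssl_sites[0] if ssl_sites else None

def audit(inventory):
    """Return {ip: {"misrouted": {...}, "move": [...]}} for mixed IPs only."""
    findings = {}
    for ip, sites in group_by_ip(inventory).items():
        # A non-SSL domain is misrouted when some other site answers for it.
        misrouted = {d: https_responder(d, sites) for d, has_ssl in sites
                     if not has_ssl and https_responder(d, sites)}
        if misrouted:
            with_ssl = [d for d, has_ssl in sites if has_ssl]
            without = [d for d, has_ssl in sites if not has_ssl]
            # Moving the smaller group touches the fewest domains.
            move = without if len(without) <= len(with_ssl) else with_ssl
            findings[ip] = {"misrouted": misrouted, "move": move}
    return findings

if __name__ == "__main__":
    print(audit(INVENTORY))
```

Only 1.2.3.5 is reported: the all-non-SSL group on 1.2.3.4 is consistent, so no HTTPS request there can land on another customer's site.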

How to Fix a Bad Configuration

If you have a combination of SSL-using and non-SSL-using domains, there are generally two ways to fix it. You can move one group of matching domains to another IP address or you can generate/remove SSL certificates for the rest of the domains so they all match. You can manage your SSL certificates in the Manage Your SSL interface in the Account Control Center.

To find the Manage Your SSL Interface:

  1. Log in to the Account Control Center
  2. Click Security in the left sidebar, then click Manage Your SSL in the drop-down

To move domains to another IP address, you can edit the hosting type of the domain. You can switch the domains to share another dedicated IP address that matches the same SSL configuration. If you do not have another domain with a dedicated IP address and the same SSL configuration, you may want to instead change one of the shared domains to a dedicated domain.

For more information about changing hosting type, see our article How to Change Your Domain’s Hosting Type.

Updated on August 16, 2019
