Does each subdomain need its own SSL certificate?

Do You Need an SSL Cert for Each Subdomain

Yes and no, it depends. Your standard SSL certificate will be for a single domain, say ‘www.domain.com’. There are different types of certs you can get aside from the standard single domain cert: wildcard and multi domain certs.

A wildcard cert will be issued for something like ‘*.domain.com’ and clients will treat this as valid for any hostname one label below ‘domain.com’, such as ‘www.domain.com’ or ‘ws.domain.com’ (but not the bare ‘domain.com’ itself, and not deeper names like ‘a.b.domain.com’).

A multi domain cert is a cert that is valid for a predefined list of domain names. It does this by using the Subject Alternative Name (SAN) field of the cert. For example, you could tell a CA that you want a multi domain cert for ‘domain.com’ and ‘ws.mysite.com’; the names do not even have to share a parent domain. This would allow the one cert to be used for both domain names.

If neither of these options works for you, then you would need two different SSL certs.
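To make the name-matching rules concrete, here is an added example (not code from the original post) that mimics how a client checks a requested hostname against the names in a certificate. The certificate contents are constructed: one wildcard cert for ‘*.domain.com’ and one multi domain (SAN) cert for ‘domain.com’ and ‘ws.mysite.com’, matching the examples above.

```powershell
# Added example, not from the original post. Implements the public-CA/browser
# matching rules: a SAN entry matches exactly, and a wildcard '*.domain.com'
# covers exactly one label (www.domain.com, ws.domain.com) but neither the bare
# 'domain.com' nor deeper names such as 'a.b.domain.com'.
function Test-CertNameMatch {
    param(
        [Parameter(Mandatory)] [string]   $Hostname,   # name the client asked for
        [Parameter(Mandatory)] [string[]] $CertNames   # SAN dNSName entries (or the CN)
    )
    $requested = $Hostname.ToLowerInvariant().TrimEnd('.')
    foreach ($name in $CertNames) {
        $pattern = $name.ToLowerInvariant().TrimEnd('.')
        if ($pattern -eq $requested) { return $true }          # exact SAN match
        if ($pattern.StartsWith('*.')) {
            $suffix = $pattern.Substring(2)                     # e.g. 'domain.com'
            $labels = $requested -split '\.'
            # The wildcard stands in for the leftmost label only, so the
            # remaining labels must equal the suffix exactly.
            if ($labels.Count -ge 2 -and
                (($labels[1..($labels.Count - 1)]) -join '.') -eq $suffix) {
                return $true
            }
        }
    }
    return $false
}

# Constructed certificate name lists (not real certificates)
$wildcardCert = @('*.domain.com')
$sanCert      = @('domain.com', 'ws.mysite.com')

foreach ($h in 'www.domain.com', 'ws.domain.com', 'domain.com', 'a.b.domain.com', 'ws.mysite.com') {
    '{0,-16} wildcard cert: {1,-5} SAN cert: {2}' -f $h,
        (Test-CertNameMatch -Hostname $h -CertNames $wildcardCert),
        (Test-CertNameMatch -Hostname $h -CertNames $sanCert)
}
```

Running it shows the practical consequence of each cert type: ‘www.domain.com’ and ‘ws.domain.com’ are covered only by the wildcard cert, ‘domain.com’ and ‘ws.mysite.com’ only by the SAN cert, and ‘a.b.domain.com’ by neither, which is exactly the case where you end up needing another certificate.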

Do I Need a Dedicated IP for Each Subdomain

Again, this is a yes and no…it all depends on your web/application server. I am a Windows guy, so I will answer with IIS examples.

If you are running IIS7 or older, then you are forced to bind SSL certs to an IP and you cannot have multiple certs assigned to a single IP. This means you need a different IP for each subdomain if you are using a dedicated SSL cert for each subdomain. If you are using a multi domain cert or a wildcard cert, then you can get away with a single IP as you only have one SSL cert to begin with.

If you are running IIS8 or later, then the same applies by default. However, IIS8+ includes support for something called Server Name Indication (SNI). SNI allows you to bind an SSL cert to a hostname, not to an IP. The hostname (server name) that the client sends when it makes the request is used to indicate which SSL cert IIS should use for that request.

With SNI you can keep a single IP and configure each website to respond to requests for its specific hostname, each with its own cert.
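As an added example (not part of the original post), this is what the IIS8+ SNI setup described above looks like when scripted: two sites, each with its own dedicated cert, sharing one IP on port 443. The site names, hostnames and the certificate thumbprints are placeholders you would replace with your own; it assumes the WebAdministration module is available and that both certificates are already installed in the machine store.

```powershell
# Added example, not from the original post. Binds one certificate per hostname
# on a shared IP using SNI (SslFlags = 1). Run in an elevated PowerShell on IIS 8+.
# Site names, hostnames and thumbprints below are placeholders.
Import-Module WebAdministration

$bindings = @(
    @{ Site = 'WwwSite'; HostName = 'www.domain.com'; Thumbprint = 'THUMBPRINT_OF_WWW_CERT' },
    @{ Site = 'WsSite';  HostName = 'ws.domain.com';  Thumbprint = 'THUMBPRINT_OF_WS_CERT'  }
)

foreach ($b in $bindings) {
    # Fail early if the certificate is not in the local machine personal store
    $cert = Get-Item "Cert:\LocalMachine\My\$($b.Thumbprint)" -ErrorAction Stop

    # HTTPS binding on the shared IP (*) and port 443, keyed by hostname.
    # SslFlags 1 enables SNI; without it IIS would not accept a second
    # certificate on the same IP:port.
    New-WebBinding -Name $b.Site -Protocol https -Port 443 -IPAddress '*' `
                   -HostHeader $b.HostName -SslFlags 1

    # Attach this site's certificate to its hostname binding
    $binding = Get-WebBinding -Name $b.Site -Protocol https -HostHeader $b.HostName
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Check the result: each hostname:port entry should show a different certificate hash
netsh http show sslcert | Select-String 'Hostname:port|Certificate Hash'
```

One thing to keep in mind: a client that does not send SNI gives IIS nothing to pick a cert by, so if you still have to support such clients you also need a conventional IP-bound binding for them to fall back on.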

I know that Apache and Tomcat also have support for SNI, but I am not familiar enough with them to know which versions support it.

Bottom Line

Your application/web server and the type of SSL certs you are able to obtain will dictate your options.