CDN SSL Certificates
OnApp customers can import their own SSL certificates with the Server Name Indication (SNI) extension.
SSL Type | CDN Hostname | SSL Ownership | Supported Browsers* | Price |
Shared | limited to *.r.worldcdn.net | OnApp Owned | Ancient and Current | 0 |
SNI | Follows CDN Hostname | Bring Your Own | Current | 0 |
CloudSSL | Follows CDN Hostname | OnApp Owned | Ancient and Current | $600 |
SNI lets the client specify the hostname it is trying to reach at the start of the handshaking process. SNI is supported by most modern browsers, and provides an efficient way to deliver content over HTTPS using your own domain and SSL certificate. Custom SNI SSL relies on the SNI extension of the Transport Layer Security protocol, which allows multiple domains to serve SSL traffic over the same IP address by including the hostname viewers are trying to connect to.
Previously, OnApp applied a SAN SSL certificate from a certificate authority, to which additional certified domains can be added. This allowed you to host several domains on one IP by sharing the same certificate, and add all domains to this IP. However, the number of domains per SAN certificate is limited. Moreover, the certificate's size increases as more domains are added, which causes additional bandwidth to be used for the SSL handshake.
Currently, OnApp applies the CloudSSL+SNI solution. Users can import custom SNI SSL certificates into the system or request SSL to be enabled for their CDN resource. One SSL certificate can be associated with several CDN resources, but a resource can only be linked to one SSL certificate. Removal of a CDN resource does not affect the status of the SSL certificate associated with the CDN resource. However, some of the older browsers do not support SNI. In this case, users who prefer browsers that do not support SNI can purchase an SSL certificate, and the SAN solution will be applied. For questions about the SSL certificate purchase, please contact OnApp support.
For the list of browsers that do not support SNI, kindly refer to the Server Name Indication article.
OnApp currently supports the following types of certificates:
- domain-validated (DV) certificates (example.com)
  - single certificate
  - wildcard certificate (*.example.com)
  - SAN certificate (any domains)
- organization validation (OV) certificates
  - single certificate
  - wildcard certificate (*.example.com)
  - SAN certificate (any domains)
- extended validation (EV) certificates
  - single certificate
  - wildcard certificate (*.example.com)
  - SAN certificate (any domains)
- high-assurance certificates

- This feature is available for HTTP Pull and HTTP Push resources only.
- To add a custom SNI SSL certificate, the user needs to have the CDN SSL Certificates permissions enabled.
- Custom SNI SSL certificates can be used for secondary hostnames.
- A custom SNI SSL certificate can only be associated with a CDN resource if the certificate and the resource have the same owner. The drop-down list of SSL certificates in the CDN resource creation wizard shows only the certificates of the user who will be the resource owner.
- When a custom SNI SSL certificate is associated with a CDN resource, the certificate applies only to the edge servers subscribed to that resource.