For DNS and SSL, do I need a separate certificate for every (DNS RR) A record?

Tags: cname-record, domain-name-system, ssl, subdomain

So our firm wants to separate out our cloud servers into separate environments, so www.example.com, test.example.com and dev.example.com. [We may even want to break our subdomains into further sub-domains.] My boss wants to know how many certificates (for SSL) the firm will need.

I have delved into subdomains and it looks like a question of DNS RR (Domain Name Server Resource Records). I have seen notes about A records and CNAME records and how they interplay. I am thinking that a mixture of A and CNAME records should suffice to separate out our namespace.

What of the certificates, though: do we need an SSL certificate for every A record? My boss is keen to reduce cost (as are all bosses).

Best Answer

For each identity that one of your servers will assume (that is, each name a server will identify itself as), you'll need to have a certificate that matches that identity. An identity doesn't necessarily equal a DNS entry, but in cases when it does (such as web servers), it makes no difference whether the entries are CNAME or A (or even AAAA) records.

To make things a bit more complicated to understand, you don't necessarily need a different certificate for each identity. One single certificate may certify many identities (one primary and several alternate), and there are also the so-called wildcard certificates that can be used for any subdomain of a given domain (e.g. if you have a wildcard certificate for *.example.com, you can use it for www.example.com and anythingyouwant.example.com without having to have either of those two names explicitly listed in the certificate). However, wildcard certificates are more expensive than regular ones. While regular certs usually cost a couple of tens of dollars, a wildcard cert typically goes for hundreds. Note that there are some certification authorities that will give you free regular certificates with certain limitations (for example, StartCom's basic StartSSL certificates are free, but can contain only two names, one of which has to be the root domain).

In your example, you have 3 identities (these are www.example.com, test.example.com, and dev.example.com). For you, for now, I'd recommend getting 3 free certificates. If you ever get to the point where you need 20-30 different certs, you should consider buying a wildcard cert, as the costs (of the work hours) of having to renew 20-30 expiring certs manually each year would be higher than that of a wildcard cert.
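The answer's point is that what matters is whether a name a server presents is covered by one of the names in the certificate (the primary name, any alternate names, or a wildcard), not how the DNS record that resolves it is written. The following is an added example, not code from the answer's author, that applies the name-matching rules a TLS client uses to a set of constructed certificate layouts for the three hosts in the question, plus an apex name and a deeper subdomain. The hostnames, certificate labels and name lists are all assumptions made up for the illustration; the matching rules follow RFC 6125 style behaviour (case-insensitive, wildcard only as the whole leftmost label, matching exactly one label).

```python
"""Which hostnames does a certificate's list of names cover?

Added example, not part of the original thread. The certificate name lists
below are constructed for illustration. Matching rules follow what common
TLS clients do (RFC 6125 style): comparison is case-insensitive, a wildcard
must be the entire leftmost label, it may not sit at the root (so "*.com"
is rejected), and it matches exactly one label. Hence "*.example.com"
covers "www.example.com" but neither "example.com" nor "api.dev.example.com".
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate name (CN or SAN dNSName) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Strict wildcard policy: only "*" as the whole leftmost label, at least two
    # labels to its right (no "*.com"), and no wildcards anywhere else.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # The "*" stands for exactly one label, so label counts must be equal.
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def covered_by(cert_names, hostname: str) -> bool:
    """True if any name in the certificate covers hostname."""
    return any(hostname_matches(name, hostname) for name in cert_names)


def plan_certificates(hostnames, certificates):
    """Assign each hostname to the first certificate whose names cover it.

    certificates: dict of certificate label -> list of names (CN plus SANs).
    Returns (assignment dict hostname -> label, list of uncovered hostnames).
    """
    assignment = {}
    uncovered = []
    for host in hostnames:
        for label, names in certificates.items():
            if covered_by(names, host):
                assignment[host] = label
                break
        else:
            uncovered.append(host)
    return assignment, uncovered


# Constructed sample hostnames: the three from the question, the apex name,
# and a deeper subdomain of the kind the question says may come later.
HOSTS = [
    "www.example.com",
    "test.example.com",
    "dev.example.com",
    "example.com",
    "api.dev.example.com",
]

# Three hypothetical certificate layouts (labels and name lists are made up).
THREE_SINGLE_CERTS = {
    "cert-www": ["www.example.com"],
    "cert-test": ["test.example.com"],
    "cert-dev": ["dev.example.com"],
}
ONE_SAN_CERT = {
    "cert-san": ["example.com", "www.example.com",
                 "test.example.com", "dev.example.com"],
}
ONE_WILDCARD_CERT = {
    "cert-wildcard": ["*.example.com"],
}


if __name__ == "__main__":
    for title, certs in [("three single-name certs", THREE_SINGLE_CERTS),
                         ("one multi-name (SAN) cert", ONE_SAN_CERT),
                         ("one wildcard cert", ONE_WILDCARD_CERT)]:
        assignment, uncovered = plan_certificates(HOSTS, certs)
        print(f"{title}: covered {assignment}, uncovered {uncovered}")
```

Running it shows the two things a practitioner wants before telling the boss a number: a single multi-name certificate covers all three environment hosts (and the apex, if listed), while a `*.example.com` wildcard covers the three hosts but not `example.com` itself and not `api.dev.example.com`, so deeper subdomains need their own names or a `*.dev.example.com` wildcard.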