UCC SSL Certificate
What is a UCC SSL Certificate?
UCC stands for Unified Communications Certificate. A UCC SSL certificate secures multiple domains and subdomains with a single SSL certificate, unlike a traditional single domain SSL certificate which secures only one fully qualified domain name (FQDN).
For example, a UCC SSL certificate can secure:
- example.com
- www.example.com
- mail.example.com
- login.example.com
- images.example.com
With traditional single domain SSL certificates, you would need to purchase 5 separate certificates, one for each of those domains and subdomains.
The technical term for UCC SSL certificates is Subject Alternative Name (SAN) certificates. The SAN extension allows specifying multiple domain names that are secured by the SSL certificate.
How Does a UCC SSL Certificate Work?
A UCC SSL certificate works by using the Subject Alternative Name (SAN) extension to specify multiple domain names that are protected by the certificate.
Here is a simplified explanation of how a UCC SSL certificate works:
- The certificate applicant provides the list of domains and subdomains to be included in the UCC SSL certificate to the Certificate Authority (CA).
- The CA generates a certificate with the provided domain names included in the SAN extension.
- The CA signs and issues the certificate to the applicant.
- The applicant installs the UCC SSL certificate on the web server.
- When a user visits any of the domains specified in the SAN extension, the browser recognizes that the site is secured by that UCC SSL certificate.
- The browser sets up an encrypted SSL/TLS connection to securely transmit data between the server and browser.
- The browser checks that the domain name accessed matches one of the domain names in the certificate, establishing trust in the identity of the website.
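The name check in the last step, as an added example (not code from this page, a browser or a CA): a Python matcher that compares a requested hostname against a certificate's SAN dNSName entries using the RFC 6125 rules for exact names and left-most-label wildcards. It goes slightly beyond the steps above by also handling the wildcard entries compared later on this page; the function names and SAN lists are constructed for illustration.

```python
from typing import List, Optional

def _labels(name: str) -> List[str]:
    """Lower-case a DNS name, drop a trailing dot, and split into labels."""
    return name.lower().rstrip(".").split(".")

def san_entry_matches(host: str, entry: str) -> bool:
    """True if one SAN dNSName entry covers host.

    A wildcard is honoured only as the complete left-most label and stands
    for exactly one label, so *.example.com covers mail.example.com but
    neither example.com nor a.b.example.com.
    """
    h, e = _labels(host), _labels(entry)
    if len(h) != len(e) or "" in h:
        return False
    if e[0] == "*":
        # Simplification: require two fixed labels after the wildcard
        # (rejects "*.com"); real clients consult a public-suffix list.
        return len(e) >= 3 and h[1:] == e[1:]
    # Partial wildcards such as "w*.example.com" are rejected outright.
    return "*" not in entry and h == e

def covered_by(host: str, sans: List[str]) -> Optional[str]:
    """Return the first SAN entry that covers host, or None."""
    return next((s for s in sans if san_entry_matches(host, s)), None)

def uncovered(hosts: List[str], sans: List[str]) -> List[str]:
    """Hosts a server answers for that the certificate does not cover."""
    return [h for h in hosts if covered_by(h, sans) is None]

# SAN list of a constructed UCC certificate (explicit names only).
UCC_SANS = ["example.com", "www.example.com", "mail.example.com",
            "login.example.com", "images.example.com"]
# SAN list of a constructed wildcard certificate.
WILDCARD_SANS = ["*.example.com"]

if __name__ == "__main__":
    # Constructed list of hostnames a server is expected to answer for.
    served = ["example.com", "mail.example.com", "blog.example.com",
              "a.b.example.com"]
    print("UCC gaps:     ", uncovered(served, UCC_SANS))
    print("wildcard gaps:", uncovered(served, WILDCARD_SANS))
```

Running `uncovered()` over the hostnames a server actually answers for, before installing a certificate, shows which names would trigger a browser name-mismatch warning.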
Benefits of UCC SSL Certificates
UCC SSL certificates provide several advantages over traditional single domain SSL certificates:
Secure multiple domains and subdomains
The key benefit of UCC SSL certificates is the ability to secure multiple domains and an unlimited number of subdomains with a single SSL certificate. This eliminates the need to purchase separate SSL certificates for each domain and subdomain.
Cost savings
Purchasing a single UCC SSL certificate for multiple domains is much cheaper than buying individual SSL certificates for each domain. The savings come from paying only one certificate fee.
Easier SSL certificate management
Managing multiple separate SSL certificates can be complex and cumbersome. With a UCC certificate, you only need to manage a single certificate for all your domains, which simplifies SSL certificate administration and renewal.
Flexibility to add or remove domains
UCC SSL certificates provide more flexibility to add or remove domains from your certificate. You can generate a new certificate with updated domains when you need to add or change domains.
Improved hosting environment compatibility
Some hosting environments like load balancers and reverse proxies require using a single SSL certificate across multiple domains. UCC SSL certificates are compatible with these environments.
Better site visitor trust and conversion
Securing all your domains with SSL certificates shows site visitors that you take security seriously. It establishes trust and may improve conversions.
Difference Between UCC SSL Certificates and Wildcard SSL Certificates
UCC SSL certificates are sometimes confused with wildcard SSL certificates, but there are some key differences:
Number of Domains Secured
- Wildcard SSL certificates secure unlimited subdomains of one base domain – e.g. *.example.com.
- UCC SSL certificates can protect multiple main domains and their subdomains – e.g. example.com, abc.com, mail.example.com.
Adding or Changing Domains
- With a wildcard SSL certificate, you cannot add new base domains – only subdomains of the original domain.
- UCC SSL allows you to add or remove main domains more flexibly when you renew the certificate.
Browser Compatibility
- Older browsers may not recognize wildcard SSL certificates properly. This can result in certificate warnings.
- UCC SSL certificates have wider browser support and generally do not have compatibility issues.
Level of Trust
- Because a wildcard SSL certificate secures an unlimited number of subdomains, it may be seen as less trustworthy by end users.
- UCC SSL certificates explicitly list all secured domains, so they provide clearer validation and trust.
Cost Differences
- Wildcard SSL certificates typically cost more than UCC SSL certificates for the same number of domains.
- However, if you need to secure a very large number of subdomains, wildcards may be cheaper.
What Domains Can Be Added to A UCC SSL Certificate?
UCC SSL certificates are very flexible in the domains that can be added to them, with just a couple of restrictions:
You own or control the domains
All domains added to a UCC SSL certificate must be domains that you own or control. The Certificate Authority will check domain ownership and control as part of the validation process before issuing the certificate.
Domains must be at the same level as or below your main domain
The Certificate Authority allows domains and subdomains that are at the same level as your main domain or below it.
For example, if your main domain is example.com, you can include:
- example.com
- www.example.com
- images.example.com
- blog.example.com
But you cannot include a completely different second-level domain like abc.com, because it is not under your main domain.
A single UCC SSL certificate typically can contain domains across these levels:
- Primary domain – example.com
- Level 1 subdomain – www.example.com
- Level 2 subdomains – login.example.com
- Up to 5-10 subdomains depending on the CA
Some CAs may allow adding second-level domains owned by the same organization, but domain control for all domains must still be verified.
Overall, you have flexibility in adding multiple subdomains across levels under your main registered domain.
Validation Process of Unified Communications Certificate
All SSL certificates go through a domain validation process before being issued by the Certificate Authority (CA). This helps establish that the certificate applicant legitimately owns or controls the domains being secured by the SSL certificate.
Here are the typical steps in the UCC SSL certificate validation process:
Domain ownership verification
The CA will verify that you own or control all the domains being included in the UCC SSL certificate using one or more methods:
- Email verification – The CA sends an email to the contact addresses listed in the WHOIS domain registration records for each domain requesting confirmation.
- Domain authentication – The CA provides a unique token or hostname that must be placed in the DNS records of each domain to confirm control.
- File verification – The CA requires uploading a specific file to the host server or website root folder to validate domain control.
Organization authentication
For Extended Validation (EV) UCC SSL certificates, the CA does thorough background checks to authenticate the identity and legal registration status of the applicant organization.
Issuing process
Once all domains in the UCC SSL certificate have been validated and the organization has been authenticated, the CA generates the certificate with the requested domains in the Subject Alternative Name (SAN) extension.
The certificate is digitally signed by the CA’s root certificate and delivered to the applicant for installation.
Revocation checks
The CA may periodically check if domains are still under the applicant’s control or if the certificate has been revoked for any reason. If domains are no longer controlled, they may be removed upon renewal.
Proper validation establishes trust in the domains protected by the UCC SSL certificate when used on a website.
Which Web Servers Support UCC SSL Certificates?
UCC SSL certificates are supported by all major web servers, including:
- Apache
- Nginx
- Microsoft IIS
- Tomcat
- Google Servers
- Zeus
- Sun Java System
- iPlanet
The universal server support for UCC certificates comes from adherence to the RFC 6125 internet standard. This standard specifies how servers should handle certificates with Subject Alternative Names.
As long as your web server supports SSL/TLS implementation compliant with RFC 6125, it can validate and use a UCC SSL certificate. Most current web servers properly support SAN certificates.
The process to install and configure a UCC SSL certificate is the same as installing a regular single domain SSL certificate on each web server platform. You simply paste the UCC certificate files from the CA rather than a single domain certificate.
However, older web server software versions may have bugs or limitations around handling UCC certificates and multiple SAN entries. Check your web server’s SSL documentation to confirm UCC certificate support if using older server software.
What is the Cost of UCC SSL Certificates?
UCC SSL certificates typically cost more than a standard single domain SSL certificate, but less than purchasing multiple separate SSL certificates.
Some factors that influence UCC SSL certificate pricing:
- Number of domains – More domains in the certificate generally cost more.
- Validation level – Domain validated (DV) certificates cost less than organization validated (OV) certificates. Extended validation (EV) certificates are most expensive.
- Provider reputation – Certificates from top providers like DigiCert or Comodo carry a premium.
- Term length – Longer terms like 2 or 3 years are more expensive than 1 year certificates, but the annual cost is lower.
- Support levels – Certificates with full phone and email support cost more than fully automated certificates.
- Business validation – Some providers offer business validated certificates that require company identity verification.
Major UCC SSL Certificate Providers
While there are dozens of SSL providers globally, these are some of the top UCC SSL certificate providers to consider:
DigiCert
DigiCert is the world’s leading SSL certificate provider, used by over 50% of the Fortune 500. They offer highly trusted domain and organization validated UCC certificates with strong support options.
Comodo
Comodo is another top global SSL provider, known for affordable domain validated certificates and great customer support. Their UCC SSL certificates offer good value.
GlobalSign
GlobalSign is a respected CA that provides UCC SSL certificates with a wide range of validation levels. They also offer secure code signing certificates.
Entrust
Entrust Datacard is a longstanding CA that provides UCC SSL certificates backed by strong identity verification practices and encryption technologies.
Symantec
Now part of DigiCert, Symantec SSL certificates come with the Norton Secured seal for strong trust and conversion impact. Their NetSure protection warranty covers losses from security breaches.
RapidSSL
RapidSSL is focused on budget-friendly domain validated UCC SSL certificates while still maintaining strong security and encryption.
Sectigo
Sectigo (formerly Comodo) has a wide selection of SSL certificates including basic cost-effective UCC certificates as well as premium certificates.
Make sure to compare pricing, validation levels, customer service, and other features when choosing a UCC SSL certificate provider.
Revoking or Reissuing a UCC SSL Certificate
Occasionally you may need to revoke and reissue a UCC SSL certificate, such as when domains change or the certificate is compromised.
Revoking a certificate
You can revoke a UCC SSL certificate through your CA account dashboard. Revocation tells web browsers the certificate should no longer be trusted. Reasons for revoking include:
- One or more domains no longer owned or controlled
- Key compromise or website security breach
- Company is rebranding with a new domain
- Business is closed or certificate no longer needed
Reissuing a certificate
If you need to modify the list of domains in your UCC SSL certificate, or replace a revoked certificate, you can request a certificate reissue:
- Log in to your CA account and request reissuance with the updated domain list.
- The CA will go through the standard validation process to verify domain control.
- Once validated, the CA generates and provides a new UCC SSL certificate file with the updated domains.
- Install the new certificate file on your web server to replace the old certificate.
Frequently Asked Questions
How many domains can be added to a UCC SSL certificate?
Most standard UCC SSL certificates can include around 10-25 domains depending on the provider. Some CAs may allow adding more domains for higher tier certificates.
Do all domains in a UCC certificate need to use the same server?
No, the domains in a UCC SSL certificate can use different web servers. The only requirement is that the certificate is installed on each server.
Can I create subdomains after purchasing a UCC certificate?
Yes, you can freely add new subdomains after issuing the UCC SSL certificate without needing to reissue the cert. The certificate secures any matching subdomain.
What is the key size for UCC SSL certificates?
Most providers issue UCC SSL certificates with 2048-bit RSA keys. Some providers may offer higher bit keys like 4096-bit for higher security.
Can I reuse a previous SSL certificate after adding/removing domains?
No, UCC SSL certificates must be reissued as fully new certificates when domains change. You cannot simply reuse the existing .CRT and .KEY files.
What is the difference between SAN and UCC certificates?
SAN and UCC refer to the same type of multi-domain SSL certificate. SAN means Subject Alternative Name, while UCC means Unified Communications Certificate.
This covers the key things you need to know about UCC SSL certificates! By securing multiple domains with one UCC SSL cert, you can save on costs while still maintaining strong SSL security across your website.