Why isn’t it possible to use a CNAME redirect with HTTPS

Collectives™ on Stack Overflow

Find centralized, trusted content and collaborate around the technologies you use most.

Learn more about Collectives

Teams

Q&A for work

Connect and share knowledge within a single location that is structured and easy to search.

Learn more about Teams I guess it's for additional security. I don't know who enforces this though - the DNS, the browser, or Google – Pekka Feb 15, 2012 at 13:26 In addition to the answer below about multi-domain certs, it is also possible if you are using a service such as Cloudflare, which besides providing a DNS service also acts as a HTTP(S) proxy and terminates (decrypts) the SSL connection from the client before making its own (either HTTP or HTTPS - depending on settings) connection to the server and forwarding the content. – Danra Jan 29, 2019 at 12:56

Assume you have a CNAME record:

travel-maps.example.com CNAME c.commondatastorage.googleapis.com.
Browser resolves name travel-maps.example.com and gets IP for c.commondatastorage.googleapis.com, then connects to port 443 of this address. 
Server with this IP couldn't possibly[1] have proper certificate for travel-maps.example.com (and all other domain names with CNAME records like this). Only example.com domain owner could get a trusted cert for his own domain.
[1] Unless you uploaded the certificate to the CDN network which is a common feature nowadays.
                as Apache can distinguish what domain the browser is surfing on (with VirtualHost), why can’t it just serve the appropriate certificate for each one?
– qdii
                Feb 15, 2012 at 14:15
                This answer makes it clear why a CNAME from one owner to another wouldn't work with HTTPS, but not why a CNAME to another record owned by the same wouldn't. Could you describe that, please?
– kojiro
                Apr 23, 2013 at 14:52
                @kojiro If the server certificate will match CNAME record (travel-maps.example.com in this case) SSL will be working fine.
– kupson
                Apr 24, 2013 at 5:45
                But why couldn't I give Google a copy of my certificate?  Almost every site hosting supports it, including App Engine.
– Beni Cherniavsky-Paskin
                Mar 18, 2014 at 7:03
This is how CDN service provider such as Incapsula with works with HTTPS.
They just create a "Multi-domain" SSL cert for you.
You may check a demo cert-info in this site.
https://www.incapsula.com/
Any way, this kind of SSL cert is for business use in most case and are generally pretty expensive.
                so, if a CDN provides service to a HTTPS-site foo, does it mean that I am no longer using the certificate provided by foo, and instead relying on the CDN's one?
– qdii
                Oct 16, 2013 at 8:02
                No, you data still needs to be encrypted between your server and CDN server. Theoretically, you may use a self-signed ssl cert for your server.
– Shiji.J
                Oct 17, 2013 at 7:43
        Thanks for contributing an answer to Stack Overflow!
Please be sure to answer the question. Provide details and share your research!
But avoid …
Asking for help, clarification, or responding to other answers.
Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.