How to Use One SSL Certificate for Your Entire Multisite Network

How to Use One SSL Certificate for Your Entire Multisite Network

Securing your site with an SSL certificate should be an important part of your security arsenal in order to help protect your data and users. Luckily, our Domain Mapping plugin has made it a snap to secure your entire Multisite Network with HTTPS.

With Domain Mapping, you can set custom domains for each site in your network along with services like:

  • One certificate per network
  • Force use of https
  • End user domain mapping
  • Global logins across all sites
  • Check the health of domains
  • Sell features as paid upgrades
  • Offer features individually
  • Resell domains to users
  • Restrict login to mapped domain
  • eNom and WHMCS integration
  • Exclude pages from using https
  • Pro Sites and MarketPress integration

This is all just the tip of the iceberg. There are a lot more juicy features included out-of-the-box. With Google’s announcement to boost search engine rankings for sites using SSL certificates, it’s even more important to protect your Multisite Network.

I’ll show you how to get started by setting up the Domain Mapping plugin to use one SSL certificate for your entire Network in this Weekend WordPress Project.

Choosing the Best SSL Certificate for Your Network

There are three main kinds of SSL certificates you can use and the right one for your network will depend on the type of setup you would like to achieve.

Mapped domains
Your users can further personalize their site with their own domains.

A Multi-Domain (UCC) SSL certificate will allow your users to choose their own domain to display.

It may be important for you to know that many Certificate Authorities have a limit to the number of certificates that can be issued for a single IP address so if you are running a large network of over 100 people, another solution may be necessary.

In such cases, adding another virtual host with SNI can help you to achieve this result.

Domain mapping with SSL certificates and sub-directories.
Every site in your network can enjoy the privilege once reserved for single installs.

A Standard SSL certificate can be used for Multisite installs with subdirectory paths such as https://www.your-site.com/site1/ and https://www.your-site.com/site2.

Standard certificates typically cost less, which is also a bonus.

On the other hand, if your Multisite is set up with subdomains, then a Wildcard SSL certificate will let your customers enjoy domains such as https://site1.your-site.com and https://site2.your-domain.com.

You can also choose an Extended Validation (EV) certificate which would work well for subdirectory installs, but with an added layer of security. It also includes visible validation for your users to see your site has gone through a more rigorous screening process to ensure your site is safe.

Once you have decided on the kind of SSL certificate you need for your Multisite, it’s time to purchase and set one up for your main network’s domain. If you would like more information on SSL certificates and how to use them in WordPress, check out our post How to Use SSL and HTTPS with WordPress.

Installing the Domain Mapping Plugin

Once your certificate has been successfully installed, you’re ready to setup the Domain Mapping plugin. For full details on how to get started, check out our comprehensive guides on our plugin’s page and our article The Ultimate WordPress Domain Mapping Plugin Just Got Better.

When Domain Mapping is all set up, you’re ready to configure your network’s SSL settings.

Activating SSL Across Your Network

Go to your network admin’s dashboard > Settings > Domain Mapping and scroll down to the section labeled Force http/https (Only for original domain). You’ll be asked if you would like to force https in login and admin pages. Selecting Yes will ensure you will be redirected to the secure version of your site every time you visit, even if you do not type in the “https” prefix.

SSL is forced for both admin and front end pages.
SSL is forced for the entirety of the main site, but you can use the settings that work best for you.

You will then be asked if you would like to force https or http for front end pages. For the highest level of security this option provides, choose Force https.

Now your main site will be protected with SSL encryption for each visit you make to your site, but what about your users’ sites?

Not a problem, the latest update has got you covered! Scroll down to the bottom of the page to the section Enable excluded/forced urls. This is where you can choose which features your users are able to set up.

The options for letting users control domain mapping and forced https for their sites.
The features are all optional. Choose the ones that fit your specific needs.

Your users are referred to here as site admins. You can opt to let them choose pages to exclude from being mapped and if they would like to use your SSL certificate for their site as well.

There are also two plugins which integrate well with Domain Mapping and can help you earn extra income.

With the Pro Sites plugin, these capabilities can be monetized as premium upgrades. You can also choose to sell these features individually with the MarketPress eCommerce plugin.

With these plugins, you can make your own paid memberships sites like the über-popular edublogs.org and wordpress.com sites.

With these settings complete, your users can go to their admin dashboard > Tools > Domain Mapping and complete the steps to add their own domain and make use of your SSL certificate without installing their own.

The "Domain Mapping" page under the user's admin dashboard > Tools.
Remember, your users can map their own domain and use https if you have a multi-domain SSL certificate installed.

You could optionally choose to disable your site admins from mapping their domain themselves and default them to your network’s path by installing and setting up Pro Sites. You can also limit many other features as needed with this plugin as well.

Conclusion

That’s it! You’re all set to use one SSL certificate for each site in your network. If you’re interested in having the feature of letting your users select between multiple domains they can use for their site upon sign up, check out out Multi-Domains plugin.

Expert support is also included with all the plugins I’ve mentioned here so if you find you run into troubles during setup, feel free to ask your questions in our 24/7 Support Forum.

If you’re interested in other ways you can power-up your site, check out some of our other articles: Adding Premium Upgrades to Your Multisite Network with Pro SitesGive Your Customers Top-Notch Service with Support System and Using Appointments + to Setup and Streamline Client Consultations.

What are your plans for pairing Domain Mapping and SSL? Have you already included in your network? Even better! Share your experience and tips in the comments below.

31 Responses

    Connor

    Hey, this is pretty cool, I didn’t even realize you could do this, and it certainly makes HTTPS more practical for smaller sites. It does seem difficult to implement across the bulk of the web until IPv6 has really pushed IPv4 out of the way. I wonder if Google’s boost applies to static pages and blogs? Doesn’t seem much need for security on pages with no input. This page isn’t HTTPS, for example, although it does work as one.

    Still, cool piece of tech. I could set this up with your plugin, easy, and I wouldn’t know where to start without it.

      Jenni McKinnon

      Hey Connor,

      Glad you like the idea!

      You bring up excellent points. As far as my understanding goes, the Google boost applies to all sites that use an SSL certificate, even static blogs. I agree, though, not much use for an SSL certificate on static sites.

      There is an open source SSL certificate issuer launching very soon that is partnering with companies like Automattic, Cisco, Mozilla and others called Let’s Encrpt: https://letsencrypt.org/.

      Soon you’ll be able to get an SSL certificate for your site for free, even if it’s static so you can get the boost.

      Thanks for sharing your awesome ideas!

      Cheers,

      Jenni McKinnon

      Jenni McKinnon

      Hey Max,

      I’m so glad you’re enjoying the plugins. I, myself, am extremely excited about the idea of using one SSL certificate across an entire network with the Domain Mapping plugin. It just opens up way more possibilities as you mentioned.

      You make excellent points, thanks for sharing them!

      Cheers,

      Jenni McKinnon

      Jenni McKinnon

      Hey Dyego,

      The SSL certificate will apply to the subsites in a Multisite network that are not remapped with their own domain. If a user wishes to use their own domain, a separate certificate will be needed.

      However, if you want to let your users choose between several domains to use for their site that you pre-set, then you can use one SSL certificate for each of those domains and the certificates can be applied to the subsites. To achieve this kind of setup, you would need our Multi-Domains plugin. You can find more information about it here: https://premium.wpmudev.org/project/multi-domains/

      Hope that answers your question and if not, let me know and I’ll do what I can to help you out.

      Cheers,

      Jenni McKinnon

    Sharjeel

    Hi, Thanks for nice information.
    In reply to the last answer: I want to be able to use SSL if the users choose their own domain name.
    Can I install two wildcard certificates on one cPanel account? Or one standard SSL and one wildcard SSL?
    Please tell me some way to use SSL in case client is using his own domain name (www.example.com)

      Jenni McKinnon

      Hey Sharjeel,

      SSL certificates apply for only the domain where they’re registered. This means that a wildcard SSL certificate for http://www.yoursite.com works if you want to create multiple sub-domains that are protected using that domain. For example, site1.yoursite.com, site2.yoursite.com, etc.

      If you would like to also offer an SSL certificate for clients who want to choose their own domain, they would need their own certificate. If they would like the same capabilities as you described above, you would need two wildcard SSL certificates. If your client just wants to use their own domain with no sub-domains, then they would just need a standard SSL certificate.

      The only stipulation is that our Domain Mapping plugin automates domain mapping, but doesn’t issue SSL certificates automatically. With the instructions in this post, you would need to issue SSL certificates manually or else your client would need to do this themselves.

      If you’re looking to automate the SSL certificate issuing process, you could use an SSL certificate re-seller service and integrate it with our Pro Sites plugin to offer it as a paid service.

      Hope that helps.

      Cheers,

      Jenni

    Sam

    I’m having a little trouble understanding how this could apply to my situation.

    Let say I have a WordPress multisite with sub-domains, and a Wildcard SSL certificate. I want to map a domain name to that sub-domain, but want to exclude certain pages from the mapped domain (e.g. cart checkout). For example:

    site.com is mapped to site.host.com. When a visitor on site.com goes to the checkout page, they’re redirected to https://site.host.com/checkout

    Can this be achieved with the domain mapping plugin mentioned in the blog post? I see the picture has excluded pages (https://premium.wpmudev.org/blog/wp-content/uploads/2015/05/user-domain-mapping.png) but don’t know if this would apply. I could see this as really useful.

      Jenni McKinnon

      Hey,

      This happens if your mapped domain does not contain your main domain.

      For example, if your domain for your main site is your-domain.com and your mapped domain is second-domain.com then your SSL certificate that was installed on your-domain.com will deliver an untrusted certificate error message when you try to access the mapped, second-domain.com since the SSL certificate isn’t registered to that domain.

      If instead, your second site was your-domain.com/second-domain, your SSL certificate would still work even though it’s two separate sites since both sites are using the same domain.

      Or, if your second site was second-domain.your-domain.com, the SSL certificate would also work, but only if you have what’s called a wildcard SSL certificate installed. If you have a standard certificate installed or any other certificate for a single domain, it won’t work.

      Long story short, if you want to use a completely different domain name, you need to install a separate certificate for it, even though the domain is mapped to your original site.

      I hope that clarifies things for you. Let me know if you have anymore questions.

      Cheers,

      Jenni

      Greg

      Hey,

      I would love a followup to @twicealive as well. I resorted to a positive sll multi-domain to test as I kept hearing that the wildcard would only work of actual subdomains (and not the domains that are mapped to the subdomains). I would, however, welcome a confirmation along with steps for wildcard ssl on WordPress multisite myself as well (which would work with mapped domains). That would just be awesome! I can not find clear answers on this anywhere (but there is plenty of conflicting opinions).

      Looking forward to hopefully getting some further exchange on it . . .

      :)

      Jenni McKinnon

      Hey twicealive and Greg,

      Yeah, I can clarify and confirm this info for you. In order to install multiple, separate SSL certificates within the same network, you would need to use a Server Name Indication (SNI) so you can use multiple certificates on a single IP address.

      A wildcard domain would only be good for sub-domains.

      Let me know if you have anymore questions.

      Cheers,

      Jenni

      Jenni McKinnon

      Hey Stephen,

      Yeah, I can help you out with this. Here are my answers:

      1. You could do this, but the SSL would only work on one of those domains, not both. As I mentioned in some of my replies above, the other comments, it’s possible to use a Server Name Indication (SNI) so you can use multiple SSL certificates for one IP address.

      2. Yes, you could absolutely do this, but there’s usually a limit to how many sub-domains can be added under the one certificate.

      If you have anymore questions, just ask. :)

      Cheers,

      Jenni

    Jaime

    I had done this using a wildcard cert and then used a certificate for each mapped domain. Everything was working fine until an update with cPanel messed the whole thing up and now I can only use one cert for some reason. I’ve never found a way to get it working again. I can either use the wildcard and protect the subdomains and not have the mapped domains protected or use the cert for the mapped domain and not have the backend of the network protected.

    I ended up resolving the issue using a multidomain ssl cert. It is a PITA as I have to reinstall the certificate to every domain every time I reissue and add a new domain to the certificate. It also means having to add 2 more SAN’s to the certificate with each new site. Meaning I can run around 50 websites per certificate as I have to add the subdomain and the mapped domain I will be using.

    Still looking for a better way of doing this, but it works in the meantime and I need it protected since these are eCommerce sites.

    Alley Oop

    Hi there, thanks a lot for this interesting post !

    I tried to follow all the steps for my multisite and, when it works fine for my main domain, I face a problem of looping for a mapped domain. Let me explain better..

    In the configuration of the plugin (domain mapping, at network level), I set up to force https in front-end pages. The result is that for my main domain name, when I enter http://www.mymaindomain.com, it redirects well to https://www.mymaindomain.com. Great !

    But then I’ve got another domain name (let’s say myseconddomain.com) mapped to one of the blogs of that multisite installation. The mapping is done so that it is always that second domain name that is used. In the main config (of domain mapping, at network level), I activated “Allow site admins to set https-forced URLs”. And in the blog level configuration, I entered that second domain name (http://www.myseconddomain.com) in the field “Add page urls below to force https:”. This should then force the redirection to https://www.myseconddomain.com.

    The problem I am facing is that it is like if there were two opposite redirection at the same time. One is trying to redirect to https and another one (already in place but I don’t know how) is trying to move to normal http. And it ends up to an error : “www.myseconddomain.com redirected you too many times.”

    What I am then trying to understand is what is causing that redirection to http???

    If I remove all what I just configured to move to https and I type https://www.myseconddomain.com in the browser, it redirects to http://www.myseconddomain.com… This is well the problem!!!

    Could that be caused by domain mapping? Or by another plugin (but I can’t see which one)? Or in the .htaccess (but I already checked and it dosen’t seem so)?

    Can someone have a look at this?

    That second domain name for which I am struggling is actually “auberge3fontaines.be”. You can try to go to https://www.auberge3fontaines.be and you’ll see the redirection to normal http..

    Thanks a lot for your help!
    Simon

    CBO

    My webhost has a control panel set up for installing Let’s Encrypt certs. Using that, I installed a certificate for a mapped subdirectory (mainsite.com/subsite mapped to http://www.subsite.com), but I got a message saying the certificate wasn’t registered to that name. I wondered if it needed to be issued to mainsite/com/subsite. Would it have cleared that up if I had gone into the Domain Mapping plugin for subsite.com and set it to https, or force https?

    And what can be done about it breaking external links? Can a redirect be set up for the site, from http to https? Or would they need to be set up for each page/post/image?

      Tyler Postle

      Hey CBO, you would need it to be issued to the mapped domain, so subsite.com in your case – unless users were still able to access the subsite from the original domain then you would need both mainsite.com and subsite.com to be issued an SSL. This could get a bit tricky as you can usually only have one SSL cert per virtualhost; however, using SNI you can do two: https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm

      Ask your host if you’re unsure about that would be server side config.

      As for redirecting from http to https, yes you can do this in the Domain Mapping settings, when you map the domain there will be an option to choose the prefix – in your case you would want https. You can click the “key” symbol beside the mapped domain to toggle between forced http, forced https, or nothing forced.

      If you have any further issues with this then please create a support ticket with us here: https://premium.wpmudev.org/forums/#question – then we can have a closer look and investigate further :)

Comments are closed.