Charles B Cranston wrote:

> > I'm trying to set up an Apache 2 based web server for multiple
> > name based virtual hosts. As it is not possible with mod_ssl to
> > have a separate SSL certificate file for each virtual host...
>
> Actually, you can, but they have to have separate IP addresses.
> (Requiring the server host to be multi-homed...)

As I wrote, I was talking about multiple name based (!) virtual hosts,
and the mod_ssl FAQ states that you can't have a separate SSL cert file
for each of them <http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47>. I
know that multiple IP based virtual hosts are a different matter, but
unfortunately I only have one IP address available for the host in
question.

What I am trying to achieve is that this single host uses one cert which
includes multiple CNs, so that given the following DNS entries

  www.domain1.org.   IN A  123.234.123.234
  www.domain2.net.   IN A  123.234.123.234
  www.domain3.com.   IN A  123.234.123.234

users can access the server via

  https://www.domain1.org/
  https://www.domain2.net/
  https://www.domain3.com/

without a warning about the URL host name not matching the certificate
common name. I know that with mod_ssl all three URLs will result in the
same web page to be displayed, but that is acceptable in this special
case where a couple of domains are to be mapped to one single web site.

Stephen Henson's suggestion allowed me to create and sign a certificate
including multiple CNs. Using the Internet Explorer, any of the above
URLs are accepted without a warning. With Mozilla and Mozilla Firefox,
however, only the first available CN in the certificate is matched
against the URL host name. If there is a way to alter this behaviour,
I'd be glad to hear how, but as I wrote before, there are other mailing
lists probably better suited for this matter. Of course, if you know how
to persuade Mozilla/Firefox to not display their warnings, please do
speak up here! ;-)

Ralph
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
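
The difference reported in the message above, modelled as an added example that is not part of the original post: one policy accepts a host name that equals any CN in the subject, the other compares only against the first CN. The subject string, the extra URL and all function names are constructed for illustration; both policies are simplified exact-match models of the behaviour the message describes, not the browsers' own code.

```python
from urllib.parse import urlsplit

# Constructed subject in OpenSSL's one-line form; CN order is the certificate's order.
SUBJECT = "/O=Example/CN=www.domain1.org/CN=www.domain2.net/CN=www.domain3.com"
URLS = [
    "https://www.domain1.org/",
    "https://www.domain2.net/",
    "https://www.domain3.com/",
    "https://www.other.example/",  # constructed host that is in no CN
]

def normalize(host):
    """Host names compare case-insensitively; drop the trailing root dot."""
    return host.strip().rstrip(".").lower()

def common_names(subject):
    """Return every CN value from a one-line subject, in certificate order."""
    names = []
    for rdn in subject.strip("/").split("/"):
        key, sep, value = rdn.partition("=")
        if sep and key.strip().upper() == "CN":
            names.append(normalize(value))
    return names

def matches_any_cn(host, subject):
    """Policy A: accept if the host equals any CN (exact match, no wildcards)."""
    return normalize(host) in common_names(subject)

def matches_first_cn(host, subject):
    """Policy B: accept only if the host equals the first CN in the subject."""
    names = common_names(subject)
    return bool(names) and normalize(host) == names[0]

def audit(urls, subject):
    """Map each URL to (policy A result, policy B result)."""
    result = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        result[url] = (matches_any_cn(host, subject), matches_first_cn(host, subject))
    return result

if __name__ == "__main__":
    for url, (any_cn, first_cn) in audit(URLS, SUBJECT).items():
        print(f"{url:30} any-CN={any_cn!s:5} first-CN-only={first_cn}")
```

Running the audit against every host name a certificate is meant to serve shows which names would trigger a mismatch warning in a client that applies the stricter policy.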
