Wilson Tang wrote:
> Hello,
>
> I got a few questions:
>
> 1. I have a few web servers (Netscape Web Server and Apache), can I use
> the same cert for them?

It's the cert and key pair that are important. As long as you can copy them around, you can use them in either server. I believe you can use PKCS #12 to do this (if your Netscape Server did not come with a PKCS #12 program, you can use the one built from mozilla sources).

>
> 2. I heard that there is something like "wildcard" cert, which means a
> single cert is good for all sub-domain, something like *.bbq.com, is
> that true?

Yes, clients accept wildcards in the CN to match the certificate. I don't know if any of the public CAs are issuing these certificates. It's obvious that their business model would discourage such certs, or charge quite a bit more for them. They can usually justify either or both actions because of the increased liability they incur to issue such certs. More typical use is if a single host had multiple domain aliases. I have really only seen wild card certs in local PKI deployments (where the trust anchor is not a public CA).

>
> 3. If 2 is yes, is there any limitation of browser that can recognise
> that kind of cert? What is the lowest version of IE or Netscape
> Communicator that support it?

All versions of Communicator. I don't know which versions of IE.

>
> 4. Would that impose extra loading on the browser and web server by
> using this kind of cert?

No. The bigger issue is one of maintenance and control. Dealing with one of these certs expiring is a bigger headache than a cert with a fully qualified hostname in the CN. There is good reason that CAs worry about increased liability in this case.

bob

>
> Thanks.
>
> Tang.
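An added example, not part of the original message: a small checker for which hostnames a wildcard name such as *.bbq.com covers. It assumes the single-label, left-most-wildcard rule of RFC 6125 that current TLS clients apply, which is not necessarily what the browsers named in the thread did; the function names and sample hostnames are constructed for illustration.

```python
import ipaddress


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")

    # IP literals are never matched against DNS-style names.
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    if "*" not in pattern:
        return p_labels == h_labels

    # Only a lone "*" as the entire left-most label is accepted.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False
    # Assumption: require two fixed labels, so a name like "*.com" is refused.
    if len(p_labels) < 3:
        return False
    # "*" stands for exactly one non-empty label, never zero and never several.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def coverage(pattern: str, hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether `pattern` covers it."""
    return {host: wildcard_matches(pattern, host) for host in hostnames}


# Constructed sample hostnames.
SAMPLE_HOSTS = ["www.bbq.com", "mail.bbq.com", "WWW.BBQ.COM",
                "bbq.com", "a.b.bbq.com", "www.bbq.com.example.net"]

if __name__ == "__main__":
    for host, ok in coverage("*.bbq.com", SAMPLE_HOSTS).items():
        print(f"{host:28} {'covered' if ok else 'NOT covered'}")
```

Under this rule the bare domain and names two levels down are not covered, so they need their own certificate or additional names in the same one.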
