Joseph Shraibman wrote:
> 
> I need to have ssl on a dynamic virtual host, i.e. a.x.com, b.x.com, c.x.com. 
> Mozilla doesn't have a problem if the certificate says x.com or *.x.com, 
> but IE does.  
> Is there a spec somewhere about what is legal in this regard?

http://www.rfc-editor.org/rfc/rfc2818.txt Section 3.1 says, in part:

   If a subjectAltName extension of type dNSName is present, that MUST
   be used as the identity. Otherwise, the (most specific) Common Name
   field in the Subject field of the certificate MUST be used. Although
   the use of the Common Name is existing practice, it is deprecated and
   Certification Authorities are encouraged to use the dNSName instead.

   Matching is performed using the matching rules specified by
   [RFC2459].  If more than one identity of a given type is present in
   the certificate (e.g., more than one dNSName name, a match in any one
   of the set is considered acceptable.) Names may contain the wildcard
   character * which is considered to match any single domain name
   component or component fragment. E.g., *.a.com matches foo.a.com but
   not bar.foo.a.com. f*.com matches foo.com but not bar.com.


--
Nelson Bolyard               Netscape 
Disclaimer:                  I speak for myself, not for Netscape

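As an added illustration of the rules quoted above (example code written for this page, not from the RFC, from Netscape, or from any browser), here is a small Python matcher that applies RFC 2818 section 3.1: subjectAltName dNSName entries win over the Common Name when present, any one matching identity is enough, and '*' matches a single label or a fragment of one. The function names are my own, and the certificate identities are passed in as plain strings rather than parsed out of an X.509 certificate.

```python
import re
from typing import Iterable, Optional


def _dns_label_pattern(label: str) -> str:
    """Translate one pattern label into a regex in which '*' matches a
    component fragment: any run of characters that does not cross a dot."""
    return "".join("[^.]*" if ch == "*" else re.escape(ch) for ch in label)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818 section 3.1 wildcard matching.

    '*' matches any single domain name component or component fragment,
    so the pattern and the hostname must have the same number of labels:
    '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com', and
    'f*.com' matches 'foo.com' but not 'bar.com'.
    Comparison is case-insensitive, as DNS names are.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        if not h:  # empty label such as 'a..com' is never a valid host
            return False
        if re.fullmatch(_dns_label_pattern(p), h) is None:
            return False
    return True


def certificate_matches_host(hostname: str,
                             san_dns_names: Iterable[str],
                             common_name: Optional[str]) -> bool:
    """Pick the identity the way RFC 2818 section 3.1 prescribes.

    If any subjectAltName dNSName is present those names MUST be used and
    the Common Name is ignored, even if the CN would have matched. Only
    when no dNSName exists does the (most specific) CN count. A match on
    any one identity of the chosen type is acceptable.
    """
    san_dns_names = list(san_dns_names)
    if san_dns_names:
        return any(dns_name_matches(n, hostname) for n in san_dns_names)
    if common_name is not None:
        return dns_name_matches(common_name, hostname)
    return False


if __name__ == "__main__":
    # Constructed cases covering the question in the thread and the RFC text.
    cases = [
        # hostname    SAN dNSNames      CN          expected
        ("a.x.com",   [],               "x.com",    False),  # CN x.com != a.x.com
        ("a.x.com",   [],               "*.x.com",  True),   # one label wildcard
        ("b.c.x.com", [],               "*.x.com",  False),  # '*' is one label only
        ("a.x.com",   ["www.x.com"],    "*.x.com",  False),  # SAN present: CN ignored
        ("A.X.COM",   ["*.x.com"],      None,       True),   # case-insensitive
        ("foo.com",   ["f*.com"],       None,       True),   # fragment wildcard
        ("bar.com",   ["f*.com"],       None,       False),
    ]
    for host, sans, cn, expected in cases:
        got = certificate_matches_host(host, sans, cn)
        status = "ok " if got == expected else "BAD"
        print(f"{status} host={host:<10} san={sans!s:<14} cn={cn!s:<8} -> {got}")
```

Two things worth noting. First, the last-but-three case is the security-relevant one: once a certificate carries any dNSName, a permissive CN must not rescue a hostname the SAN list does not cover. Second, this matcher deliberately follows the RFC 2818 text quoted above, including fragment wildcards such as f*.com and wildcards in non-leading labels; later guidance (RFC 6125, section 6.4.3) and current browsers restrict the wildcard to the leftmost label, so a certificate you request from a CA should use the *.x.com form only.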