Oliver Welter wrote:
>> There is another alternative: use one single certificate with multiple
>> DNS Subject Alternative Names. That way you can have as many SSL
>> vhosts on one single port as you like.

> But current browsers don't support this and will bring an alert that the
> domain does not match the certificate!
> (At least when I tried this some months ago I had the issue with IE and FF)

This must have been a long time ago ;) IE and FF support this; IE has supported it even longer than FF in this case. Therefore it should be quite safe to do this at the moment. Of course one should test it before using it.

If somebody wants to test his/her browsers, you can do this here:

https://spi.tu-ilmenau.de/
https://www.spi.tu-ilmenau.de/

Same certificate; in this case different SANs are used, including one which only contains https://spi/ for fast internal access, which you can't test remotely...

Another example you may find here:

https://www.datenschleuder.org
https://dalini.datenschleuder.org
https://pki.datenschleuder.org
https://www.fuekw.de

This uses a combination of CN: *.datenschleuder.org, so all third-level domains are accepted by the web browsers (note: fourth-level domains would not work with that!), and the SAN field in the certificate, where different domains are included. This is all running at the same server, port and IP address.

Of course you will get an error message because of the missing root CA. For testing purposes you may get them here:

first testcase: http://pki.fem.tu-ilmenau.de/operating/004/pub/pub/cacert/cacert.crt
second testcase: http://pki.datenschleuder.org/operating/ds-ca002/pub/pub/cacert/cacert.crt

The main problem so far is: most browsers don't show you the SAN section, or, like FF, only in hex... which isn't really helpful, so it's difficult to confirm what's going on as a 'simple' user...

'The funny' thing about this topic is, in the RFCs the SAN is the primary source for FQDN and IP comparison and the CN is only the fall-back option, so from the RFC point of view one could write "Webserver of Datenschleuder Organisation" in the CN and no FQDN at all, and this works with FF and IE if the right values are available in the SAN section. But as mentioned, you can't check with the browsers' certificate tools, unfortunately, what is in the SAN :/

Happy testing ;)

greetings
dalini

Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
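As an added illustration of the matching rule dalini cites (dNSName SANs are the primary source, the CN is only a fallback, and a wildcard covers exactly one label), here is a small Python checker written for this page; it is not code from the thread or from OpenCA. The certificates in it are constructed samples in the dict layout Python's ssl.getpeercert() returns, not the real certificates of the servers named above.

```python
# Hostname matching per the rule the thread describes: dNSName SANs are the
# primary source, the CN only a fallback, and a wildcard covers one label.
# The certificates below are constructed samples in the dict layout that
# ssl.SSLSocket.getpeercert() returns; they are not the real certificates of
# the servers named in the thread.
SAN_PLUS_WILDCARD_CN = {
    "subject": ((("commonName", "*.datenschleuder.org"),),),
    "subjectAltName": (("DNS", "www.fuekw.de"), ("DNS", "pki.datenschleuder.org")),
}
WILDCARD_CN_ONLY = {"subject": ((("commonName", "*.datenschleuder.org"),),)}
PLAIN_CN_ONLY = {"subject": ((("commonName", "spi.tu-ilmenau.de"),),)}


def dns_sans(cert):
    """All dNSName entries of the SAN extension (empty if there are none)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert):
    """All commonName attributes of the subject DN."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading '*.' matches exactly one label,
    so '*.example.org' covers 'a.example.org' but not 'a.b.example.org'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """Return (matched, source, name): source is 'SAN' when the certificate has
    dNSName SANs (the CN is then ignored entirely) and 'CN' otherwise."""
    candidates, source = dns_sans(cert), "SAN"
    if not candidates:
        candidates, source = common_names(cert), "CN"
    for name in candidates:
        if name_matches(name, hostname):
            return True, source, name
    return False, source, None
```

Under the strict rule the wildcard CN is ignored as soon as any dNSName SAN is present, so dalini.datenschleuder.org is rejected by the first sample even though the CN would cover it; every hostname the server answers to belongs in the SAN.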
