A couple points on your proposed configuration:

1) Your proposed setup would, indeed, work.
2) The same private key would be on both systems.  If one of the
systems is compromised, the cert will need to be revoked and new keys
generated.
3) StartCom Ltd (http://www.startcom.org/) has no-fee SSL certificate
issuance, which would reduce the fiscal outlay.  (StartCom is
recognized by Firefox 2.x and 3.x, as well as being part of
Microsoft's and Apple's root certificate programs.  I believe they're
also recognized by Opera, but I don't use it so can't truly speak for
it.)

To mitigate #2 (and in light of the reduction of fiscal outlay
suggested by #3), I'd suggest the following:

host1's subjectAlternativeName should include 'www1.domain.com',
'www.domain.com', and 'domain.com'.
host2's subjectAlternativeName should include 'www2.domain.com',
'www.domain.com', and 'domain.com'.

Other than this, I can't really see any issues with your proposed config.

-Kyle H
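As an added illustration of Kyle's suggestion (not code from the original thread), the following shell script gives each host its own private key and CSR, with the per-host subjectAltName lists he proposes. It assumes OpenSSL 1.1.1 or newer (for `-addext`) and uses the thread's placeholder hostnames under domain.com.

```shell
#!/bin/sh
# Added example: one private key and one CSR per host, each CSR carrying the
# SAN list Kyle suggests, so a compromise of host1 only forces revocation of
# host1's certificate. Assumes OpenSSL >= 1.1.1; hostnames are the thread's.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# csr_sans <label>: print the SAN line OpenSSL parses back out of <label>.csr
csr_sans() {
    openssl req -in "$WORKDIR/$1.csr" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# make_host_csr <label> <primary-hostname> <extra SANs...>
# Writes <label>.key and <label>.csr into $WORKDIR and prints the CSR's SANs.
make_host_csr() {
    label="$1"; primary="$2"; shift 2
    sans="DNS:$primary"
    for alt in "$@"; do
        sans="$sans,DNS:$alt"
    done
    # Fresh 2048-bit RSA key generated on (and never copied off) this host.
    openssl genrsa -out "$WORKDIR/$label.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$label.key" \
        -subj "/CN=$primary" \
        -addext "subjectAltName=$sans" \
        -out "$WORKDIR/$label.csr" 2>/dev/null
    csr_sans "$label"
}

# keys_differ <label1> <label2>: succeed only if the two private keys differ.
keys_differ() {
    ! cmp -s "$WORKDIR/$1.key" "$WORKDIR/$2.key"
}

# host1 and host2 each request www.domain.com and domain.com, plus their own
# hostname, exactly as proposed in the reply above.
make_host_csr host1 www1.domain.com www.domain.com domain.com
make_host_csr host2 www2.domain.com www.domain.com domain.com
keys_differ host1 host2 && echo "host1 and host2 hold distinct private keys"
```

Each CSR is then submitted to the CA separately; only the matching .key file ever needs to exist on its host.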

On Sat, Dec 13, 2008 at 10:03 AM, Tom Worster <f...@thefsb.org> wrote:
> i'm about to buy a signed cert for the first time to use on a web server.
> there seem to be a few possibilities so i'd like to ask about them.
>
> i have two hosts for redundancy. each has apache/modssl and two vhosts: one
> for http and the other for https. i want users to be able to reach the https
> vhosts via multiple host names, thus:
>
> host one is configured with servername=www1.domain.com with two aliases:
> domain.com and www.domain.com.
>
> host two has servername=www2.domain.com with the same two aliases as host
> one.
>
> i only use ssl for encryption of passwords; server auth is not very
> important and there's no money in the transactions. my goal is to eliminate
> all web browser cert/security warnings while keeping passwords private.
>
> so i figured i'd buy one "Go Daddy Standard SSL Multiple Domain (UCC)" cert
> and install it on both hosts. the cert has all four host names in it
> (domain.com, www.domain.com, www1.domain.com, and www2.domain.com).
>
> i'd be really grateful if y'all could point out any flaws in my
> understanding and approach to configuration.
>
> tom
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org