Tom Worster wrote:
kyle, thank you for your comments. that's very helpful.

i'm unsure now which name to use as common name and which names to put in
subjectAlternativeName. what are the considerations?

thanks for mentioning startcom. i looked at them a few weeks ago but
couldn't determine if their certs would make my users' security warnings go
away. but now i'm going to experiment with startcom and see what happens.


On 12/14/08 11:12 AM, "Kyle Hamilton" <aerow...@gmail.com> wrote:

A couple points on your proposed configuration:

1) Your proposed setup would, indeed, work.
2) The same private key would be on both systems.  If one of the
systems is compromised, the cert will need to be revoked and new keys
generated.
3) StartCom Ltd (http://www.startcom.org/) has no-fee SSL certificate
issuance, which would reduce the fiscal outlay.  (StartCom is
recognized by Firefox 2.x and 3.x, as well as being part of
Microsoft's and Apple's root certificate programs.  I believe they're
also recognized by Opera, but I don't use it so can't truly speak for
it.)

To mitigate #2 (and in light of the reduction of fiscal outlay
suggested by #3), I'd suggest the following:

host1's subjectAlternativeName should include 'www1.domain.com',
'www.domain.com', and 'domain.com'.
host2's subjectAlternativeName should include 'www2.domain.com',
'www.domain.com', and 'domain.com'.

Other than this, I can't really see any issues with your proposed config.

-Kyle H

I keep a lookout for truly free AND integrated SSL certificates. The main sticking point with that company is IE. They ARE NOT in the root certificate store in IE.* They ARE in the root certificate store in Firefox and Safari.

http://cert.startcom.org/

* I went to Windows Update and there was an update to the Root Certs. I updated and the cert. still does not exist in my Root Certificate Store. So, I'm pretty sure they either aren't in the program or Microsoft doesn't care enough to deploy their cert.

A free cert. in IE/Windows Root Certs. would completely change the SSL cert. game. Companies like Verisign would be FORCED to stop their price gouging for SSL certs. I see no logical reason to pay $500 for a couple KB of data...annually.

--
Thomas Hruska
Shining Light Productions

Home of BMP2AVI, Nuclear Vision, ProtoNova, and Win32 OpenSSL.
http://www.slproweb.com/
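Kyle's per-host certificate layout (one private key per host, each CSR carrying the host's own name plus the shared names in subjectAlternativeName) written out as an OpenSSL request config. This is an added example, not code from anyone in the thread; it assumes the placeholder names from Kyle's message (www1/www2.domain.com, www.domain.com, domain.com), an output directory of the caller's choosing, and a standard `openssl` binary on the PATH. On Tom's CN question: the host's own name goes in CN and is repeated in SAN, because certificate verifiers use the SAN list when one is present and treat CN only as a fallback.

```shell
#!/bin/sh
# Added example (not from the thread): separate key + CSR per host, each with
# a subjectAltName that lists the host's own name and the shared site names.
# Compromise of one host then only forces revocation of that host's cert.
# Assumptions: placeholder domain "domain.com" from the thread; openssl on PATH.

san_list() {
  # SAN value for host $1 (e.g. www1): own name plus the names both hosts serve.
  printf 'DNS:%s.domain.com,DNS:www.domain.com,DNS:domain.com\n' "$1"
}

write_req_config() {
  # Write an "openssl req" config for host $1 to file $2.
  # CN carries the host's own name; the same name is repeated in SAN.
  host="$1"; out="$2"
  cat > "$out" <<EOF
[ req ]
distinguished_name = dn
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = ${host}.domain.com

[ v3_req ]
subjectAltName = $(san_list "$host")
EOF
}

make_key_and_csr() {
  # Generate a fresh 2048-bit RSA key and a CSR for host $1 in directory $2.
  # Returns 1 (after still writing the config) when openssl is not installed.
  host="$1"; dir="$2"
  write_req_config "$host" "$dir/$host.cnf"
  command -v openssl >/dev/null 2>&1 || return 1
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -config "$dir/$host.cnf" -out "$dir/$host.csr"
}

csr_sans() {
  # Print the SAN line of CSR $1 so it can be checked before sending it to the CA.
  openssl req -in "$1" -noout -text |
    awk '/Subject Alternative Name/ { getline; sub(/^ */, ""); print }'
}

# Usage: sh san_csr.sh www1 www2   (writes key/config/CSR per host into ./san-out)
if [ "$#" -gt 0 ]; then
  outdir="${SAN_DIR:-./san-out}"
  mkdir -p "$outdir"
  for h in "$@"; do
    if make_key_and_csr "$h" "$outdir"; then
      echo "$h: $(csr_sans "$outdir/$h.csr")"
    else
      echo "$h: wrote $outdir/$h.cnf only (openssl not found, CSR skipped)"
    fi
  done
fi
```

Each host submits its own CSR to the CA, so the two certificates share names but never share a key; `csr_sans` is the check worth running before submission, since a CA will issue exactly the names in the request.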


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
