[unisog] certificates with subjectAltName

Chris Edwards chris at eng.gla.ac.uk
Tue Jun 3 11:12:05 GMT 2008


Hi,

We have a requirement to host around 20 HTTPS websites on a single server.

General wisdom is that HTTPS and name-based virtual hosts don't mix, as 
the server generally doesn't know which website is involved at the point 
it must present the cert.  Catch-22.  So, we'll probably end up doing 
IP-based virtual hosting, creating 20 IP addresses on the server (and 
another 20 on the DR server...).  However, we've also been looking to see 
if there are any viable methods to avoid this...

One possibility might be "Server Name Indication" (RFC3546).  However this 
appears not widely supported at present.

A more realistic option appears to be the Subject Alternative Name 
(subjectAltName) certificate extension.  It appears we can get a single 
certificate which includes all the necessary hostnames, and serve it up 
from a regular name-based virtual host apache setup.  Since this cert 
validates all the websites, we'd simply serve it up in response to ALL 
requests, thus avoiding the catch-22.

I can see this method would be no use for ISPs, as certificates are 
generally obtained independently by individual ISP customers, who know 
nothing of the other customers hosted on the same server.  However, in our 
case, all the virtual websites are under the same management, and we know 
all the names in advance.  So this method looks plausible in our situation.

Has anyone ever done this in production?  I'm mostly interested to know 
about the level of web browser support for subjectAltName.  Asking Google 
seems to give a mixture of "all current browsers support it" and "most 
recent browsers support it", with the latter being a little less 
encouraging, as accessibility of the sites will be important to us.

Thanks for any clue!

-- 
Chris Edwards
IT Security, Computing Service
University of Glasgow, charity number SC004401
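The following is an added example, not part of the original post or of any University of Glasgow setup. It shows the two halves of the subjectAltName approach described above: the openssl.cnf fragment that puts every virtual host name into the SAN extension of one certificate request, and the hostname check a browser applies to the presented certificate, which is what decides whether serving that one certificate for all requests produces a name-mismatch warning. The hostnames are constructed placeholders, and the `openssl req -config` usage is an assumption about how the fragment would be consumed.

```python
"""Added example (not from the original unisog post): a single certificate
whose subjectAltName lists every name-based virtual host, and the
browser-style check that decides whether that certificate matches a
requested hostname.  All hostnames here are constructed placeholders."""

from typing import Iterable, List

# Constructed list of the virtual hosts the shared certificate must cover.
SITES = ["www.example.ac.uk", "portal.example.ac.uk", "wiki.example.ac.uk"]


def openssl_san_config(hostnames: Iterable[str]) -> str:
    """Build the openssl.cnf fragment for a CSR whose subjectAltName carries
    one dNSName per virtual host.  Assumed usage (not from the post):
    openssl req -new -config <this file> -key server.key -out server.csr"""
    names = list(hostnames)
    lines = [
        "[req]",
        "distinguished_name = dn",
        "req_extensions = v3_req",
        "[dn]",
        f"commonName = {names[0]}",   # CN is kept for old clients only
        "[v3_req]",
        "subjectAltName = @alt_names",
        "[alt_names]",
    ]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(names, start=1)]
    return "\n".join(lines) + "\n"


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (or CN) against a hostname the way RFC 2818 /
    RFC 6125 describe it: case-insensitive, trailing dot ignored, and a '*'
    honoured only when it is the entire left-most label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Wildcard must be the whole first label, must not swallow extra
    # labels, and must sit under at least two fixed labels.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(san_dns_names: List[str], common_name: str,
                      hostname: str) -> bool:
    """Decide as a browser does: if subjectAltName carries any dNSName, the
    CN is ignored and only the SAN list counts; CN is a fallback otherwise.
    This is why every vhost name must be in the SAN list, not just the CN."""
    if san_dns_names:
        return any(_dns_name_matches(n, hostname) for n in san_dns_names)
    return _dns_name_matches(common_name, hostname)


def uncovered_sites(san_dns_names: List[str], sites: Iterable[str]) -> List[str]:
    """Return the vhosts the shared certificate would NOT validate, i.e. the
    ones whose visitors would see a name-mismatch warning.  Useful as a
    pre-deployment check when a site is added to the server."""
    return [s for s in sites if not cert_matches_host(san_dns_names, "", s)]


if __name__ == "__main__":
    print(openssl_san_config(SITES))
    # A certificate issued for only the first site leaves two vhosts uncovered.
    print("uncovered:", uncovered_sites(["www.example.ac.uk"], SITES))
```

Running the script prints the config fragment and reports which of the constructed vhosts a certificate listing only the first name would fail to cover; `uncovered_sites` is the check worth running whenever a site is added so that the certificate is reissued before the name goes live.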

