[unisog] certificates with subjectAltName

Aaron Bliss abliss at brockport.edu
Wed Jun 4 16:34:14 GMT 2008


Chris,
We use certificates with subject alternative names for instances that 
you just described.  Running on a few IIS and Apache servers, works like 
a charm without any browser warnings.  We didn't have to make any 
changes in order to natively support IE 6 and above and Firefox 2 and 
above; Safari, Opera and konq. work as well.

Aaron

Chris Edwards wrote:
> Hi,
>
> We have a requirement to host around 20 HTTPS websites on a single server.
>
> General wisdom is that HTTPS and name-based virtual hosts don't mix, as 
> the server generally doesn't know which website is involved at the point 
> it must present the cert.  Catch-22.  So, we'll probably end up doing 
> IP-based virtual hosting, creating 20 IP addresses on the server (and 
> another 20 on the DR server...).  However, we've also been looking to see 
> if there are any viable methods to avoid this...
>
> One possibility might be "Server Name Indication" (RFC3546).  However this 
> appears not widely supported at present.
>
> A more realistic option appears to be the Subject Alternative Name 
> (subjectAltName) certificate extension.  It appears we can get a single 
> certificate which includes all the necessary hostnames, and serve it up 
> from a regular name-based virtual host apache setup.  Since this cert 
> validates all the websites, we'd simply serve it up in response to ALL 
> requests, thus avoiding the catch-22.
>
> I can see this method would be no use for ISPs, as certificates are 
> generally obtained independently by individual ISP customers, who know 
> nothing of the other customers hosted on the same server.  However, in our 
> case, all the virtual websites are under the same management, and we know 
> all the names in advance.  So this method looks plausible in our situation.
>
> Has anyone ever done this in production?  I'm mostly interested to know 
> about the level of web browser support for subjectAltName.  Asking Google 
> seems to give a mixture of "all current browsers support it" and "most 
> recent browsers support it", with the latter being a little less 
> encouraging, as accessibility of the sites will be important to us.
>
> Thanks for any clue!
>

-- 
Aaron Bliss
Systems Administrator
SUNY Brockport
(585) 395-2417
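The approach discussed in this thread, one certificate whose subjectAltName lists every name-based virtual host, only works if the SAN list really does cover every hostname the server will answer for, using the same matching rules a browser applies (case-insensitive comparison, wildcard allowed only as the whole leftmost label and matching exactly one label). The script below is an added example, not code from either poster: it checks a list of virtual host names against a SAN list and emits an openssl `req` configuration that requests the missing names in a single CSR. The hostnames, the `example.edu` zone and the config section names are constructed for illustration.

```python
"""Check that one subjectAltName certificate covers a set of name-based
virtual hosts, and build an openssl req config that requests them all.
Added example; hostnames and section names are constructed."""


def dnsname_matches(san_entry: str, hostname: str) -> bool:
    """Match a SAN dNSName against a hostname the way browsers do
    (RFC 6125 style): case-insensitive, trailing dots ignored, and a
    wildcard only as the entire leftmost label covering exactly one label.
    """
    san = san_entry.lower().rstrip(".")
    host = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == host
    san_labels = san.split(".")
    host_labels = host.split(".")
    # A wildcard must be the whole leftmost label ("f*o.example.edu" is
    # rejected) and must sit below at least two labels ("*.edu" is rejected).
    if san_labels[0] != "*" or len(san_labels) < 3:
        return False
    # "*" covers one label only, so "*.example.edu" never matches
    # "a.b.example.edu".
    if len(san_labels) != len(host_labels):
        return False
    return san_labels[1:] == host_labels[1:]


def uncovered_hosts(san_dnsnames, vhosts):
    """Return the virtual host names that no SAN entry covers."""
    return [
        host for host in vhosts
        if not any(dnsname_matches(san, host) for san in san_dnsnames)
    ]


def openssl_san_config(common_name: str, dnsnames) -> str:
    """Render an openssl.cnf fragment for 'openssl req -new -config ...'
    that puts every name into the subjectAltName request extension.
    The CN is repeated in the SAN list because browsers ignore the CN
    once a SAN extension is present."""
    names = list(dnsnames)
    if common_name not in names:
        names.insert(0, common_name)
    lines = [
        "[req]",
        "distinguished_name = dn",
        "req_extensions = v3_req",
        "prompt = no",
        "",
        "[dn]",
        f"CN = {common_name}",
        "",
        "[v3_req]",
        "subjectAltName = @alt_names",
        "",
        "[alt_names]",
    ]
    lines.extend(f"DNS.{i} = {name}" for i, name in enumerate(names, 1))
    return "\n".join(lines) + "\n"


# Constructed sample data: the names Apache will serve, and the SAN list
# of the certificate currently installed.
VHOSTS = [
    "www.example.edu",
    "mail.example.edu",
    "Portal.Example.edu",
    "intranet.example.edu",
]
CURRENT_SAN = ["www.example.edu", "mail.example.edu", "portal.example.edu"]

if __name__ == "__main__":
    missing = uncovered_hosts(CURRENT_SAN, VHOSTS)
    print("not covered by the current certificate:", missing)
    # Request a replacement that lists every virtual host.
    print(openssl_san_config("www.example.edu", [h.lower() for h in VHOSTS]))
```

Write the rendered config to a file and run `openssl req -new -key server.key -config san.cnf -out server.csr` (file names assumed) to produce the CSR; whether the issued certificate actually carries the SAN extension depends on the CA copying the requested extensions, so inspect the result with `openssl x509 -in server.crt -noout -text` before deploying it to all the name-based virtual hosts.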