[unisog] certificates with subjectAltName

Barry Lynam b.lynam at qut.edu.au
Thu Jun 5 05:37:16 GMT 2008


Hi,

We've not seen any problems with subjectAltNames outside of ensuring we know
how to generate the request (and that isn't hard), and some problems with
Nokia phones, Exchange and chained certificate authorities.

(Chained certificate authorities are a big issue for us, on the server
side.)

Barry Lynam


On 3/06/08 9:12 PM, "Chris Edwards" <chris at eng.gla.ac.uk> wrote:

> Hi,
> 
> We have a requirement to host around 20 HTTPS websites on a single server.
> 
> General wisdom is that HTTPS and name-based virtual hosts don't mix, as
> the server generally doesn't know which website is involved at the point
> it must present the cert.  Catch-22.  So, we'll probably end up doing
> IP-based virtual hosting, creating 20 IP addresses on the server (and
> another 20 on the DR server...).  However, we've also been looking to see
> if any there's any viable methods to avoid this...
> 
> One possibility might be "Server Name Indication" (RFC3546).  However this
> appears not widely supported at present.
> 
> A more realistic option appears to be the Subject Alternative Name
> (subjectAltName) certificate extension.  It appears we can get a single
> certificate which includes all the necessary hostnames, and serve it up
> from a regular name-based virtual host apache setup.  Since this cert
> validates all the websites, we'd simply serve it up in response to ALL
> requests, thus avoiding the catch-22.
> 
> I can see this method would be no use for ISPs, as certificates are
> generally obtained independently by individual ISP customers, who know
> nothing of the other customers hosted on the same server.  However, in our
> case, all the virtual websites are under the same management, and we know
> all the names in advance.  So this method looks plausible in our situation.
> 
> Has anyone ever done this in production ?  I'm mostly interested to know
> about the level of web browser support for subjectAltName.  Asking google
> seems to give a mixture of "all current browsers support it" and "most
> recent browsers support it", with the latter being a little less
> encouraging, as accessibility of the sites will be important to us.
> 
> Thanks for any clue!
> 
> --
> Chris Edwards
> IT Security, Computing Service
> University of Glasgow, charity number SC004401
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog
> 

--
Barry Lynam | Manager, IT Security | IT Services | QUT
Phone: +61 7 3138 9408 | Fax: +61 7 3138 2921
Postal: Level 12, 126 Margaret St | GPO Box 2434 | Brisbane QLD 4001 |
AUSTRALIA
Email: b.lynam at qut.edu.au | http://www.qut.edu.au/security/
CRICOS No 00213J   
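The check a browser performs when it receives the single multi-name certificate Chris describes is hostname matching against the subjectAltName dNSName (and iPAddress) entries, not the CN. The following is an added example, not code from either message in this thread: it implements that matching per RFC 6125 section 6.4.3 (case-insensitive labels, a wildcard only as the whole leftmost label covering exactly one label, IP literals matched only against iPAddress entries) and reports which configured virtual-host names a certificate would not cover. The SAN list and hostnames are constructed; a real client parses them out of the certificate extension, and the minimum-label rule for wildcards is an assumption standing in for the public-suffix rule.

```python
"""Match virtual-host names against a certificate's subjectAltName entries.

Added example for the unisog thread; the SAN list below is constructed to
mirror one certificate serving many name-based virtual hosts.
"""
import ipaddress

# Constructed SAN entries (type, value); real ones come from the extension.
SAN_ENTRIES = [
    ("dNSName", "www.example.ac.uk"),
    ("dNSName", "mail.example.ac.uk"),
    ("dNSName", "*.labs.example.ac.uk"),
    ("iPAddress", "192.0.2.10"),
]


def _match_dns_name(pattern: str, hostname: str) -> bool:
    """RFC 6125 6.4.3 matching of one dNSName pattern against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label and match exactly one
    # label; requiring at least three labels (assumption) rejects patterns
    # such as "*.uk" that would cover a public suffix.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_san(hostname: str, san_entries) -> bool:
    """True if the hostname is covered by a dNSName or iPAddress SAN entry.

    When a SAN extension is present, clients ignore the subject CN, so this
    is the whole of the name check. IP literals match only iPAddress
    entries; DNS names match only dNSName entries.
    """
    try:
        ip = ipaddress.ip_address(hostname.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "iPAddress" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "dNSName" and _match_dns_name(value, hostname):
            return True
    return False


def uncovered_vhosts(vhosts, san_entries):
    """Return the configured virtual-host names the certificate does not cover."""
    return [h for h in vhosts if not hostname_matches_san(h, san_entries)]


if __name__ == "__main__":
    # Constructed list of names served by the single Apache instance.
    vhosts = ["www.example.ac.uk", "mail.example.ac.uk",
              "wiki.labs.example.ac.uk", "shop.example.ac.uk"]
    for name in uncovered_vhosts(vhosts, SAN_ENTRIES):
        print(f"not covered by certificate: {name}")
```

Running the check against the Apache vhost list before deploying a new certificate is what catches the renewal that silently drops a name; the wildcard rule also explains why `*.labs.example.ac.uk` does not cover `labs.example.ac.uk` itself.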

