[unisog] certificates with subjectAltName

Harry Hoffman hhoffman at ip-solutions.net
Wed Jun 4 16:00:52 GMT 2008


Hi Chris,

We do this internally and it works just fine. We've been using TinyCA to
generate and store the certificates.

Apache complains that using name based virtual hosting for SSL is a bad
idea at startup but we haven't seen any problems.

Since our CA is self-created/signed we've had to have users install the
CA. I can confirm once installed there are no issues on Windows (I.E. 6,
Opera, Firefox 2.x), Linux (Galeon, Firefox 2.x/3.x, I.E. 5.5/6.0,
Opera), Mac (Firefox 2.x).

Also, there are a few "professional" companies out there that will sign
certs with subjectAltNames for you.

Cheers,
Harry



On Tue, 2008-06-03 at 12:12 +0100, Chris Edwards wrote:
> Hi,
> 
> We have a requirement to host around 20 HTTPS websites on a single server.
> 
> General wisdom is that HTTPS and name-based virtual hosts don't mix, as 
> the server generally doesn't know which website is involved at the point 
> it must present the cert.  Catch-22.  So, we'll probably end up doing 
> IP-based virtual hosting, creating 20 IP addresses on the server (and 
> another 20 on the DR server...).  However, we've also been looking to see 
> if there are any viable methods to avoid this...
> 
> One possibility might be "Server Name Indication" (RFC3546).  However this 
> appears not widely supported at present.
> 
> A more realistic option appears to be the Subject Alternative Name 
> (subjectAltName) certificate extension.  It appears we can get a single 
> certificate which includes all the necessary hostnames, and serve it up 
> from a regular name-based virtual host apache setup.  Since this cert 
> validates all the websites, we'd simply serve it up in response to ALL 
> requests, thus avoiding the catch-22.
> 
> I can see this method would be no use for ISPs, as certificates are 
> generally obtained independently by individual ISP customers, who know 
> nothing of the other customers hosted on the same server.  However, in our 
> case, all the virtual websites are under the same management, and we know 
> all the names in advance.  So this method looks plausible in our situation.
> 
> Has anyone ever done this in production?  I'm mostly interested to know 
> about the level of web browser support for subjectAltName.  Asking google 
> seems to give a mixture of "all current browsers support it" and "most 
> recent browsers support it", with the latter being a little less 
> encouraging, as accessibility of the sites will be important to us.
> 
> Thanks for any clue!
> 
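The approach discussed in this thread rests on one question: does the single certificate's subjectAltName list actually cover every name a browser will ask for? The script below is an added illustration for the thread, not code from the list, from Apache or from TinyCA. It builds the `subjectAltName = DNS:...` line in the format OpenSSL's extension configuration uses, then applies the hostname-matching rules validators use (exact dNSName match, or a wildcard that replaces exactly one leftmost label) to a constructed sample SAN list and a constructed list of virtual-host names, reporting which vhosts the certificate would not cover. The names, the SAN list and the helper functions are all assumptions made for the example.

```python
"""Check that one subjectAltName certificate covers every name-based vhost.

Added example for the unisog thread above; not code from the list, Apache
or TinyCA. All hostnames and the SAN list are constructed sample data.
"""
from __future__ import annotations

from typing import List, Tuple

# Constructed sample: dNSName/iPAddress entries one certificate carries,
# written in the "DNS:name, IP:addr" notation OpenSSL uses for the
# subjectAltName extension in its config file.
SAMPLE_SAN = ("DNS:www.example.edu, DNS:mail.example.edu, "
              "DNS:*.labs.example.edu, IP:192.0.2.10")

# Constructed sample: the names Apache would serve under one vhost config.
SAMPLE_VHOSTS = [
    "www.example.edu",
    "mail.example.edu",
    "wiki.labs.example.edu",
    "deep.wiki.labs.example.edu",   # two labels under the wildcard: not covered
    "intranet.example.edu",         # simply missing from the SAN list
]


def san_config_line(vhosts: List[str]) -> str:
    """Render the OpenSSL extension line listing every vhost as a dNSName."""
    return "subjectAltName = " + ", ".join(f"DNS:{name}" for name in vhosts)


def parse_san(san: str) -> List[Tuple[str, str]]:
    """Split 'DNS:a, IP:b' into [('DNS', 'a'), ('IP', 'b')]."""
    entries = []
    for item in san.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip().upper(), value.strip().lower()))
    return entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Validator-style match: exact, or '*' as the whole leftmost label
    standing for exactly one label. '*.labs.example.edu' covers
    'a.labs.example.edu' but not 'labs.example.edu' or 'x.y.labs.example.edu';
    '*.edu' is refused because the wildcard would cover a whole public suffix."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers_host(san: str, hostname: str) -> bool:
    """True if any SAN entry matches the requested host (DNS or literal IP)."""
    for kind, value in parse_san(san):
        if kind == "DNS" and dns_name_matches(value, hostname):
            return True
        if kind == "IP" and value == hostname.strip().lower():
            return True
    return False


def uncovered_vhosts(san: str, vhosts: List[str]) -> List[str]:
    """Vhost names a browser would reject against this certificate."""
    return [v for v in vhosts if not cert_covers_host(san, v)]


if __name__ == "__main__":
    print(san_config_line(SAMPLE_VHOSTS))
    for name in uncovered_vhosts(SAMPLE_SAN, SAMPLE_VHOSTS):
        print("NOT covered:", name)
```

Running the check against the real certificate before deployment (the entries can be read from `openssl x509 -noout -text` output and pasted into the SAN string) catches the two failure modes that bite this setup: a name that was simply never added, and a name that sits one label too deep for a wildcard entry.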
