[unisog] certificates with subjectAltName
Mike Wiseman
mike.wiseman at utoronto.ca
Wed Jun 4 16:14:09 GMT 2008
I've been meaning to try one of these (I work in a central group that
resells commercial CA SSL/TLS certs to departments). The wildcard cert is
often used for this purpose but it only works for servers in a single DNS
level domain. The commercial CA we use, Comodo, sells two products that make
use of multiple DNS names in subjectAltName - one handles multiple values
(up to 100?) in subjectAltName, the other is intended to be used strictly in
a Microsoft Exchange environment (3 server DNS names).
Mike
Mike Wiseman
Computer Security Administration
Computing and Networking Services
University of Toronto
>
> Hi,
>
> We have a requirement to host around 20 HTTPS websites on a single
> server.
>
> General wisdom is that HTTPS and name-based virtual hosts don't mix, as
> the server generally doesn't know which website is involved at the point
> it must present the cert. Catch-22. So, we'll probably end up doing
> IP-based virtual hosting, creating 20 IP addresses on the server (and
> another 20 on the DR server...). However, we've also been looking to see
> if there are any viable methods to avoid this...
>
> One possibility might be "Server Name Indication" (RFC3546). However this
> appears not widely supported at present.
>
> A more realistic option appears to be the Subject Alternative Name
> (subjectAltName) certificate extension. It appears we can get a single
> certificate which includes all the necessary hostnames, and serve it up
> from a regular name-based virtual host apache setup. Since this cert
> validates all the websites, we'd simply serve it up in response to ALL
> requests, thus avoiding the catch-22.
>
> I can see this method would be no use for ISPs, as certificates are
> generally obtained independently by individual ISP customers, who know
> nothing of the other customers hosted on the same server. However, in our
> case, all the virtual websites are under the same management, and we know
> all the names in advance. So this method looks plausible in our situation.
>
> Has anyone ever done this in production? I'm mostly interested to know
> about the level of web browser support for subjectAltName. Asking google
> seems to give a mixture of "all current browsers support it" and "most
> recent browsers support it", with the latter being a little less
> encouraging, as accessibility of the sites will be important to us.
>
> Thanks for any clue!
>
> --
> Chris Edwards
> IT Security, Computing Service
> University of Glasgow, charity number SC004401
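The two points made in this thread, that a single subjectAltName certificate can cover every virtual host while a wildcard certificate covers only one DNS level, as an added example (not code from the list or from either poster), in standard-library Python. The function takes a certificate in the dict form that ssl.SSLSocket.getpeercert() returns; the hostnames under example.ac.uk and the four certificates are constructed for illustration and do not come from the thread.

```python
"""
Hostname matching against a server certificate's subjectAltName.

Input is the dict form returned by ssl.SSLSocket.getpeercert():
    {"subject": ((("commonName", "x.example"),),),
     "subjectAltName": (("DNS", "a.example"), ("DNS", "b.example"))}
Rules implemented (the ones browsers apply, per RFC 2818 / RFC 6125):
  * dNSName entries in subjectAltName are authoritative; when any are
    present the subject commonName is ignored.
  * commonName is used only as a fallback for a certificate with no
    dNSName entries.
  * A wildcard must be the whole leftmost label ("*.example.ac.uk") and
    matches exactly one label, so "*.example.ac.uk" covers
    www.example.ac.uk but not www.cs.example.ac.uk or example.ac.uk.
All certificates below are constructed for illustration; the hostnames
under example.ac.uk are assumed, not taken from the thread.
"""


def _candidate_names(cert):
    """Return the list of name patterns a verifier may match against."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    # Fallback only when the cert carries no dNSName at all.
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return [value]
    return []


def _pattern_matches(pattern, hostname):
    """Match one certificate name pattern against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # The wildcard must be the entire leftmost label and the only wildcard,
    # and patterns as short as "*.com" are refused.
    if plabels[0] != "*" or any("*" in lbl for lbl in plabels[1:]):
        return False
    if len(plabels) < 3:
        return False
    # One wildcard label covers exactly one hostname label, never zero or two.
    if len(hlabels) != len(plabels) or hlabels[0] == "":
        return False
    return hlabels[1:] == plabels[1:]


def match_hostname(cert, hostname):
    """True if the certificate is valid for hostname."""
    return any(_pattern_matches(p, hostname) for p in _candidate_names(cert))


def uncovered(cert, hostnames):
    """Hostnames from the list that the certificate does NOT cover."""
    return [h for h in hostnames if not match_hostname(cert, h)]


# Constructed sample data: 20 virtual hosts plus one two levels deep.
SITES = ["site%02d.example.ac.uk" % i for i in range(1, 21)] + ["www.cs.example.ac.uk"]

# One cert listing every virtual host in subjectAltName (the plan in the thread).
SAN_CERT = {
    "subject": ((("commonName", "site01.example.ac.uk"),),),
    "subjectAltName": tuple(("DNS", name) for name in SITES),
}

# A wildcard cert: covers a single DNS level only.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.ac.uk"),),),
    "subjectAltName": (("DNS", "*.example.ac.uk"), ("DNS", "example.ac.uk")),
}

# Older cert with no subjectAltName at all: commonName fallback applies.
CN_ONLY_CERT = {
    "subject": ((("commonName", "legacy.example.ac.uk"),),),
}

# commonName not repeated in the SAN list: it is ignored.
CN_NOT_IN_SAN_CERT = {
    "subject": ((("commonName", "admin.example.ac.uk"),),),
    "subjectAltName": (("DNS", "www.example.ac.uk"),),
}


if __name__ == "__main__":
    print("SAN cert leaves uncovered:", uncovered(SAN_CERT, SITES))
    print("wildcard cert leaves uncovered:", uncovered(WILDCARD_CERT, SITES))
    print("CN-only legacy host:", match_hostname(CN_ONLY_CERT, "legacy.example.ac.uk"))
    print("CN ignored when SAN present:", match_hostname(CN_NOT_IN_SAN_CERT, "admin.example.ac.uk"))
```

On a live connection the ssl module (OpenSSL underneath) performs this check itself when the context has check_hostname enabled and wrap_socket() is given server_hostname; that same server_hostname is what is sent as the SNI extension mentioned in the quoted message. The stdlib's own ssl.match_hostname() was removed in Python 3.12, so a small function like this is handy for inspecting a getpeercert() dict offline, for instance to confirm that a newly issued multi-name certificate really lists every virtual host before it goes into production.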
> _______________________________________________
> unisog mailing list
> unisog at lists.dshield.org
> https://lists.sans.org/mailman/listinfo/unisog