[unisog] certificates with subjectAltName
Frank Bulk - iNAME
frnkblk at iname.com
Fri Jun 6 03:29:19 GMT 2008
We use this approach successfully for our Microsoft Exchange 2007 setup.
Google for "Unified Communications Certificates" to see what's out there.
Frank
-----Original Message-----
From: unisog-bounces at lists.dshield.org
[mailto:unisog-bounces at lists.dshield.org] On Behalf Of Chris Edwards
Sent: Tuesday, June 03, 2008 6:12 AM
To: unisog at lists.dshield.org
Subject: [unisog] certificates with subjectAltName
Hi,
We have a requirement to host around 20 HTTPS websites on a single server.
General wisdom is that HTTPS and name-based virtual hosts don't mix, as
the server generally doesn't know which website is involved at the point
it must present the cert. Catch-22. So, we'll probably end up doing
IP-based virtual hosting, creating 20 IP addresses on the server (and
another 20 on the DR server...). However, we've also been looking to see
if there are any viable methods to avoid this...
One possibility might be "Server Name Indication" (RFC3546). However this
appears not widely supported at present.
A more realistic option appears to be the Subject Alternative Name
(subjectAltName) certificate extension. It appears we can get a single
certificate which includes all the necessary hostnames, and serve it up
from a regular name-based virtual host apache setup. Since this cert
validates all the websites, we'd simply serve it up in response to ALL
requests, thus avoiding the catch-22.
I can see this method would be no use for ISPs, as certificates are
generally obtained independently by individual ISP customers, who know
nothing of the other customers hosted on the same server. However, in our
case, all the virtual websites are under the same management, and we know
all the names in advance. So this method looks plausible in our situation.
Has anyone ever done this in production? I'm mostly interested to know
about the level of web browser support for subjectAltName. Asking google
seems to give a mixture of "all current browsers support it" and "most
recent browsers support it", with the latter being a little less
encouraging, as accessibility of the sites will be important to us.
Thanks for any clue!
--
Chris Edwards
IT Security, Computing Service
University of Glasgow, charity number SC004401
_______________________________________________
unisog mailing list
unisog at lists.dshield.org
https://lists.sans.org/mailman/listinfo/unisog
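The thread's question is whether one certificate carrying all 20 hostnames in its subjectAltName extension will be accepted by browsers for every virtual host. What a browser actually does is match the requested hostname against the dNSName entries of that extension (ignoring the CN once any dNSName is present), with a wildcard allowed only as the whole leftmost label. The following script, added here as an illustration and not part of the original thread, implements that matching rule over a constructed certificate in the same dictionary shape Python's ssl.getpeercert() returns, and reports which planned virtual hosts the certificate would fail to cover. All hostnames and the IP address are placeholders.

```python
"""Check whether one certificate's subjectAltName list covers every
name-based virtual host on a server, using the hostname-matching rules
that browsers apply (RFC 2818 / RFC 6125 style)."""

# Constructed sample: a certificate in the dict layout that Python's
# ssl.getpeercert() produces, carrying a CN plus a subjectAltName
# extension. Every name here is a placeholder, not a real site.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.ac.uk"),),),
    "subjectAltName": (
        ("DNS", "www.example.ac.uk"),
        ("DNS", "library.example.ac.uk"),
        ("DNS", "*.labs.example.ac.uk"),
        ("IP Address", "192.0.2.10"),
    ),
}

# Constructed list of the virtual hosts the server is meant to serve.
PLANNED_VHOSTS = [
    "www.example.ac.uk",
    "library.example.ac.uk",
    "physics.labs.example.ac.uk",
    "mail.example.ac.uk",
]


def san_dns_names(cert):
    """Return only the dNSName entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, hostname):
    """Match hostname against one dNSName entry.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard
    is accepted only as the entire leftmost label and matches exactly one
    label, which is how browsers treat it; 'w*.example' or '*.*.example'
    style patterns are rejected outright.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first_label, _, rest = pattern.partition(".")
    if first_label != "*" or not rest or "*" in rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    # The wildcard must consume exactly one non-empty label.
    return host_first != "" and host_rest == rest


def cert_matches_hostname(cert, hostname):
    """True if the certificate is valid for hostname.

    Once the SAN extension carries any dNSName, the commonName is ignored
    entirely, as current browsers do; the CN is consulted only for
    legacy certificates with no dNSName at all.
    """
    names = san_dns_names(cert)
    if names:
        return any(dns_name_matches(name, hostname) for name in names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and dns_name_matches(value, hostname):
                return True
    return False


def uncovered_vhosts(cert, vhosts):
    """Return the virtual hosts the certificate would NOT validate."""
    return [host for host in vhosts if not cert_matches_hostname(cert, host)]


if __name__ == "__main__":
    missing = uncovered_vhosts(SAMPLE_CERT, PLANNED_VHOSTS)
    for host in PLANNED_VHOSTS:
        status = "NOT covered" if host in missing else "covered"
        print(f"{host:30s} {status}")
```

Running it against the constructed data shows mail.example.ac.uk as the only uncovered host, which is the check worth scripting before ordering the certificate: the list of names has to be complete at issuance, and any host added later needs a reissued certificate.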