Article:		A Day in the Life of #Apache
Subject:		Hmm. Perhaps I'm mistaken
Date:		2005-03-04 03:23:47
From:		Rich Bowen
Response to: Hmm. Perhaps I'm mistaken
The issue with wildcard SSL certs has always been one of browser support. And, it turns out, I was somewhat misinformed. It appears that all the latest versions of all the major browsers support wilcard certs, with one caveat. Internet Explorer 6 only recognized one level of naming for the wildcard. That is, *.example.com will match www.example.com, but will not match www.monkeys.example.com And, of course, if you're not making the certs yourself, wildcard certs are considerably more expensive than regular ones. Sorry for the misinformation.

Showing messages 1 through 3 of 3.

• Hmm. Perhaps I'm mistaken
  2005-03-04 14:08:54  CraigBuchek [View]
  
  
  According to the RFC (2818 section 3.1, 4th paragraph), user agents are not supposed to accept more than 1 level of names.
  

  
  However, it also says that "more than one dNSName name" may be contained within a certificate, and "a match in any one of the set is considered acceptable". So that would seem to be the proper way to include multiple names in a single SSL certificate. However, I doubt that any browsers support that, or certificate generators for that matter. I could be wrong, but I couldn't find anything in Google on it.

• Hmm. Perhaps I'm mistaken
  2005-03-22 13:24:17  Frank-van-Beek [View]
  
  
  I might have found a solution.
  
  On this page http://wiki.cacert.org/wiki/VhostTaskForce a couple of solutions are listed.
  
  By combining solutions #2 and #3 I was able to have multiple domains in one certificate. See the combined solution #4 on the same page. It's supported by most mayor browsers.
  
  
• Hmm. Perhaps I'm mistaken
  2005-08-17 09:33:07  ErikBrooks [View]
  
  
  Would you mind sharing which CA service you used and how many domains your certificate has? I am considering using this approach but would need ~20-30 domains included.