Women in Technology

Hear us Roar



Article:
  A Day in the Life of #Apache
Subject:   Hmm. Perhaps I'm mistaken
Date:   2005-02-23 14:56:16
From:   Rich Bowen
I could very well be mistaken. I'll investigate the issue of wildcard certs more thoroughly. I was under the impression that support for them was spotty.


--Rich

Full Threads Oldest First

Showing messages 1 through 4 of 4.

  • Hmm. Perhaps I'm mistaken
    2005-03-04 03:23:47  Rich Bowen | O'Reilly Author [View]

    The issue with wildcard SSL certs has always been one of browser support. And, it turns out, I was somewhat misinformed. It appears that all the latest versions of all the major browsers support wilcard certs, with one caveat.

    Internet Explorer 6 only recognized one level of naming for the wildcard. That is, *.example.com will match www.example.com, but will not match www.monkeys.example.com

    And, of course, if you're not making the certs yourself, wildcard certs are considerably more expensive than regular ones.

    Sorry for the misinformation.
    • Hmm. Perhaps I'm mistaken
      2005-03-04 14:08:54  CraigBuchek [View]

      According to the RFC (2818 section 3.1, 4th paragraph), user agents are not supposed to accept more than 1 level of names.


      However, it also says that "more than one dNSName name" may be contained within a certificate, and "a match in any one of the set is considered acceptable". So that would seem to be the proper way to include multiple names in a single SSL certificate. However, I doubt that any browsers support that, or certificate generators for that matter. I could be wrong, but I couldn't find anything in Google on it.

      • Hmm. Perhaps I'm mistaken
        2005-03-22 13:24:17  Frank-van-Beek [View]

        I might have found a solution.

        On this page http://wiki.cacert.org/wiki/VhostTaskForce a couple of solutions are listed.

        By combining solutions #2 and #3 I was able to have multiple domains in one certificate. See the combined solution #4 on the same page. It's supported by most mayor browsers.

        • Hmm. Perhaps I'm mistaken
          2005-08-17 09:33:07  ErikBrooks [View]

          Would you mind sharing which CA service you used and how many domains your certificate has? I am considering using this approach but would need ~20-30 domains included.