A Day in the Life of #Apache
Subject:   Hmm. Perhaps I'm mistaken
Date:   2005-02-23 14:56:16
From:   Rich Bowen
I could very well be mistaken. I'll investigate the issue of wildcard certs more thoroughly. I was under the impression that support for them was spotty.



  • Hmm. Perhaps I'm mistaken
    2005-03-04 03:23:47  Rich Bowen | O'Reilly Author

    The issue with wildcard SSL certs has always been one of browser support. And, it turns out, I was somewhat misinformed. It appears that all the latest versions of all the major browsers support wildcard certs, with one caveat.

    Internet Explorer 6 only recognized one level of naming for the wildcard. That is, * will match, but will not match

    And, of course, if you're not making the certs yourself, wildcard certs are considerably more expensive than regular ones.

    Sorry for the misinformation.
    • Hmm. Perhaps I'm mistaken
      2005-03-04 14:08:54  CraigBuchek

      According to the RFC (2818 section 3.1, 4th paragraph), user agents are not supposed to accept more than 1 level of names.

      However, it also says that "more than one dNSName name" may be contained within a certificate, and "a match in any one of the set is considered acceptable". So that would seem to be the proper way to include multiple names in a single SSL certificate. However, I doubt that any browsers support that, or certificate generators for that matter. I could be wrong, but I couldn't find anything in Google on it.
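Added example, not part of the thread: a minimal Python sketch of the two RFC 2818 section 3.1 rules cited in the comment above, namely that `*` matches only a single name component (or a fragment of one) and that a match against any one dNSName in the certificate is acceptable. The function names are hypothetical, and the hostnames are the RFC's own illustrations plus constructed `example.*` names.

```python
def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against a pattern label holding at most one '*'."""
    if not label:
        return False                      # empty labels never match
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False                      # ambiguous pattern: reject
    prefix, suffix = pattern.split("*")
    # '*' stands for the rest of this label only (component or fragment).
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix)
            and label.endswith(suffix))


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """RFC 2818 3.1 reading: '*' covers one component and never spans a dot."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                      # '*.a.com' cannot cover 'bar.foo.a.com'
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches(dns_names, hostname: str) -> bool:
    """A match against any one dNSName in the set is acceptable."""
    return any(dnsname_matches(name, hostname) for name in dns_names)


if __name__ == "__main__":
    # Constructed dNSName set: one exact name and one wildcard name.
    names = ["www.example.com", "*.example.org"]
    for host in ("www.example.com", "mail.example.org",
                 "a.mail.example.org", "example.org"):
        print(host, cert_matches(names, host))
```

This follows the wording of RFC 2818; the later RFC 6125 guidance is stricter about where a wildcard may appear.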

      • Hmm. Perhaps I'm mistaken
        2005-03-22 13:24:17  Frank-van-Beek

        I might have found a solution.

        On this page a couple of solutions are listed.

        By combining solutions #2 and #3 I was able to have multiple domains in one certificate. See the combined solution #4 on the same page. It's supported by most major browsers.

        • Hmm. Perhaps I'm mistaken
          2005-08-17 09:33:07  ErikBrooks

          Would you mind sharing which CA service you used and how many domains your certificate has? I am considering using this approach but would need ~20-30 domains included.