A Day in the Life of #Apache
Subject:   Hmm. Perhaps I'm mistaken
Date:   2005-03-04 03:23:47
From:   Rich Bowen
Response to: Hmm. Perhaps I'm mistaken

The issue with wildcard SSL certs has always been one of browser support. And, it turns out, I was somewhat misinformed. It appears that all the latest versions of all the major browsers support wildcard certs, with one caveat.

Internet Explorer 6 only recognized one level of naming for the wildcard. That is, * will match, but will not match

And, of course, if you're not making the certs yourself, wildcard certs are considerably more expensive than regular ones.

Sorry for the misinformation.


  • Hmm. Perhaps I'm mistaken
    2005-03-04 14:08:54  CraigBuchek

    According to the RFC (2818 section 3.1, 4th paragraph), user agents are not supposed to accept more than 1 level of names.

    However, it also says that "more than one dNSName name" may be contained within a certificate, and "a match in any one of the set is considered acceptable". So that would seem to be the proper way to include multiple names in a single SSL certificate. However, I doubt that any browsers support that, or certificate generators for that matter. I could be wrong, but I couldn't find anything in Google on it.
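
The two RFC 2818 section 3.1 rules discussed in this thread (a wildcard covers a single name level, and a match against any one dNSName in the certificate is acceptable), written out as an added example that is not part of either post. The function names and the example.com / example.net names are constructed for illustration; the `f*` fragment case comes from the RFC text rather than from the thread.

```python
# Added example: hostname matching as described in RFC 2818 section 3.1.
# All host names and the SAN list below are constructed sample values.

def _label_matches(pattern: str, label: str) -> bool:
    """Match one DNS label against one pattern label; '*' never leaves the label."""
    if "*" not in pattern:
        return pattern == label
    if pattern.count("*") > 1:
        return False  # conservative choice: refuse labels with several wildcards
    prefix, suffix = pattern.split("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix)
            and label.endswith(suffix))


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Compare label by label, so '*.a.com' covers foo.a.com but not bar.foo.a.com."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False  # different depth: the wildcard does not span levels
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def cert_matches(dns_names: list[str], hostname: str) -> bool:
    """A match against any one dNSName in the certificate is acceptable."""
    return any(dnsname_matches(name, hostname) for name in dns_names)


# Constructed subjectAltName dNSName set for a single certificate.
SAMPLE_DNS_NAMES = ["*.example.com", "example.com", "www.example.net"]

if __name__ == "__main__":
    for host in ("www.example.com", "a.b.example.com", "example.com",
                 "www.example.net", "mail.example.net"):
        print(f"{host:20} {cert_matches(SAMPLE_DNS_NAMES, host)}")
```
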