Kevin Murphy wrote:
I came across a couple "howto" articles for setting up one certificate that
will cover all virtual hosts on a web server... one static IP, one
certificate, multiple sites, lots of saved money!
One post did this using gnutls,
The articles both use the TLS Extension for Server Name Indication.
This is probably the best way, but afaik it is still not implemented in
all programs and I have never used it myself.
The more traditional solution is to use the subjectAltName extension in
your certificate. That means you set up multiple VHosts on one IP/Port
using one certificate.
Inside this certificate all hostnames are listed as subjectAltName
entries. (The same approach as mentioned by Sergio, but it is not
limited to wildcards.) To set this field you add a line to your
openssl.conf, like this:
subjectAltName = IP:10.1.2.3, DNS:www.example.net, DNS:mail.example.org, DNS:*.pool.example.org
CACert has a wiki page about this:
http://wiki.cacert.org/wiki/VhostTaskForce
Problems with this approach: it is not easy to change the hostnames
(always requires a new certificate) and by looking at the certificate
you can see who is sharing the server. That's usually not a problem if
you're hosting your personal and a LUG domain, but it's not suitable for
a large commercial Webhoster.
--
Martin
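An added example (not from Martin's post or from the OpenSSL project) that puts the subjectAltName line above into a minimal openssl config, issues a self-signed certificate from it, lists the SAN entries exactly as any client fetching the certificate sees them, and checks which hostnames the one certificate covers. It assumes the openssl CLI is installed; the hostnames and IP are constructed sample values.

```shell
#!/bin/sh
# Assumes the openssl CLI is on PATH; files go to a scratch directory.
WORKDIR="${WORKDIR:-$(mktemp -d)}"
# Minimal config carrying the post's subjectAltName line in an extension
# section that "openssl req -x509" applies (hostnames are constructed samples).
write_san_config() {
    cat > "$WORKDIR/san.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_san
prompt             = no
[ req_dn ]
CN = www.example.net
[ v3_san ]
subjectAltName = IP:10.1.2.3, DNS:www.example.net, DNS:mail.example.org, DNS:*.pool.example.org
EOF
}
# One key and one self-signed certificate for every vhost on the IP/port.
make_san_cert() {
    write_san_config
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$WORKDIR/san.cnf" \
        -keyout "$WORKDIR/key.pem" -out "$WORKDIR/cert.pem" >/dev/null 2>&1
}
# Print the SAN entries; any client fetching the certificate sees this line,
# which is why every hosted name is visible to everyone.
list_san() {
    openssl x509 -in "$WORKDIR/cert.pem" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
# Exit 0 if the DNS SANs cover "$1", else 1. A wildcard matches exactly one
# label, as browsers apply it; IP entries are not checked here.
san_covers() {
    host="$1"; rc=1
    set -f                      # keep "DNS:*.pool..." from globbing
    for entry in $(list_san | tr -d ','); do
        case "$entry" in
            "DNS:$host") rc=0 ;;
            "DNS:*."*)
                suffix="${entry#"DNS:*."}"
                case "$host" in
                    *.$suffix) case "${host%.$suffix}" in *.*) ;; *) rc=0 ;; esac ;;
                esac ;;
        esac
    done
    set +f
    return $rc
}
make_san_cert && list_san
```

Adding or dropping a vhost means editing the subjectAltName line and re-running the issuance, which is the "new certificate every time" cost the post describes.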
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org