Kevin Murphy wrote:
I came across a couple "howto" articles for setting up one certificate that
will cover all virtual hosts on a web server... one static IP, one
certificate, multiple sites, lots of saved money!

One post did this using gnutls,

The articles both use the TLS Extension for Server Name Indication.
This is probably the best way, but afaik it is still not implemented in all programs and I have never used it myself.

The more traditional solution is to use the subjectAltName extension in your certificate. That means you set up multiple VHosts on one IP/Port using one certificate. Inside this certificate all hostnames are listed as subjectAltName entries. (The same approach as mentioned by Sergio, but it is not limited to wildcards.) To set this field you add a line to your openssl.conf, like this: subjectAltName = IP:10.1.2.3, DNS:www.example.net, DNS:mail.example.org, DNS:*.pool.example.org

CACert has a wiki page about this:
http://wiki.cacert.org/wiki/VhostTaskForce

Problems with this approach: it is not easy to change the hostnames (always requires a new certificate) and by looking at the certificate you can see who is sharing the server. That's usually not a problem if you're hosting your personal and a LUG domain, but it's not suitable for a large commercial Webhoster.

--
Martin

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
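An added example, not part of the thread: the subjectAltName setup Martin describes, carried through with the OpenSSL command line. It writes the config fragment with his exact subjectAltName line, issues a self-signed certificate (the file names, the self-signed issuance and the CN are assumptions for the example) and then checks which hostnames the certificate actually covers, including where the single-label wildcard stops matching.

```shell
#!/bin/sh
# Added example for the one-certificate, many-hostnames approach (not from the
# original thread). Hostnames are the ones in Martin's subjectAltName line.
set -e

# Minimal OpenSSL config with the subjectAltName extension. The file name,
# the self-signed issuance and the CN are assumptions for this example.
write_san_config() {
    cat > "$1/san.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[ dn ]
CN = www.example.net

[ v3_san ]
basicConstraints = CA:FALSE
subjectAltName   = IP:10.1.2.3, DNS:www.example.net, DNS:mail.example.org, DNS:*.pool.example.org
EOF
}

# Create a throwaway key and self-signed certificate in directory $1.
make_san_cert() {
    write_san_config "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$1/key.pem" -out "$1/cert.pem" -config "$1/san.cnf" >/dev/null 2>&1
}

# Return 0 if certificate $1 is valid for hostname $2, 1 otherwise.
# -checkhost applies the same SAN matching rules a TLS client uses.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match"
}

# Print the SAN list: every shared hostname is visible to anyone who fetches
# the certificate, which is the disclosure concern raised in the reply.
show_san() {
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name'
}

main() {
    tmp=$(mktemp -d)
    make_san_cert "$tmp"
    show_san "$tmp/cert.pem"
    for h in www.example.net mail.example.org foo.pool.example.org \
             deep.foo.pool.example.org other.example.net; do
        if cert_covers_host "$tmp/cert.pem" "$h"; then echo "covered:     $h"
        else echo "not covered: $h"; fi
    done
    rm -rf "$tmp"
}
main "$@"
```

Adding a hostname means editing san.cnf and reissuing the certificate, which is the "always requires a new certificate" cost Martin mentions.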
