I’m pleased to announce that we finally worked out the correct way to not only issue certificate requests with subjectAltName (SAN) extensions, but have certificates issued with the correct SAN extensions and this is important for a number of reasons. The reason it took so long to actually get this implemented correctly was due to the poor and misleading documentation for OpenSSL on the topic, as well as the fact that the proper extension in the RFC is dNSName and OpenSSL implemented it in configuration as DNS instead.
It would seem at first glance both MSIE and Firefox both support SANs correctly, so this means you can have multiple host names, even from completely separate domains and it will simply just work. We’re still working on setting up hosts for a full compliment of browser testing, but you’d have to assume other browsers for the most part should also support this feature.
The other thing of note is multiple commonNames are ignored on certificates, only the first one is accepted and used, so if you want to do anything other then wild cards, this is a tad limiting. Someone also sent me a short perl script that can be used to easily generate valid certificate requests with SAN extensions. I’m also contemplating ignoring multiple commonNames and just issuing certificates for the primary commonName, the commonName is ignored if any valid SAN extensions are on the certificate are present, so if you want to include the host you also have in the commonName this has to be also listed as a SAN (and I’m sure this will catch a few people out).
While this is useful for a single website with SSL, we’re not sure if apache or other server software will allow multiple vhost entries to share the same certificate and do all the handshaking properly, and neither apache nor mozilla browsers implement/use the TLS handshaking ability to utilise multiple certificates from multiple vhost entries. It’s also highly useful for mail servers that are known by multiple host names, such as having an interface on the inside of a corporate network, and also having an external interface.
We’ll keep our wiki page on this up to date as we learn more, or as new code gets added to browsers etc…
Good work Duane and co,
Does this sort out the issue of certs issued for vhost.example.com not working on http://www.vhost.example.com?
mod_gnutls aims to support TLS in Apache. If successful, it may well replace mod_ssl.
ben: it means I can have a certificate with cacert.org, *.cacert.org, cacert.net, *.cacert.net, cacert.com and *.cacert.com and it will all just simply work no matter which host name they connect to…