Multiple certs on one server (was: Re: Firefox says Peer's Certificate has been revoked)
David Newman
dnewman at networktest.com
Wed Dec 22 08:18:37 MSK 2010
On 12/20/2010 05:03 PM, David J. wrote:
> On the topic of SSL;
>
> Is there any possible way to run multiple certs on one IP?
>
> I don't think this is possible as per the SPEC; But I am not an expert.
Me neither, but there's nothing wrong with this. The CN in a cert is
bound to a string such as a hostname, not to an IP address. (The string
could also be someone's name, or any other text, including an IP address
-- but as a text string). SSL works above the network layer and doesn't
care about L3 addressing.

So, if you've got multiple virtual hosts on a single IP address, you
have a couple of choices:

a. Use one cert per virtual host

b. Use one cert for all virtual hosts and chain them using the
subjectAltName parameter in openssl.cnf. This is what I did on the
server in the original post in this thread.

Here's a thread from a few years ago when I was getting (b) set up:
http://readlist.com/lists/openssl.org/openssl-users/0/4040.html

You can buy chained certs that do this from multiple registrars; I got
one from GoDaddy but concur with others' description about the GD web site.

dn
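As an added illustration of option (b), not David's own configuration or anything from the thread he links: a POSIX shell script that writes a minimal openssl.cnf with a subjectAltName section, issues a single self-signed certificate that lists several hostnames in that extension, and then checks which hostnames the resulting certificate actually covers. The hostnames (`www.example.test`, `mail.example.test`) and the temporary paths are constructed for the example; a real deployment would send the CSR to a CA rather than self-sign, but the config syntax is the same.

```shell
#!/bin/sh
# Added example (not from the original post): one certificate covering several
# virtual hosts via subjectAltName, built with the openssl CLI.
# Hostnames and paths below are constructed for demonstration.
set -eu

# write_san_config CFG HOST...
# Writes a minimal openssl.cnf: CN is the first host, every host becomes a
# DNS entry in the subjectAltName extension applied by "openssl req -x509".
write_san_config() {
    cfg="$1"; shift
    {
        printf '[req]\n'
        printf 'distinguished_name = dn\n'
        printf 'x509_extensions = v3_server\n'
        printf 'prompt = no\n\n'
        printf '[dn]\nCN = %s\n\n' "$1"
        printf '[v3_server]\nsubjectAltName = @alt_names\n\n'
        printf '[alt_names]\n'
        i=1
        for h in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$h"
            i=$((i + 1))
        done
    } > "$cfg"
}

# make_san_cert CFG KEY CRT
# Self-signs a certificate from the config (a real deployment would instead
# produce a CSR with "openssl req -new" and have a CA sign it).
make_san_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$2" -out "$3" -config "$1" >/dev/null 2>&1
}

# list_san_hosts CRT
# Prints every DNS name in the certificate's subjectAltName, one per line.
list_san_hosts() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cert_covers_host CRT HOST
# Exit 0 only if HOST is listed exactly (no wildcard matching attempted).
cert_covers_host() {
    list_san_hosts "$1" | grep -qxF "$2"
}

# Demonstration run: two virtual hosts sharing one certificate.
DEMO="$(mktemp -d)"
write_san_config "$DEMO/san.cnf" www.example.test mail.example.test
make_san_cert "$DEMO/san.cnf" "$DEMO/key.pem" "$DEMO/cert.pem"
echo "hostnames covered by $DEMO/cert.pem:"
list_san_hosts "$DEMO/cert.pem"
```

With such a certificate, every nginx `server` block for those hostnames points `ssl_certificate` and `ssl_certificate_key` at the same pair of files. The check function deliberately requires an exact SAN match, so it reports the failure mode the original poster hit (a name the certificate does not cover) rather than silently accepting it; browsers apply the same rule, ignoring the CN when a subjectAltName extension is present.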