Dynamic/Wildcard SSL certificates with SNI ?
Rainer Duffner
rainer at ultra-secure.de
Thu Jan 15 20:13:21 UTC 2015
> On 15.01.2015 at 20:50, Gabriel L. Somlo <gsomlo at gmail.com> wrote:
>
> Hi,
>
> I'm working on a "Web simulator" designed to serve a large number of
> web sites on a private, self-contained network, where I'm also in
> control of issuing SSL certificates.
>
> The relevant bits of my nginx.conf look like this:
>
> server {
>     listen 80 default_server;
>     server_name $http_host;
>     root /var/www/vservers/$http_host;
>     index index.html index.htm;
> }
>
> ssl_certificate_key /var/www/vserver_certs/vserver.key;
>
> server {
>     listen 443 default_server;
>     ssl on;
>     ssl_certificate /var/www/vserver_certs/vserver.cer;
>     server_name $http_host;
>     root /var/www/vservers/$http_host;
>     index index.html index.htm;
> }
>
>
> There is no consistency across the set of vserver host names (and
> therefore not much to be gained by using wildcards in the certificate
> common or alt name fields).
Just issue a certificate for *.*.* and always serve that.
At least, until the CAB-forum decides this is not a good idea and stops browsers from accepting it.
I think the above certificate should still be legal, but I’m not 100% sure.
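
Added example, not part of the original thread: a small checker for which host names a given set of certificate names covers, assuming a client that applies the RFC 6125 wildcard rules (a wildcard only as the whole left-most label, standing for exactly one label). The function names and the `.test` host names are constructed for illustration.

```python
# Added example: RFC 6125-style matching of certificate names against hosts.
# Assumption: "*" is honoured only as the entire left-most label and stands
# for exactly one label. Names below are illustrative, not from the thread.

def matches(pattern: str, hostname: str) -> bool:
    """Return True if the certificate name `pattern` covers `hostname`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so the label counts must agree,
    # and a host name with an empty label is malformed.
    if len(p_labels) != len(h_labels) or "" in h_labels:
        return False
    first, rest = p_labels[0], p_labels[1:]
    # "*" outside the left-most label is not treated as a wildcard.
    if any("*" in label for label in rest):
        return False
    if rest != h_labels[1:]:
        return False
    if first == "*":
        return True
    # Partial wildcards such as "w*" are rejected (conservative choice).
    if "*" in first:
        return False
    return first == h_labels[0]

def covered(san_names, hostname):
    """True if any name in the certificate covers the host."""
    return any(matches(name, hostname) for name in san_names)

# Constructed host names standing in for the vserver directory names.
VSERVERS = ["www.example.test", "shop.example.test",
            "intranet.corp.test", "a.b.c.test"]

def uncovered(san_names, hosts=VSERVERS):
    """List the hosts a client would reject for this certificate."""
    return [h for h in hosts if not covered(san_names, h)]

if __name__ == "__main__":
    candidates = (
        ["*.*.*"],
        ["*.example.test"],
        ["*.example.test", "intranet.corp.test", "a.b.c.test"],
    )
    for sans in candidates:
        print(sans, "-> not covered:", uncovered(sans))
```
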