Currently the different browsers, servers and CAs all implement different and incompatible ways of using SSL certificates for several VHosts on the same server.

The VHost SSL Taskforce tries to reach an agreement between those approaches and to publish it as an RFC afterwards, so that all software vendors can settle on one way.

1. Way: SubjectAltName

> Hi Eric,
>
> I would like to know your position regarding Multiple SSL/TLS Vhosts on the
> same machine with the same IP Address. (Name-based).
>
> In RFC 2818 you have written:
>
>    Matching is performed using the matching rules specified by
>    [RFC2459].  If more than one identity of a given type is present in
>    the certificate (e.g., more than one dNSName name, a match in any one
>    of the set is considered acceptable.) Names may contain the wildcard
>    character * which is considered to match any single domain name
>    component or component fragment. E.g., *.a.com matches foo.a.com but
>    not bar.foo.a.com. f*.com matches foo.com but not bar.com.
>
> I would interpret it as if the solution for the problem is to have several
> identities (dNSName lines) in one certificate for the different DNS Names,
> and that the Browser has to accept any of them:
>
> dNSName: www.customer1.at
> dNSName: www.customer2.com
> dNSName: www.customer3.de
>
> Is that a correct interpretation?

That's certainly one possibility, and it's the only one that will
work with Name Based Virtual Hosts without the domain name extension
(not yet widely deployed).
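The RFC 2818 matching rules quoted above, worked through in code. This is an added example, not part of the original page or the taskforce's material: the identities a certificate carries (dNSName entries from subjectAltName, or commonName values when no dNSName is present) are checked against a requested host name, and all host names and patterns below are constructed sample data.

```python
"""RFC 2818 section 3.1 host-name matching (added example, constructed data)."""
import re


def rfc2818_pattern_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate identity against a host name.

    '*' matches any single label or fragment of a label: '*.a.com' matches
    'foo.a.com' but not 'bar.foo.a.com', and 'f*.com' matches 'foo.com' but
    not 'bar.com'. Comparison is case-insensitive; trailing dots are ignored.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans a dot, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        # Everything except '*' is literal; '*' becomes "any run of non-dot chars".
        regex = "[^.]*".join(re.escape(part) for part in p.split("*"))
        if re.fullmatch(regex, h) is None:
            return False
    return True


def certificate_accepts(identities, hostname: str) -> bool:
    """Decide whether a certificate is acceptable for `hostname`.

    `identities` is a list of (kind, value) pairs such as
    ("dNSName", "www.customer1.at") or ("commonName", "www.domain1.com").
    Per RFC 2818, dNSName entries are used when present and commonName only
    as a fallback; a match against any one identity of the set is enough.
    """
    dns_names = [v for kind, v in identities if kind == "dNSName"]
    common_names = [v for kind, v in identities if kind == "commonName"]
    candidates = dns_names if dns_names else common_names
    return any(rfc2818_pattern_matches(p, hostname) for p in candidates)


if __name__ == "__main__":
    # Way 1 from the page: several dNSName entries in one certificate.
    san_cert = [("dNSName", "www.customer1.at"),
                ("dNSName", "www.customer2.com"),
                ("dNSName", "www.customer3.de")]
    print(certificate_accepts(san_cert, "www.customer2.com"))      # True
    # Way 3: a regular expression in the CN is not interpreted, only
    # '*' is a wildcard, so this CN matches nothing a client would ask for.
    regex_cn = [("commonName", "(www|mail).futureware.at")]
    print(certificate_accepts(regex_cn, "www.futureware.at"))      # False
```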

How can I generate a certificate for that?

Add the following into your openssl.cnf:

[ req_distinguished_name ]
0.subjectAltName                =Alternativer Name 1
0.subjectAltName_default        =DNS:www.welservice.com
1.subjectAltName                =Alternativer Name 2
1.subjectAltName_default        =DNS:sig.cacert.at

What does such a certificate look like?

Host: 83.133.126.31 (provided by nox) [https://host1.way1.vhosts.cacert.org/] [https://host2.way1.vhosts.cacert.org/]

2. Way: Multiple CommonNames in the same certificate

How can I generate a certificate for that?

Add the following into your openssl.cnf:

[ req_distinguished_name ]
0.commonName                    = Common Name (eg, YOUR name)
0.commonName_default            = www.domain1.com
0.commonName_max                = 64
1.commonName                    = Common Name (eg, YOUR name)
1.commonName_default            = www.domain2.org
1.commonName_max                = 64

What does such a certificate look like?

openssl x509 -in server.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 63209 (0xf6e9)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
        Validity
            Not Before: Mar  6 03:06:42 2005 GMT
            Not After : Mar  6 03:06:42 2007 GMT
        Subject: CN=www.domain1.com, CN=www.domain2.com

3. Way: Regular Expressions as CommonName: (www|mail).futureware.at

4. Way: Multiple certificates in the certificate chain/graph

5. Way: TLS "server name indication".

Interoperability Test

||Vendor/App ||SubjectAltName ||Several CNs ||Regexp ||Several Certs ||TLS server name indication ||
||Testsystem1 ||[https://host1.way1.vhosts.cacert.org/ Host1/1] ||[https://host1.way2.vhosts.cacert.org/ Host1/2] ||[https://host1.way3.vhosts.cacert.org/ Host1/3] ||[https://host1.way4.vhosts.cacert.org/ Host1/4] ||[https://host1.way5.vhosts.cacert.org/ Host1/5] ||
||Testsystem2 ||[https://host2.way1.vhosts.cacert.org/ Host2/1] ||[https://host2.way2.vhosts.cacert.org/ Host2/2] ||[https://host2.way3.vhosts.cacert.org/ Host2/3] ||[https://host2.way4.vhosts.cacert.org/ Host2/4] ||[https://host2.way5.vhosts.cacert.org/ Host2/5] ||
||CAcert ||Yes ||Yes ||No || || ||
||Firefox ||No ||No ||Yes || || ||
||Konqueror ||Yes ||Yes ||No || || ||
||IE ||Yes ||Yes ||No || || ||
||Opera || || || || || ||
||Safari || || || || || ||