OpenSSL CERT - Multiple Domains (Common Names) in one CERT

 
Post new topic   Reply to topic    Sambar Forum Index -> How-to's & Documentation & Tips
View previous topic :: View next topic  
Author Message
gilbertv
Joined: 11 Jun 2004
Posts: 35

Posted: Mon 12 Feb '07 6:16    Post subject: OpenSSL CERT - Multiple Domains (Common Names) in one CERT

This issue has been in the How-To's for a while and it seems it is not complete:
www.apachelounge.com/sambar/viewtopic.php?t=4

I'm not sure anyone has had much success creating multiple VHost SSL certs, as I have tried over and over again, yet it does not seem to work very well, or as well as I had anticipated. Although following the example in another How-To:
www.apachelounge.com/sambar/viewtopic.php?t=7 (see quote below), this approach seems not to take full or proper advantage of the x509 version 3 standard.

Quote:
In the past, several people (including myself) have asked for a way to get Sambar Server to support multiple SSL certs, for servers that host more than one domain. But it turns out that SSL (x509 version 3, specifically) has built-in support for multiple domains per certificate!!

Just add the following line to your config/openssl.cnf file, in the [ v3_ca ] section:

subjectAltName = DNS:www.test.com,DNS:*.kensystem.com,DNS:*.etc.com

This line adds additional domains that browsers will validate a certificate against. Note the comma-separated-list format; it allows you to add as many or few as you want. As in the example, you can also use wildcard certs.

You need to re-create your certificate after adding that line to openssl.cnf, put the cert into your config/ dir, then restart your server.


I've verified that all modern browsers support this; Mozilla, Firebird, Safari, & IE. Theoretically, older software that uses SSL (email clients, etc) may not have support for this feature. It also does not provide a distinct cert based on IP address (the contemporary ssl binding method), but that's probably not going to be a problem for most of us.

Cheers,

ken


In my approach I found the following to be the best solution for my purposes, as the cert does not return any warnings after the cert is installed initially, and any VHOST (Mydomain.Com, Myotherdomain.Com) will load properly:

Multiple CommonNames in the same certificate

How can I generate a certificate for that?
Add the following into your openssl.cnf:

[ req_distinguished_name ]
0.commonName = Common Name (eg, YOUR name)
0.commonName_default = www.domain1.com
0.commonName_max = 64
1.commonName = Common Name (eg, YOUR name)
1.commonName_default = www.domain2.org
1.commonName_max = 64
2.commonName = Common Name (eg, YOUR name)
# only an example of a subdomain added to the SSL cert
2.commonName_default = shop.domain1.com
2.commonName_max = 64
3.commonName = Common Name (eg, YOUR name)
# example of a generic name
3.commonName_default = My Secure Internet Services
3.commonName_max = 64


What does such a certificate look like?

openssl x509 -in server.crt -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 63209 (0xf6e9)
Signature Algorithm: md5WithRSAEncryption
Issuer: O=Root CA, OU=http://www.cacert.org, CN=CA Cert Signing Authority/emailAddress=support@cacert.org
Validity
Not Before: Mar 6 03:06:42 2005 GMT
Not After : Mar 6 03:06:42 2007 GMT
Subject: CN=www.domain1.com, CN=www.domain2.com
----------------------

Save the openssl.cnf file.

1. Note: When running the Make-ssl batch file you do not need to enter any information for the common names, as the domain name will already appear in brackets (to the left), set as the default. Just hit the enter key and proceed to the next step after the last common name.

2. The last example, My Secure Internet Services, is a generic name and is also, purposely, the last entry. This is because I do not want any other domains to appear on the cert other than my business. The other domains will be included internally in the certificate.

So when a visitor goes to https://www.mydomain.com he/she will see a cert that needs to be installed with the name My Secure Internet Services instead of a cert with MyOtherDomainName.Com.

Hope this helps.

Please check the following source for complete article:
http://wiki.cacert.org/wiki/VhostTaskForce#head-661e90855b6b4285bbab272390bf7bbd639ed5d9


Gilbert Vargas
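The post above stacks host names into several CN attributes of the subject; the quoted post instead places them in subjectAltName. The following is an added example (not code from the forum post, from Sambar, or from OpenSSL) that models how a modern TLS client evaluates the names a certificate carries against the host name being connected to: subjectAltName DNS entries are authoritative whenever present, the subject CN is only a legacy fallback consulted when no DNS SAN exists, and a wildcard is accepted only as the whole left-most label and matches exactly one label. The two certificate dicts are constructed samples in the shape that Python's ssl.SSLSocket.getpeercert() returns; no real certificate is parsed, and the full-label-only wildcard rule is an assumption taken from common browser behaviour.

```python
"""Hostname-to-certificate name matching, as a TLS client performs it.

Added example, not code from the forum post. Certificate dicts are
constructed by hand in the shape returned by ssl.SSLSocket.getpeercert().
"""
from typing import List, Tuple


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate DNS name against a host name.

    Rules applied (assumption: full-label wildcards only, as browsers do):
      - comparison is case-insensitive and ignores a trailing dot
      - a wildcard must be the entire left-most label ('*.example.com')
      - a wildcard matches exactly one label, never zero or several
      - a bare '*' or a suffix-wide '*.com' is rejected outright
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # rejects '*', '*.com' and partial labels like 'f*.example.com'
    if any("*" in label for label in p_labels[1:]):
        return False  # wildcard allowed only in the left-most label
    if len(h_labels) != len(p_labels):
        return False  # '*.example.com' does not cover 'a.b.example.com'
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> List[str]:
    """DNS entries from the subjectAltName extension, in certificate order."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_common_names(cert: dict) -> List[str]:
    """Every commonName attribute in the subject, including stacked CNs."""
    return [value for rdn in cert.get("subject", ())
            for (attr, value) in rdn if attr == "commonName"]


def cert_matches_hostname(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (matched, reason) for a certificate and the host name dialled."""
    sans = san_dns_names(cert)
    if sans:
        for name in sans:
            if dns_name_matches(name, hostname):
                return True, f"matched subjectAltName DNS:{name}"
        return False, "no subjectAltName DNS entry matches (CN ignored because SAN is present)"
    # Legacy fallback, only reached when the certificate carries no DNS SAN.
    # Current browsers skip this step entirely.
    for cn in subject_common_names(cert):
        if dns_name_matches(cn, hostname):
            return True, f"matched legacy CN={cn} (no subjectAltName present)"
    return False, "no subjectAltName and no CN matches"


# Constructed sample 1: a descriptive CN, real host names in subjectAltName.
SAN_CERT = {
    "subject": ((("commonName", "My Secure Internet Services"),),),
    "subjectAltName": (("DNS", "www.domain1.com"), ("DNS", "*.domain2.org")),
}

# Constructed sample 2: the thread's approach, several stacked CNs and a
# trailing bare '*', with no subjectAltName at all.
MULTI_CN_CERT = {
    "subject": (
        (("commonName", "www.domain1.com"),),
        (("commonName", "www.domain2.org"),),
        (("commonName", "*"),),
    ),
}


if __name__ == "__main__":
    for label, cert in (("SAN cert", SAN_CERT), ("multi-CN cert", MULTI_CN_CERT)):
        for host in ("www.domain1.com", "shop.domain2.org", "a.b.domain2.org", "evil.example"):
            ok, why = cert_matches_hostname(cert, host)
            print(f"{label:14} {host:18} {'OK' if ok else 'NO'}  {why}")
```

Running it shows that the multi-CN sample only matches through the legacy CN fallback, and that the trailing `*` entry never matches anything, while the SAN sample matches `www.domain1.com` and one-label subdomains of `domain2.org`. Since current browsers (Chrome from version 58 onwards, for instance) do not consult the CN at all during name validation, a certificate whose host names exist only as stacked CNs fails validation there; carrying the names in subjectAltName, as the quoted post's openssl.cnf line does, is what today's clients check, and it can be combined with a single descriptive CN like the post's "My Secure Internet Services".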
gilbertv
Joined: 11 Jun 2004
Posts: 35

Posted: Mon 12 Feb '07 6:26    Post subject:

Forgot to mention a basic step: Shut down Sambar Server, then restart. This will load the new cert.

GV
holziusa
Joined: 08 Jun 2004
Posts: 221
Location: thanks4yourfeedback, donate to this site!!

Posted: Sat 21 Apr '07 22:59    Post subject:

hi gilbertv, great info

in addition to the above,

www.server.com
mail.server.com
anyvhost.server.com

can be replaced by using this: *.server.com

drawback: one can easily see the association among different vhosts,
not ideal in respect to anonymity.

is there a solution for vhost/ssl separation??


(-:
holziusa
Joined: 08 Jun 2004
Posts: 221
Location: thanks4yourfeedback, donate to this site!!

Posted: Mon 23 Apr '07 6:44    Post subject:

fyi:
if you use this as your last entry, it will kill the error in firefox 2.0

"commonName = *
commonName_default = *
commonName_max = 64"
hanifnoor
Joined: 13 Dec 2014
Posts: 1
Location: pakistan

Posted: Sat 13 Dec '14 9:15    Post subject:

one can easily see the association among different vhosts,
not ideal in respect to anonymity.


is there a solution for vhost/ssl separation??