
How to include multiple common names in a single SSL certificate?


Ralph

Aug 26, 2004, 9:45:20 AM
Hello list members,

I'm trying to set up an Apache 2 based web server for multiple name
based virtual hosts. As it is not possible with mod_ssl to have a
separate SSL certificate file for each virtual host, I'd like to
create a single certificate file with multiple CN entries, i.e.:

CN #1: www.domain1.org
CN #2: www.domain2.net
CN #3: www.domain3.com

I checked the mailing list archives and found a thread mentioning
multiple CN entries, i.e. in this message by Stephen Henson:
<http://marc.theaimsgroup.com/?l=openssl-users&m=108863949314709&w=2>

However, I failed to find an example or howto-document which describes
the required actions step by step. I tried to modify openssl.cnf:

[ req_distinguished_name ]
commonName_default = www.domain1.org
0.CN=www.domain2.net
1.CN=www.domain3.com

Unfortunately, the CSR file only contains www.domain3.com as the
common name and does not mention the two other CNs at all.

Where can I find detailed information on how to include multiple
common names in a SSL certificate file? All pointers are welcome.

Thanks for your help,
Ralph
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org

Dr. Stephen Henson

Aug 27, 2004, 2:00:27 PM
On Thu, Aug 26, 2004, Ralph wrote:

> Hello list members,
>
> I'm trying to set up an Apache 2 based web server for multiple name
> based virtual hosts. As it is not possible with mod_ssl to have a
> separate SSL certificate file for each virtual host, I'd like to
> create a single certificate file with multiple CN entries, i.e.:
>
> CN #1: www.domain1.org
> CN #2: www.domain2.net
> CN #3: www.domain3.com
>
> I checked the mailing list archives and found a thread mentioning
> multiple CN entries, i.e. in this message by Stephen Henson:
> <http://marc.theaimsgroup.com/?l=openssl-users&m=108863949314709&w=2>
>
> However, I failed to find an example or howto-document which describes
> the required actions step by step. I tried to modify openssl.cnf:
>
> [ req_distinguished_name ]
> commonName_default = www.domain1.org
> 0.CN=www.domain2.net
> 1.CN=www.domain3.com
>
> Unfortunately, the CSR file only contains www.domain3.com as the
> common name and does not mention the two other CNs at all.
>
> Where can I find detailed information on how to include multiple
> common names in a SSL certificate file? All pointers are welcome.
>

I've just tried something similar and get 3 CNs in the PKCS#10 certificate
request.

*However* looking through the code for the 'ca' utility seems to suggest it
will zap all but the first commonName entry with the current policy code. You
can work round that with the "preserve" config file option or the -preserveDN
command line option.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk

Charles B Cranston

Aug 27, 2004, 7:37:28 PM
Ralph wrote:

> Hello list members,

> I'm trying to set up an Apache 2 based web server for multiple name
> based virtual hosts. As it is not possible with mod_ssl to have a

> separate SSL certificate file for each virtual host...

Actually, you can, but they have to have separate IP addresses.
(Requiring the server host to be multi-homed...)

This is because the software tries to put the link into secure mode
BEFORE the client can tell the server WHICH virtual host it is
looking for. Since the server doesn't know which virtual host is
being requested, it cannot select the correct certificate to present.

However, if each virtual host has a separate IP address, the server
knows which one, so it can select the specific certificate for that
particular virtual host.

So, our motto is, if you want a secure virtual host, you have to have
your own IP address.

---

Even if you could make a certificate with multiple names in it,
how do you convince Apache that it belongs to all those virtual hosts?

Can you just put it into every configuration section and have it
fall out? How does Apache even decide which configuration section
to look in?

--
Charles B (Ben) Cranston
mailto: zb...@umd.edu
http://www.wam.umd.edu/~zben

Ralph

Aug 28, 2004, 9:17:41 AM
Charles B Cranston wrote:

> > I'm trying to set up an Apache 2 based web server for multiple
> > name based virtual hosts. As it is not possible with mod_ssl to
> > have a separate SSL certificate file for each virtual host...
>
> Actually, you can, but they have to have separate IP addresses.
> (Requiring the server host to be multi-homed...)

As I wrote, I was talking about multiple name based (!) virtual hosts,
and the mod_ssl FAQ states that you can't have a separate SSL cert file
for each of them <http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47>. I
know that multiple IP based virtual hosts are a different matter, but
unfortunately I only have one IP address available for the host in
question.

What I am trying to achieve is that this single host uses one cert which
includes multiple CNs, so that given the following DNS entries

www.domain1.org. IN A 123.234.123.234
www.domain2.net. IN A 123.234.123.234
www.domain3.com. IN A 123.234.123.234

users can access the server via

https://www.domain1.org/
https://www.domain2.net/
https://www.domain3.com/

without a warning about the URL host name not matching the certificate
common name. I know that with mod_ssl all three URLs will result in the
same web page to be displayed, but that is acceptable in this special
case where a couple of domains are to be mapped to one single web site.

Stephen Henson's suggestion allowed me to create and sign a certificate
including multiple CNs. Using the Internet Explorer, any of the above
URLs are accepted without a warning. With Mozilla and Mozilla Firefox,
however, only the first available CN in the certificate is matched
against the URL host name. If there is a way to alter this behaviour,
I'd be glad to hear how, but as I wrote before, there are other mailing
lists probably better suited for this matter. Of course, if you know how
to persuade Mozilla/Firefox to not display their warnings, please do
speak up here! ;-)

Ralph

Dr. Stephen Henson

Aug 28, 2004, 12:00:19 PM
On Sat, Aug 28, 2004, Ralph wrote:

> Charles B Cranston wrote:
>
> > > I'm trying to set up an Apache 2 based web server for multiple
> > > name based virtual hosts. As it is not possible with mod_ssl to
> > > have a separate SSL certificate file for each virtual host...
> >
> > Actually, you can, but they have to have separate IP addresses.
> > (Requiring the server host to be multi-homed...)
>
> As I wrote, I was talking about multiple name based (!) virtual hosts,
> and the mod_ssl FAQ states that you can't have a separate SSL cert file
> for each of them <http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47>. I
> know that multiple IP based virtual hosts are a different matter, but
> unfortunately I only have one IP address available for the host in
> question.
>

Well not at present you can't. With TLS extensions this will be possible but
currently OpenSSL doesn't support them and very few browsers do either.

> What I am trying to achieve is that this single host uses one cert which
> includes multiple CNs, so that given the following DNS entries
>
> www.domain1.org. IN A 123.234.123.234
> www.domain2.net. IN A 123.234.123.234
> www.domain3.com. IN A 123.234.123.234
>
> users can access the server via
>
> https://www.domain1.org/
> https://www.domain2.net/
> https://www.domain3.com/
>
> without a warning about the URL host name not matching the certificate
> common name. I know that with mod_ssl all three URLs will result in the
> same web page to be displayed, but that is acceptable in this special
> case where a couple of domains are to be mapped to one single web site.
>
> Stephen Henson's suggestion allowed me to create and sign a certificate
> including multiple CNs. Using the Internet Explorer, any of the above
> URLs are accepted without a warning. With Mozilla and Mozilla Firefox,
> however, only the first available CN in the certificate is matched
> against the URL host name. If there is a way to alter this behaviour,
> I'd be glad to hear how, but as I wrote before, there are other mailing
> lists probably better suited for this matter. Of course, if you know how
> to persuade Mozilla/Firefox to not display their warnings, please do
> speak up here! ;-)
>

With the disclaimer that I haven't tried this...

Try adding multiple subjectAltName extensions with the option "DNS". This is
the official way to indicate a hostname; putting it in CN is just for
compatibility with legacy applications.

Please post the results.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
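Steve's suggestion carried through from config file to finished certificate, as an added example (not code from the thread or from the OpenSSL project): a complete openssl.cnf with the served names in one subjectAltName value, a self-signed certificate produced from it with `openssl req -x509`, and OpenSSL's own identity check (`openssl x509 -checkhost`, available from 1.0.2) run over each name. The `openssl` binary must be on PATH; the section names `dn` and `v3_req`, the file names and the Python function names are this example's own choices, and the host names are the ones from the thread. The second run issues a certificate whose CN is absent from the SAN, to show what "CN is just for legacy compatibility" means in practice: once any dNSName is present the CN is not consulted at all.

```python
"""Issue a certificate whose identities live in subjectAltName and let the
openssl command line report how it is read back. Added example, not from the
thread or the OpenSSL project; needs the `openssl` binary on PATH (1.0.2 or
newer for -checkhost)."""
import os
import re
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional, Tuple

# The three names the single-IP host serves, as given in the thread.
SERVED_NAMES = ["www.domain1.org", "www.domain2.net", "www.domain3.com"]


def write_openssl_cnf(path: str, cn: str, dns_names: List[str]) -> None:
    """Write a minimal openssl.cnf (section names are this example's own)."""
    san = ",".join("DNS:" + n for n in dns_names)
    cfg = f"""[ req ]
# 'req -x509' (self-signed) reads extensions from x509_extensions, a plain
# CSR reads them from req_extensions; point both at the same section.
distinguished_name = dn
x509_extensions    = v3_req
req_extensions     = v3_req
prompt             = no

[ dn ]
CN = {cn}

[ v3_req ]
# Every name goes into one subjectAltName value; a bare line break ends it.
subjectAltName = {san}
"""
    with open(path, "w") as fh:
        fh.write(cfg)


def make_self_signed(workdir: str, cn: str, dns_names: List[str]) -> str:
    """Generate key.pem and a 30-day self-signed cert.pem in WORKDIR from the
    config above; returns the certificate path."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl binary not found on PATH")
    cnf = os.path.join(workdir, "openssl.cnf")
    key = os.path.join(workdir, "key.pem")
    cert = os.path.join(workdir, "cert.pem")
    write_openssl_cnf(cnf, cn, dns_names)
    subprocess.run(
        ["openssl", "req", "-new", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-days", "30", "-config", cnf, "-keyout", key, "-out", cert],
        check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return cert


def cert_identities(cert_path: str) -> Tuple[Optional[str], List[str]]:
    """Read the CN and the dNSName entries back out of 'openssl x509 -text'."""
    text = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-text"],
        check=True, capture_output=True, text=True).stdout
    cn_match = re.search(r"^\s*Subject:.*?CN\s*=\s*([^,\n]+)", text, re.M)
    cn = cn_match.group(1).strip() if cn_match else None
    # The SAN value is printed on the line after its heading.
    san_match = re.search(r"Subject Alternative Name:[^\n]*\n\s*(.+)", text)
    sans = re.findall(r"DNS:([^,\s]+)", san_match.group(1)) if san_match else []
    return cn, sans


def openssl_check_host(cert_path: str, hostname: str) -> bool:
    """Ask OpenSSL's verifier (X509_check_host) whether HOSTNAME is an
    identity of the certificate. Output is either
    'Hostname X does match certificate' or 'Hostname X does NOT match certificate'."""
    out = subprocess.run(
        ["openssl", "x509", "-in", cert_path, "-noout", "-checkhost", hostname],
        check=True, capture_output=True, text=True).stdout
    return "does match certificate" in out


def issue_and_check(cn: str, dns_names: List[str]) -> Tuple[Optional[str], List[str], Dict[str, bool]]:
    """Issue a certificate for CN plus DNS_NAMES in a scratch directory and
    report (cn_in_cert, dns_names_in_cert, {hostname: accepted?}) for every
    listed name and for the CN itself."""
    hosts = list(dict.fromkeys(list(dns_names) + [cn]))
    with tempfile.TemporaryDirectory() as workdir:
        cert = make_self_signed(workdir, cn, list(dns_names))
        found_cn, found_sans = cert_identities(cert)
        verdicts = {h: openssl_check_host(cert, h) for h in hosts}
    return found_cn, found_sans, verdicts


if __name__ == "__main__":
    # Dummy CN, every served name in the SAN: all three are accepted.
    print(issue_and_check("foo.domain1.org", SERVED_NAMES))
    # CN present but missing from the SAN: www.domain1.org is rejected.
    print(issue_and_check("www.domain1.org", SERVED_NAMES[1:]))
```

Two points a practitioner will want from the output: a name that appears only in the CN is rejected as soon as the certificate carries any dNSName, so every served name must be in the SAN; and if the certificate is later issued by `openssl ca` from a CSR rather than self-signed, that CA's own config needs `copy_extensions = copy`, otherwise the subjectAltName in the request is silently dropped.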

Ralph Seichter

Aug 29, 2004, 9:56:47 AM
Dr. Stephen Henson wrote:

> Try adding multiple subjectAltName extensions with the option "DNS".
> This is the official way to indicate a hostname; putting it in CN is
> just for compatibility with legacy applications.

I added the following options to /etc/ssl/openssl.cnf:

commonName_default = www.domain1.org
subjectAltName = DNS:www.domain2.net,DNS:www.domain3.com

and I am getting an interesting error message by Mozilla Firefox.
When I try to connect to https://www.domain1.org/, Firefox tells me
that it expects a certificate for "www.domain1.org" and receives a
cert for "www.domain1.org". The host names in the error message are
identical, but Firefox is complaining anyway. :-)

When I change openssl.cnf settings to look like this

commonName_default = foo.domain1.org
subjectAltName = DNS:www.domain1.org,DNS:www.domain2.net,DNS:www.domain3.com

the URLs can be accessed using Firefox without any error messages. One could
guess that Firefox matches against CN if no DNS is available, and
against DNS without looking at CN if DNS is available. Should this
be considered being the correct behaviour?

--
Mit freundlichen Grüßen / Yours sincerely
Dipl. Inform. Ralph Seichter

Dr. Stephen Henson

Aug 29, 2004, 11:56:39 AM
Other than the incorrect error message that's how it should behave. This is
described in RFC2818.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
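The rule Ralph inferred and Steve confirms, written out as the identity check of RFC 2818, section 3.1, so the two certificates from the thread can be evaluated offline. This is an added example, not code from the thread, from Mozilla or from OpenSSL; the `CertNames` structure and the function names are this example's own, and the reading that a wildcard must match at least one character is an interpretation, since the RFC does not spell it out. It reproduces why the first configuration left Firefox rejecting www.domain1.org even though the CN carried exactly that name, and why the second configuration was accepted for all three.

```python
"""Server identity check as specified by RFC 2818, section 3.1.
Added example (not from the thread): the rule Mozilla applied, written out
so the two certificates Ralph tried can be checked offline."""
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """The identity-bearing fields of a server certificate. Constructed by
    hand here; a real client extracts them from the parsed X.509."""
    common_name: Optional[str]
    dns_sans: List[str] = field(default_factory=list)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with the URI host.

    RFC 2818: matching is case-insensitive, and '*' matches any single
    domain name component or component fragment, so '*.a.com' matches
    'foo.a.com' but not 'bar.foo.a.com', and 'f*.com' matches 'foo.com'
    but not 'bar.com'. The wildcard is required to match at least one
    character (an interpretation chosen here; the RFC does not say).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Each '*' becomes "one or more characters other than a dot", which
    # confines it to a single label.
    regex = "[^.]+".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, hostname) is not None


def hostname_matches(cert: CertNames, hostname: str) -> bool:
    """RFC 2818, section 3.1: if a subjectAltName extension with dNSName
    entries is present it MUST be used as the identity and the Common Name
    is not consulted at all. Only a certificate without any dNSName falls
    back to the (single, most specific) CN."""
    if cert.dns_sans:
        return any(dns_name_matches(n, hostname) for n in cert.dns_sans)
    if cert.common_name is None:
        return False
    return dns_name_matches(cert.common_name, hostname)


# The three names the single-IP host serves, as given in the thread.
SERVED = ["www.domain1.org", "www.domain2.net", "www.domain3.com"]

# Ralph's first SAN attempt: CN carries domain1, the SAN only the other two.
FIRST_ATTEMPT = CertNames("www.domain1.org", ["www.domain2.net", "www.domain3.com"])
# Ralph's second attempt: a dummy CN and every served name in the SAN.
SECOND_ATTEMPT = CertNames("foo.domain1.org", list(SERVED))
# A legacy certificate with no SAN at all, the case the CN fallback exists for.
CN_ONLY = CertNames("www.domain1.org")


def check_all(cert: CertNames, hosts=tuple(SERVED)) -> dict:
    """Map every served hostname to whether CERT is accepted for it."""
    return {h: hostname_matches(cert, h) for h in hosts}


if __name__ == "__main__":
    for label, cert in [("first attempt", FIRST_ATTEMPT),
                        ("second attempt", SECOND_ATTEMPT),
                        ("CN only", CN_ONLY)]:
        print(label, check_all(cert))
```

The fallback clause names a single Common Name, which is also why a certificate stuffed with several CN attributes, as in the earlier attempt, is only ever matched against one of them by a client that follows the RFC.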

Charles Cranston

Aug 29, 2004, 12:32:45 PM
Hmm, it's been 10 years since I worked for the networking group
here, and we used to use the term "multi-homed" to describe
deviation from the old "one machine, one IP address" paradigm.

But I guess I don't really know which of the following four
situations "multi-homed" really refers to:

1. Having multiple IP addresses (the sense in which I used it)
without reference to the actual hardware situation

2. Having multiple logical interfaces, all going through one
physical interface (might be identical to 1?)

3. Having multiple physical interfaces all of which are
connected to the same physical net (perhaps for reliability
or load balancing?)

4. Having multiple interfaces which are connected to different
networks (in this case and only this case routing is a
non-trivial concern).

Yes, I did miss the "name-based" in the original posting.
Mea culpa.

Ng Pheng Siong wrote:

> On Fri, Aug 27, 2004 at 07:36:30PM -0400, Charles B Cranston wrote:
>
>> Actually, you can, but they have to have separate IP addresses.
>> (Requiring the server host to be multi-homed...)
>
> Nit: You can configure multiple IP addresses on a single interface.

--

Charles B. (Ben) Cranston
mailto:zb...@umd.edu
http://www.wam.umd.edu/~zben

Ralph Seichter

Aug 29, 2004, 6:18:43 PM
Olaf Gellert wrote:

> You may notice that this is not really a desired configuration. What
> you actually are trying to do is to cheat the user:

Well, "cheating" is a tad harsh. ;-) All three URLs lead to the same
page, which shows several links to allow the user to pick his final
target.

I agree, however, that this configuration is far from optimal. I'd
rather avoid it altogether, but I'm trying to find ways to satisfy
different customers using one single server (with one IP address) as
an entry point for their domains. :-/

--
Mit freundlichen Grüßen / Yours sincerely
Dipl. Inform. Ralph Seichter
