This article is from the Secure Sockets Layer Discussion List FAQ, by Shannon Appel SAppel@consensus.com with numerous contributions by others.
When establishing a secure connection in SSL, many SSL client
applications, including Netscape's Navigator, check the common name
of the certificate against the name of the site in the URL. If it
doesn't match, the client application warns the user. Thus the
preferred format for the common name of an SSL server is a simple DNS
name like "www.consensus.com".

To support multiple servers you can use round-robin DNS to send
each request for "www.consensus.com" to different IP addresses. As
Netscape Navigator does not check to see that the IP address matches
the original domain name (reverse-IP), this will work for each

Netscape's Navigator will also allow for some simple pattern
matching. Netscape has documented a number of different possibilities
in their SSL 2.0 Certificate Format web pages at:
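The client-side check described above, as an added example that is not part of the FAQ: a small Python hostname matcher that compares the host from the URL against the names in the server certificate. Rather than Netscape's pattern syntax, it implements the rule modern clients apply (RFC 6125 style): a case-insensitive exact match, plus a wildcard that may only stand for the entire left-most label and matches exactly one label. subjectAltName DNS entries are preferred and the subject common name is only a fallback. The certificate dicts are constructed to mimic what Python's ssl.getpeercert() returns. As the FAQ notes, the IP address the connection actually went to never enters the comparison, which is why round-robin DNS behind a single name works with one certificate.

```python
"""Check a URL's host against the names in an SSL server certificate.

Added example, not part of the FAQ. Matching rule (RFC 6125 style):
case-insensitive exact match against the certificate's DNS names, or a
wildcard that replaces only the whole left-most label ("*.consensus.com"
matches "www.consensus.com" but not "a.b.consensus.com" or
"consensus.com"). subjectAltName dNSName entries are used when present;
the subject commonName is only a fallback. The peer IP is never consulted.
"""
from urllib.parse import urlparse

# Constructed certificate dicts in the shape returned by ssl.getpeercert().
CERT_EXACT = {
    "subject": ((("commonName", "www.consensus.com"),),),
    "subjectAltName": (("DNS", "www.consensus.com"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.consensus.com"),),),
    "subjectAltName": (("DNS", "*.consensus.com"),),
}
CERT_CN_ONLY = {  # legacy certificate with no subjectAltName extension
    "subject": ((("commonName", "www.consensus.com"),),),
}
CERT_SAN_OVERRIDES_CN = {  # SAN present, so the commonName is ignored
    "subject": ((("commonName", "www.consensus.com"),),),
    "subjectAltName": (("DNS", "secure.consensus.com"),),
}


def cert_dns_names(cert):
    """Names a client may compare the host against, SAN first."""
    san = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    # No dNSName in the SAN: fall back to the subject's commonName.
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]


def name_matches(pattern, hostname):
    """True if the certificate name `pattern` covers `hostname`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, be the only wildcard,
    # and have at least two labels after it ("*.com" is rejected). It then
    # stands for exactly one label of the hostname.
    if (p_labels[0] != "*" or len(p_labels) < 3
            or any("*" in label for label in p_labels[1:])):
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches_cert(hostname, cert):
    """The name check an SSL client performs after the handshake."""
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def url_matches_cert(url, cert):
    """Take the host the user typed in the URL and check it against the cert."""
    host = urlparse(url).hostname
    return host is not None and hostname_matches_cert(host, cert)


if __name__ == "__main__":
    for url, cert, label in [
        ("https://www.consensus.com/", CERT_EXACT, "exact name"),
        ("https://mail.consensus.com/", CERT_WILDCARD, "wildcard, one label"),
        ("https://a.b.consensus.com/", CERT_WILDCARD, "wildcard, two labels"),
        ("https://www.consensus.com/", CERT_SAN_OVERRIDES_CN, "CN ignored, SAN present"),
    ]:
        verdict = "ok" if url_matches_cert(url, cert) else "WARN: name mismatch"
        print(f"{label:26} {url:30} {verdict}")
```

The mismatch branch is where a client such as Navigator would raise its warning; the wildcard restrictions are deliberately tighter than the Netscape patterns the FAQ mentions, since a wildcard covering several labels or sitting mid-label lets one certificate vouch for far more hosts than intended.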
Note, however, that none of these regular expression/pattern matching
choices are accepted by VeriSign. In the past they have accepted
server certificate common names with regular expressions, but these
are no longer allowed.

Other CAs may have different policies regarding use of regular
expressions in common names.