5.3) I am distributing load on several different web servers and I don't want to have to have a different certificate for each. How can I do this?
Description
This article is from the Secure Sockets Layer Discussion List FAQ, by Shannon Appel SAppel@consensus.com with numerous contributions by others.
5.3) I am distributing load on several different web servers and I don't want to have to have a different certificate for each. How can I do this?
When establishing a secure connection in SSL, many SSL clients
applications, including Netscape's Navigator, check the common name
of the certificate against the name of the site in the URL. If it
doesn't match, the client application warns the user. Thus the
preferred format of a common name of an SSL server is a simple DNS
name like "www.consensus.com".
To support multiple servers you can use a round-robin DNS to send
each request for "www.consensus.com" to different IP addresses. As
Netscape Navigator does not check to see that the IP address matches
the original domain name (reverse-IP), this will work for each
round-robin server.
Netscape's Navigator will also allow for some simple pattern
matching. Netscape has documented a number of different possibilities
in their SSL 2.0 Certificate Format web pages at:
<http://home.netscape.com/newsref/std/ssl_2.0_certificate.html>
Note, however, none of these regular expression/pattern matching
choices are accepted by VeriSign. In the past they have accepted
server certificate common names with regular expressions, but these
are no longer allowed.
Other CAs may have different policies regarding use of regular
expressions in common names.
Continue to:
My Books
