5.3) I am distributing load on several different web servers and I don't want to have to have a different certificate for each. How can I do this?




Description

This article is from the Secure Sockets Layer Discussion List FAQ, by Shannon Appel SAppel@consensus.com with numerous contributions by others.

When establishing a secure connection in SSL, many SSL client
applications, including Netscape Navigator, compare the common name
in the server's certificate against the host name in the URL. If the
two do not match, the client warns the user. The preferred form of a
server certificate's common name is therefore the plain DNS name of
the site, such as "www.consensus.com".

To put one certificate in front of several servers, use round-robin
DNS so that successive lookups of "www.consensus.com" return different
IP addresses, and install the same certificate (and therefore the same
private key) on every server in the pool. Netscape Navigator compares
only the host name from the URL against the common name; it does not
check that the address it actually connected to maps back to that name
(a reverse lookup), so the check passes no matter which server in the
round-robin answers. Bear in mind that sharing one private key across
all the servers means a compromise of any one of them exposes the key
used by all of them.

Netscape's Navigator will also allow for some simple pattern
matching. Netscape has documented a number of different possibilities
in their SSL 2.0 Certificate Format web pages at:
<http://home.netscape.com/newsref/std/ssl_2.0_certificate.html>
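The check the two paragraphs above describe, written out as an added example (this is not code from the FAQ or from Netscape): a client-side comparison of the URL host name against a certificate common name, with case-insensitive matching, a simple "*"-style pattern, and a simulated round-robin pool showing that the address the client lands on plays no part in the result. The pattern rule used here (a wildcard matches within one DNS label and never across a dot) is an assumption chosen for the example; Netscape's own pattern syntax is described on the page linked above.

```python
"""Host-name versus common-name check of the kind the FAQ describes.

Added example, not code from the FAQ or from Netscape. Wildcard rule:
"*" and "?" are shell-style wildcards confined to a single DNS label
(assumption for this example, not a statement of Netscape's syntax).
"""
import fnmatch
import ipaddress
from urllib.parse import urlsplit


def host_from_url(url: str) -> str:
    """Return the host part of a URL, lower-cased, without port or trailing dot."""
    host = urlsplit(url).hostname  # urlsplit already lower-cases and drops the port
    if host is None:
        raise ValueError(f"no host in URL: {url!r}")
    return host.rstrip(".")


def is_ip_literal(host: str) -> bool:
    """True if the host is a bare IPv4/IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def common_name_matches(host: str, common_name: str) -> bool:
    """Compare a URL host against a certificate common name.

    Rules applied (assumptions for this example):
      * comparison is case-insensitive
      * an IP literal in the URL must equal the CN exactly; no patterns
      * "*" / "?" in the CN match within one label only, so
        "*.consensus.com" matches "www.consensus.com" but not
        "consensus.com" or "a.www.consensus.com"
    The address the host resolves to is never consulted, which is why a
    round-robin DNS name can be served with a single certificate.
    """
    host = host.lower().rstrip(".")
    cn = common_name.lower().rstrip(".")
    if is_ip_literal(host) or not any(ch in cn for ch in "*?"):
        return host == cn
    host_labels = host.split(".")
    cn_labels = cn.split(".")
    if len(host_labels) != len(cn_labels):
        return False  # a pattern label never absorbs extra labels
    for h, c in zip(host_labels, cn_labels):
        if not h:
            return False  # empty label in the host name: reject
        if not fnmatch.fnmatchcase(h, c):
            return False
    return True


def url_accepted(url: str, common_name: str) -> bool:
    """The client-side decision: warn (False) or proceed (True)."""
    return common_name_matches(host_from_url(url), common_name)


def verify_across_pool(url: str, common_name: str, addresses: list[str]) -> dict[str, bool]:
    """Simulate a client being handed a different address on each connection.

    Every server in the pool presents the same certificate, so the result
    is identical for each address: the comparison only ever sees the host
    name from the URL.
    """
    host = host_from_url(url)
    return {addr: common_name_matches(host, common_name) for addr in addresses}


if __name__ == "__main__":
    # Constructed round-robin answer for the FAQ's example name.
    pool = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
    print(verify_across_pool("https://www.consensus.com/", "www.consensus.com", pool))
    print(url_accepted("https://www.consensus.com/", "*.consensus.com"))
    print(url_accepted("https://consensus.com/", "*.consensus.com"))
```

The pool addresses above are reserved documentation addresses, constructed for the example; nothing is resolved or connected to. Note that the last call is rejected: a pattern in the left-most label does not cover the bare domain, which is the sort of edge case a CA's policy on patterns (next paragraph) has to decide.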

Note, however, that none of these regular expression/pattern matching
choices are accepted by VeriSign. In the past VeriSign accepted server
certificate common names containing regular expressions, but these are
no longer allowed.

Other CAs may have different policies regarding use of regular
expressions in common names.
