A customer of ours is trying to use one of these "new" "UCC" certs
that along with the primary name allow you to have multiple
Alternate names embedded in thm so you can have something like:
www.domain.com
www.domain.net
www.domain.org
all protected with the same certificate on the same IP address/port.
These types of certs are interesting in that they can be overall
cheaper in terms of money and complexity with IPs.
I got this type of certificate installed and tested.
I’ve tested GoDaddy’s version of this certificate that gives you a 5
name cert for $60/year on plain jane Apache under 10.4 client and it
works without issue. I have two different vhosts with different
ServerName directives and the SSL config under both simply use the
same SSL
Example. Assume I have a cert that I have based on mydomain.com as
the primary name and has the following names embedded in as Subject
Alternate Name extensions:
Also assume that I have two different facets of my web application.
The public facing side that is served by the .com and the admin/
extranet that is served under the .net variation. My Apache config
would look like so:
<VirtualHost *:443>
ServerName www.mydomain.net
ServerAdmin email@hidden
DocumentRoot “/www/mydomain-net/”
<IfModule mod_ssl.c>
SSLEngine On
SSLCertificateFile “/etc/httpd/ssl/mydomain-com.crt”
SSLCertificateKeyFile “/etc/httpd/ssl/mydomain-com.key”
SSLCertificateChainFile “/etc/httpd/ssl/gd_intermediate_bundle.crt”
</IfModule>
ServerAlias mydomain.net admin.mydomain.net
</VirtualHost>
notice the certificate files are the same for both vhosts and there
is no distinguishing between IP addresses on the VirtualHost
directive. Nice, clean, simple and it Just Works.
I’ve tested the certificate in the following browsers and none of
them complain at all:
IE 6, FF2, Camino 1.5, Safari 2/3, Opera 8.5
X.509 v3 has been around at least since 2002 so it should be well
supported.
Now, OS X Server should work exactly the same way as the underlying
Apache system pieces are the same. The only issue comes into play
with the way that ServerMgr handles storing certificates, their keys
and passphrases and how Apache integrates all of these items.
Using the Server Admin app, you will not be able to use one of these
certificates to secure two different Hosts that you enter as the host
name in Apache is used by the “getsslpassphrase” binary to locate the
certificate, private key, and password for the host in question to
start SSL.
Since the primary name of the certificate is NOT the name of this
secondary vhost, the loading process will fail. Any usage of this
type of certificate will require you to manually create whatever non-
primary VirtualHosts that would be setup to take advantage of these
additional names secure by the “UCC” cert.
In order to get these certificates to load you will need to remove
the passphrase from the key file so that Apache doesn't call the
getpassphrase and then fail.
the basic command for doing this is:
openssl rsa -in mydomain.key -out mydomain.key.open
For those who are use to working with OS X Server and doing something
a bit out of the ordinary, this should not be surprising.
