• Status: Solved

SSL Certificates and SNI question

I have a webserver I would like to deploy with multiple SSL certificates installed for a number of different domains.

Currently I have it working with a distinct certificate for each domain needing to be secured (currently 2). My problem is when connections are made from Internet Explorer clients running Windows XP. Since these OS/browser combinations do not support SNI, the browser rightfully throws a certificate mismatch error because it serves up the root certificate for the webserver, which was just a self-signed test certificate.

Would using a SAN certificate issued to both domains (as well as others for future use) installed on the root domain for the webserver solve these problems? Could I then not have to renew the current single site certificates, and strictly use the SAN moving forward installed at the root and for any other of the domains listed in the SAN?

Any insight would be appreciated.
0
Asked by: onejames
1 Solution
 
ahoffmann Commented:
As you're looking for an intermediate solution, I'd use a certificate with subject for your.one.tld and a subject's alternate name with your.other.tld,
then make your.one.tld the primary host which answers requests made without SNI.
0
 
Dave Howe Commented:
@ahoffmann: the standard is ambiguous as to if the subject CN is ignored on certs with a SAN or not - so it is best practice to duplicate the CN into the SAN just in case.

If you have a SAN, then SNI is redundant and can be deconfigured for efficiency :)
0
 
ahoffmann Commented:
@DaveHowe: thanks for the clarification (missed adding the CN to the SAN)
0
 
onejames (Author) Commented:
So what I gather from your responses is that the SAN will work in my scenario? I guess I could always just buy it and try it and use the 30 day refund guarantee if things don't work out as planned.

Please clarify.
0
 
Dave Howe Commented:
@onejames: Yes, SAN certs were invented specifically for this scenario.
0
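Added example, not part of the thread and not any participant's code: a Python check of the certificate a server hands to clients that send no SNI, confirming that its SAN covers every hosted name and that the subject CN is repeated in the SAN. The function names and the two certificate dicts are constructed for illustration, and the audit assumes the strict case where a client ignores the CN once a SAN is present.

```python
import socket
import ssl

def fetch_default_cert(address, port=443, timeout=5):
    """Handshake WITHOUT sending SNI, as IE on Windows XP does, and return
    the certificate the server falls back to (getpeercert() dict form)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # names are inspected by audit_default_cert
    with socket.create_connection((address, port), timeout=timeout) as raw:
        # No server_hostname argument, so no SNI extension is sent.
        # An untrusted (e.g. self-signed) default cert raises SSLError here.
        with ctx.wrap_socket(raw) as tls:
            return tls.getpeercert()

def _matches(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return (p[0] == "*" or p[0] == h[0]) and p[1:] == h[1:]

def audit_default_cert(cert, hosted_names):
    """Return (names not covered by the SAN, whether the subject CN is in the SAN)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    missing = [n for n in hosted_names if not any(_matches(s, n) for s in sans)]
    cn_in_san = all(any(s.lower() == cn.lower() for s in sans) for cn in cns)
    return missing, cn_in_san

# Constructed samples in the shape ssl.SSLSocket.getpeercert() returns.
CN_ONLY_PRIMARY = {   # CN for the primary host, SAN lists only the other name
    "subject": ((("commonName", "your.one.tld"),),),
    "subjectAltName": (("DNS", "your.other.tld"),),
}
CN_DUPLICATED = {     # CN repeated in the SAN
    "subject": ((("commonName", "your.one.tld"),),),
    "subjectAltName": (("DNS", "your.one.tld"), ("DNS", "your.other.tld")),
}
HOSTED = ["your.one.tld", "your.other.tld"]

if __name__ == "__main__":
    for label, cert in (("CN only", CN_ONLY_PRIMARY), ("CN in SAN", CN_DUPLICATED)):
        print(label, audit_default_cert(cert, HOSTED))
```

To audit a live server, pass the result of `fetch_default_cert()` for your own server's address to `audit_default_cert()` together with the list of names it hosts.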
