SSL Certificates and SNI question

Posted on 2012-09-13
Last Modified: 2012-09-18
I have a webserver I would like to deploy with multiple SSL certificates installed for a number of different domains.

Currently I have it working with a distinct certificate for each domain needing to be secured (currently 2). My problem is when connections are made from Internet Explorer clients running Windows XP. Since these OS/browser combinations do not support SNI, the browser rightfully throws a certificate mismatch error because it serves up the root certificate for the webserver, which was just a self-signed test certificate.

Would using a SAN certificate issued to both domains (as well as others for future use), installed on the root domain for the webserver, solve these problems? Could I then not have to renew the current single-site certificates, and strictly use the SAN moving forward, installed at the root and for any other of the domains listed in the SAN?

Any insight would be appreciated.
Question by: onejames
    LVL 51

    Expert Comment

    As you're looking for an intermediate solution, I'd use a certificate with subject for and a subject alternate name with your.other.tld,
    then make the primary host which answers requests made without SNI.
    LVL 33

    Accepted Solution

    @ahoffmann: the standard is ambiguous as to whether the subject CN is ignored on certs with a SAN or not, so it is best practice to duplicate the CN into the SAN just in case.

    If you have a SAN, then SNI is redundant and can be deconfigured for efficiency :)
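The accepted answer's two points (a client that cannot send SNI gets the server's one default certificate, and a CN that is not repeated in the SAN may be ignored once a SAN is present) can be checked against a certificate's decoded fields. The following is an added example, not code from the thread; it works on the dict shape that Python's `ssl.SSLSocket.getpeercert()` returns, and the hostnames and the three sample certificates are constructed placeholders, not the asker's domains.

```python
# Sample certificates in the shape ssl.SSLSocket.getpeercert() returns:
# 'subject' is a tuple of RDNs (each a tuple of (type, value) pairs),
# 'subjectAltName' is a tuple of (type, value) pairs. All names are constructed.
CERT_CN_ONLY = {
    "subject": ((("commonName", "www.example.test"),),),
}
CERT_SAN_WITHOUT_CN = {  # the case the accepted answer warns about
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.other.test"), ("DNS", "mail.other.test")),
}
CERT_SAN_WITH_CN = {  # CN duplicated into the SAN, as recommended
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "www.other.test")),
}


def _dns_match(pattern, hostname):
    """RFC 6125-style match: exact name, or '*.' covering exactly one leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        # a wildcard never matches the bare domain or more than one label
        return len(labels) >= 3 and labels[1:] == pattern.split(".")[1:]
    return False


def _san_dns(cert):
    return [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]


def _common_names(cert):
    return [v for rdn in cert.get("subject", ()) for t, v in rdn if t == "commonName"]


def cert_names(cert):
    """Names the cert is valid for under the strict reading: SAN if present, else the CN."""
    return _san_dns(cert) or _common_names(cert)


def cn_not_in_san(cert):
    """True when a SAN is present but omits the subject CN (fix: add the CN to the SAN)."""
    san = _san_dns(cert)
    return bool(san) and any(not any(_dns_match(s, cn) for s in san) for cn in _common_names(cert))


def coverage(cert, hostnames):
    """Per hostname: would a client that receives only this cert (e.g. no SNI) accept it?"""
    names = cert_names(cert)
    return {h: any(_dns_match(n, h) for n in names) for h in hostnames}
```

Run `coverage()` against the certificate your server presents when no SNI is sent and the list of every hostname it must serve; any `False` is a name that non-SNI clients will reject.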
    LVL 51

    Expert Comment

    @DaveHowe: thanks for the clarification (I missed adding the CN to the SAN).

    Author Comment

    So what I gather from your responses is that the SAN will work in my scenario? I guess I could always just buy it and try it and use the 30 day refund guarantee if things don't work out as planned.

    Please clarify.
    LVL 33

    Expert Comment

    by:Dave Howe
    @onejames: Yes, SAN certs were invented specifically for this scenario.
