> "Matt Crawford" <[EMAIL PROTECTED]> writes:
> >... Netscrape and Internet Exploder each have a hack for
> >honoring the same cert for multiple server names. Opera seems to honor at
> >least one of the two hacks, and a cert can incorporate both at once.
> >
> > /C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services
> > /CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov
> > /CN=bravo.fnal.gov/CN=charlie.fnal.gov
>
> Just to clarify this, so you need a multivalued CN, with one containing the
> expression "(a|b|c)" and the remaining containing each of "a", "b", and "c"?
> Is it multiple AVAs in an RDN, or multiple RDNs? (Either of these could be
> hard to generate with a lot of software, which can't handle multiple AVAs in
> an RDN or multiple same-type RDNs). Which hack is for MSIE and which is for
> Netscape?
Each CN is in a single-element RDN as usual. Netscape honors only the first CN in the SubjectDN, but will treat it as a restricted regex (shell-like * wildcard, alternation and grouping). IE checks the server name against each CN individually. This was mainly determined by experimentation.

I think we did find a limit on how long that first regex could be, but I don't remember what it was. Longer than my example, but short enough that some of our bigger virtual-hosting servers were inconvenienced by it.

Openssl has no qualms about multiple same-type components. You just have to use the somewhat documented

    0.commonName = ...
    1.commonName = ...
    2.commonName = ...

in the configuration file.
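The two client behaviours described in the reply (first-CN-as-pattern versus each-CN-compared-individually) and the numbered `N.commonName` config form, worked through as an added Python example. This is not code from the thread or from OpenSSL; it parses the `/type=value` subject string shown above, implements each matcher as the reply describes it, and emits the `[ req ]` configuration that produces such a subject. Assumptions, labelled in the code: the shell-like `*` is taken to match any run of characters, hostnames are compared case-insensitively, the `req_dn` section name is arbitrary, and `SAMPLE_SUBJECT` is a constructed copy of the DN quoted in the thread.

```python
import re

# Constructed sample subject in the '/type=value' form used in the thread
SAMPLE_SUBJECT = (
    "/C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services"
    "/CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov"
    "/CN=bravo.fnal.gov/CN=charlie.fnal.gov"
)


def parse_subject(subject):
    """Split an OpenSSL-style '/type=value/...' subject into ordered (type, value)
    pairs. Each component is taken as its own single-AVA RDN, which is how the
    thread says the multi-CN certificates were built."""
    rdns = []
    for part in subject.split("/"):
        if part:
            typ, _, value = part.partition("=")
            rdns.append((typ, value))
    return rdns


def common_names(subject):
    """All CN values, in certificate order (the first one is what Netscape uses)."""
    return [value for typ, value in parse_subject(subject) if typ == "CN"]


def netscape_pattern_to_regex(cn):
    """Translate the restricted pattern the thread attributes to Netscape into a
    Python regex: '*' is a shell-like wildcard (assumed here to match any run of
    characters), '(' ')' and '|' keep their grouping/alternation meaning, and
    everything else is escaped so a '.' in the hostname stays literal."""
    out = []
    for ch in cn.lower():
        if ch == "*":
            out.append(".*")
        elif ch in "()|":
            out.append(ch)
        else:
            out.append(re.escape(ch))
    return "".join(out)


def matches_netscape_style(hostname, subject):
    """Netscape behaviour per the thread: only the first CN is consulted, and it
    is interpreted as a pattern (case-insensitive comparison assumed)."""
    cns = common_names(subject)
    if not cns:
        return False
    return re.fullmatch(netscape_pattern_to_regex(cns[0]), hostname.lower()) is not None


def matches_ie_style(hostname, subject):
    """IE behaviour per the thread: the server name is compared against each CN
    on its own, so a pattern CN only matches a host literally named like it."""
    host = hostname.lower()
    return any(cn.lower() == host for cn in common_names(subject))


def alternation_pattern(hostnames):
    """Build the '(a|b|c).domain' first CN. Names sharing a parent domain are
    collapsed onto it; otherwise the full names are alternated."""
    split = [h.split(".", 1) for h in hostnames]
    if all(len(s) == 2 for s in split) and len({s[1] for s in split}) == 1:
        return "(" + "|".join(s[0] for s in split) + ")." + split[0][1]
    return "(" + "|".join(hostnames) + ")"


def openssl_req_config(hostnames, base_dn):
    """Emit an OpenSSL 'req' config using the numbered '0.commonName = ...' form
    the thread mentions for repeated DN components. 'req_dn' is an arbitrary
    section name; with prompt = no the values are read verbatim from it."""
    lines = ["[ req ]", "prompt = no", "distinguished_name = req_dn", "", "[ req_dn ]"]
    lines += [f"{key} = {value}" for key, value in base_dn.items()]
    cns = [alternation_pattern(hostnames)] + list(hostnames)
    lines += [f"{i}.commonName = {cn}" for i, cn in enumerate(cns)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hosts = ["alpha.fnal.gov", "bravo.fnal.gov", "charlie.fnal.gov"]
    print(openssl_req_config(hosts, {"C": "US", "O": "Fermilab", "OU": "Services"}))
    for name in hosts + ["delta.fnal.gov"]:
        print(f"{name:18} netscape={matches_netscape_style(name, SAMPLE_SUBJECT)!s:5} "
              f"ie={matches_ie_style(name, SAMPLE_SUBJECT)}")
```

Running the script prints the generated `[ req_dn ]` section and a table showing that the three listed hosts pass both matchers while `delta.fnal.gov` passes neither; a certificate carrying only the pattern CN would satisfy the Netscape-style check but fail the per-CN comparison, which is why the thread's certificate carries both forms. Note that this CN-based matching is legacy behaviour: current browsers ignore the CN entirely and match hostnames only against the subjectAltName extension, so the wildcard-in-CN trick is not a way to get multi-host certificates today.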