CAcert

From Aktivix
Jump to: navigation, search

This site uses a cert from CAcert for https and the CSR for this was generated using the bash script at the end of the CAcert Vhosts page:

FQDN/CommonName (ie. www.example.com) : wiki.aktivix.org
Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
SubjectAltName: DNS:wiki.aktivix.org
SubjectAltName: DNS:en.wiki.aktivix.org
SubjectAltName: DNS:pt.wiki.aktivix.org
SubjectAltName: DNS:www.wiki.aktivix.org
SubjectAltName: DNS:www.en.wiki.aktivix.org
SubjectAltName: DNS:www.pt.wiki.aktivix.org

This means that one can accesses this site from alternate addresses, eg:

And they both all the same IP address and if you have the CAcert root cert installed you will get no https warnings. 3 of these domains just do a redirect to en.wiki.aktivix.org but they still illustrate the point...

Domain Name Mismatch error

If you have UseCanonicalName Off and a VirtualHost with ServerAlias' or if you don't repeat the CommonName as a SubjectAltName then you get this error message in Mozilla / Firefox:

Aktivix-wiki-error-msg.png

And this error in IE:

Aktivix-ssl-ie-screenshot.png


Repeating the CommonName as a SubjectAltName

Note that the cert this site uses has wiki.aktivix.org as the CommonName and as a SubjectAltName because without it being repeated you get the error message above.

UseCanonicalName

Apache has UseCanonicalName On by default and when it is on you can use one VirtualHost with multiple ServerAlias' with all these ServerAlias' and the ServerName in the cert.

If however you have UseCanonicalName Off the you can't use any ServerAlias' and you have to have one VirtualHost per ServerName and then set all the VirtualHost's to use the same cert.

See the Apache docs for more info.