[TriLUG] Tricky routing issue

Jeremy Portzer jeremyp at pobox.com
Mon Oct 29 22:48:31 EDT 2007


Chris Bullock wrote:
> I agree with Robert, your certs are based on browser URL and the cert.  IP
> address has nothing to do with your cert.  You can also get wildcard certs
> where your cert is issued to *.yourdomain.com and it will cover all your
> servers in your domain.

While this doesn't exactly address the original poster's issue (which 
can be solved simply by adjusting the router to send different 
protocols/ports to different internal hosts), it is also possible to use 
something called a "Subject Alternative Name" (SAN) instead of a 
wildcard certificate. The SAN allows you to use multiple URIs on the 
same certificate; e.g. "jabber.yourdomain.com" and "www.yourdomain.com" 
could be both listed.  These could resolve to the same IP address, and 
then use the router again to send the requests to different internal hosts.

Subject Alternative Names are fully supported by all modern browsers and 
certificate systems, and seem to be under-appreciated by many web site 
and network administrators in my opinion.

Someone else asked about "embedded" browsers - does this refer to cell 
phones?  - but this is a standard that's been around a while so there's 
no particular reason they shouldn't support either SANs or wildcard 
certificates.

--Jeremy Portzer
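
Added example, not part of the original message: a sketch of how a client decides whether a certificate's dNSName entries cover a host, comparing the two-name SAN certificate with the wildcard certificate discussed above. The function names, the extra host names, and the "at least two fixed labels" guard are assumptions made for illustration.

```python
# Added example: dNSName matching for a SAN list versus a wildcard entry.
# yourdomain.com is the placeholder domain used in the thread.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """Match one certificate dNSName against a host name.

    '*' is honoured only as the entire left-most label and stands for
    exactly one label (the wildcard check in RFC 6125 section 6.4.3).
    Partial wildcards such as 'w*.example' are rejected here.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Assumed guard: need two fixed labels so '*.com' never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return "*" not in pattern and p == h

def cert_covers(san_dns_names, hostname):
    """True if any dNSName in the certificate matches the host."""
    return any(dns_name_matches(n, hostname) for n in san_dns_names)

# Constructed certificate contents for the comparison.
SAN_CERT = ["jabber.yourdomain.com", "www.yourdomain.com"]
WILDCARD_CERT = ["*.yourdomain.com"]
HOSTS = [
    "www.yourdomain.com",
    "jabber.yourdomain.com",
    "mail.yourdomain.com",      # not listed in the SAN certificate
    "yourdomain.com",           # apex: no label for '*' to stand in for
    "a.b.yourdomain.com",       # two labels deep: '*' covers only one
]

def coverage_table():
    """Return {host: (covered_by_san_cert, covered_by_wildcard_cert)}."""
    return {h: (cert_covers(SAN_CERT, h), cert_covers(WILDCARD_CERT, h))
            for h in HOSTS}

if __name__ == "__main__":
    for host, (san, wild) in coverage_table().items():
        print(f"{host:24} SAN={san!s:5} wildcard={wild}")
```

The SAN certificate covers exactly the names it lists, while the wildcard covers any single-label host under the domain but neither the bare domain nor deeper subdomains.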


