On 2013-09-16 13:36, Reindl Harald wrote:
On 16.09.2013 13:33, Shadi Habbal wrote:
After some digging, Subject Alternative Names (SANs) are the way to have one certificate which holds many domain names in the SubjectAltNames field. Here is a script to generate a CSR that holds different SANs: http://svn.cacert.org/CAcert/Software/CSRGenerator/csr
that's nice, but not practically usable; you can hardly add a SAN every time you get a new domain
It works perfectly for small-time setups. Indeed, not scalable after a few hundred domains, but for private/small setups it works quite fine.
the main question remains:
- why is anybody doing this?
Because IPv4 addresses are running out (or harder/pricier to get) and not all clients are on IPv4 yet, and thus you will have to have multiple certs on a single IP instead of an IP each per cert.
Yep, with IPv6 you can easily go back to the old model... but unless one does per-IP acl/ratelimits/filtering/etc why bother?
- "the user wants mail.hisdomain.tld" is *not* a valid reason and should lead to explaining to the user the stupidity of doing so for no benefit
I don't see anything "stupid" about this. It is so much easier to explain to a user "your email is xxx@example.com, your mail client does the rest" than "oh, you need to use this mail server and that here and that there".
Thunderbird (and likely other clients) autoconfigure by guessing {mail|smtp|imap}.<domain> and thus a proper cert is nice to have there instead of "warning untrusted mail.example.net!" every time.
Thus it might not be suited for your use, but it is definitely very useful for other people.
Greets, Jeroen
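An added example, not from the thread or from the CAcert CSRGenerator script linked above: a POSIX shell script that generates one CSR whose subjectAltName lists the mail/imap/smtp hostnames of several domains (the names Jeroen notes clients like Thunderbird guess), and checks the CSR carries those names before it goes to a CA. The domains and file paths are constructed for illustration; it assumes an `openssl` binary on PATH.

```shell
#!/bin/sh
# One CSR, many hostnames: put every name the cert must cover into the
# subjectAltName extension, then verify the CSR before submitting it.

# gen_san_csr KEYFILE CSRFILE CN DNSNAME... -> 0 on success
gen_san_csr() {
    key="$1"; csr="$2"; cn="$3"; shift 3
    san=""
    for name in "$@"; do
        san="${san:+$san,}DNS:$name"   # build "DNS:a,DNS:b,..."
    done
    cfg=$(mktemp)
    # req_extensions is what makes openssl copy the SAN list into the CSR;
    # a SAN given only in the subject line would be silently ignored.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$key" -out "$csr" -config "$cfg" 2>/dev/null
    rc=$?
    rm -f "$cfg"
    return $rc
}

# csr_has_san CSRFILE DNSNAME -> 0 if the CSR's SAN extension names DNSNAME
csr_has_san() {
    openssl req -in "$1" -noout -text | grep -Eq "DNS:$2(,| |\$)"
}

# Constructed usage: cover mail/imap/smtp for two domains with one CSR.
if [ "${0##*/}" = "san_csr.sh" ]; then
    d=$(mktemp -d)
    gen_san_csr "$d/key.pem" "$d/req.csr" mail.example.com \
        mail.example.com imap.example.com smtp.example.com \
        mail.example.net imap.example.net smtp.example.net || exit 1
    for h in imap.example.com smtp.example.net; do
        csr_has_san "$d/req.csr" "$h" && echo "CSR covers $h"
    done
fi
```

Review the `-text` output for the SAN line before sending the CSR; a CA signs only what the request asks for, and a missing hostname reappears as exactly the "untrusted mail.example.net" warning the thread complains about.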