robert’s rant room

At Freitagsrunde, we are currently installing an ejabberd Jabber server, and came across the problem of using one SSL certificate for multiple host names. While the old anwer to this problem is using one IP address for each hostname, or wildcard certificates, one of us proposed a solution unknown to the others before: SSL certificates with more than one common name, aka Unified Communications Certificates.

# copy the system's openssl config

$ cp /etc/ssl/openssl.cnf .

# patch

$ cat<<EOF | patch

--- openssl.cnf.orig	2008-04-10 18:01:37.000000000 +0200
+++ openssl.cnf	2008-04-10 18:02:18.000000000 +0200
@@ -141,8 +141,14 @@
organizationalUnitName		= Organizational Unit Name (eg, section)
#organizationalUnitName_default	=

-commonName			= Common Name (eg, YOUR name)
-commonName_max			= 64
+0.commonName			= Common Name 1
+0.commonName_max			= 64
+
+1.commonName			= Common Name 2
+1.commonName_max			= 64
+
+2.commonName			= Common Name 3
+2.commonName_max			= 64

emailAddress			= Email Address
emailAddress_max		= 64
EOF

# now create a certificate with this config

$ openssl req -newkey rsa:4096 -nodes -keyout ssl.key -out ssl.pem -config openssl.cnf
...Organizational Unit Name (eg, section) []:
Common Name 1 []:goodpoint.de
Common Name 2 []:*.goodpoint.de
Common Name 3 []:*.*.goodpoint.de
Email Address []:...

And for all remaining sceptics, these certificates will even be signed by CaCert.org: