Re: SSL certificate (was Re: accounts gnome org is now using Request Tracker)



On Sun, 2006-03-05 at 12:05 +0100, Christian Rose wrote:
> On 10/28/05, James Henstridge <james jamesh id au> wrote:
> > On 27/10/05 16:51, Ross Golder wrote:
> > >Would it? Doesn't each Apache secure vhost require a different IP
> > >address to bind to?
> > >
> > >
> > You can vhost SSL sites pretty easily.  If you don't care about the
> > "name doesn't match certificate" warnings the first time you go to the
> > site, setup is exactly the same.
> >
> > Alternatively, you can use the "subject alt name" extension in the
> > certificate, which will get rid of the warning for those names.  I don't
> > recall how to do this with the openssl tools though.
> >
> > James.
> 
> Alternatively, you can use a wildcard SSL certificate that will be
> valid for all websites *.gnome.org. The only restriction is that all
> web sites will need to be served as virtual hosts from the same
> machine (window?), where the certificate is then placed.
> 
> Has anyone looked into this? A wildcard certificate need not be
> extremely expensive, for example http://www.rapidssl.com/ offers
> wildcard certificates for about $200.

One caveat about this is that if we did put a wildcard certificate
on window, then it wouldn't make sense to, say, have a separate more
closely guarded certificate for, say, 'store.gnome.org', since someone
obtaining the wildcard certificate could impersonate store.gnome.org.

Not really a killer objection ... after all, users are probably about
as likely to give their credit cards to an impersonated
https://www.gnome.org as to an impersonated https://store.gnome.org,
but worth at least keeping in mind.

Regards,
					Owen
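
Added example, not part of the original message or the GNOME sysadmin tooling: a Python sketch of left-most-label wildcard matching (RFC 6125 style) that lists which hosts each certificate's key holder could serve without a name-mismatch warning, which is the caveat raised above. The certificate labels, the SAN lists and the hosts other than www.gnome.org and store.gnome.org are constructed for illustration.

```python
# Added illustration: which hostnames each certificate's key holder can serve
# without a name-mismatch warning. Host and certificate sets are constructed.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' only as the entire left-most label,
    covering exactly one label; comparison is case-insensitive."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*' never spans dots: *.gnome.org != a.b.gnome.org
    if p_labels[0] == "*":
        # Conservative check (an assumption of this sketch): require at least
        # two fixed labels so a name like '*.org' is refused.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial wildcards (w*.gnome.org) are not honoured here
    return p_labels == h_labels


def covered_hosts(san_names, hosts):
    """Hosts for which a certificate with these subjectAltName entries is valid."""
    return sorted(h for h in hosts if any(name_matches(n, h) for n in san_names))


# Constructed sample data; only the first two hosts are named in the thread.
HOSTS = ["www.gnome.org", "store.gnome.org", "gnome.org", "svn.dev.gnome.org"]

# Hypothetical certificates, keyed by a label, with their subjectAltName lists.
CERTS = {
    "wildcard": ["*.gnome.org"],
    "san-list": ["www.gnome.org", "gnome.org"],
    "store-only": ["store.gnome.org"],
}


def exposure():
    """Map each certificate label to the hosts its private key could front for."""
    return {label: covered_hosts(names, HOSTS) for label, names in CERTS.items()}


if __name__ == "__main__":
    for label, hosts in exposure().items():
        print(f"{label:11s} -> {', '.join(hosts)}")
```

The wildcard row includes store.gnome.org, so a dedicated store certificate adds no isolation once the wildcard key exists on another machine; the explicit SAN list covers only the names it enumerates.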




