Is a Wildcard SAN certificate possible?

Problem description

Is it possible to secure multiple domains with a single certificate using wildcard domains and a SAN?

For example, one SAN certificate that secures both *.domain1.com and *.domain2.com?

Everything I have read so far seems to indicate that you can have either a wildcard certificate (*.domain1.com) OR a SAN certificate (host1.domain1.com, host2.domain2.com), but not a combination. Is this correct?

Recommended answer

I assume you want to use the certificate for HTTP. In this case you need to look at RFC 2818. This RFC clearly defines that common name should only be used if no subject alternative names are configured, but it allows wildcard certificates in the SAN extension. So it should be possible to combine several non-wildcard and wildcard certificates inside the SAN part of the certificate.

It looks like various CAs have different policies about creating certificates mixing wildcard and non-wildcard: While Thawte argues that mixing is not possible (https://community.thawte.com/blog-posts/difference-between-wildcard-ssl-vs-san-certificate), DigiCert propagates it as the best of both worlds (http://www.digicert.com/ssl-support/wildcard-san-names.htm). So it seems to be more a limitation of the CAs and not of the browsers and definitely not of the standard.
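The following sketch is an added example, not part of the original answer. It shows how a client applying the RFC 2818 rules would treat one certificate whose SAN extension mixes wildcard and non-wildcard names. The function names and the sample certificate are constructed for illustration; the dict layout follows what Python's `ssl.SSLSocket.getpeercert()` returns, and only a whole left-most `*` label is treated as a wildcard (an assumption that is stricter than RFC 2818 itself).

```python
# Added illustration: RFC 2818-style name matching for a mixed SAN certificate.

def dns_names(cert):
    """Names a client should check: SAN dNSName entries, else the subject CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # RFC 2818: the CN is only used when no dNSName SAN exists
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def label_match(pattern, host):
    """Compare one presented name with a hostname, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Assumption: require at least two labels after "*" (rejects "*.com").
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h

def cert_covers(cert, host):
    """True if any name the client is allowed to use matches the host."""
    return any(label_match(name, host) for name in dns_names(cert))

# Constructed sample: two wildcard SANs plus one plain SAN on one certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "cn-only.example"),),),
    "subjectAltName": (
        ("DNS", "*.domain1.com"),
        ("DNS", "*.domain2.com"),
        ("DNS", "domain1.com"),
    ),
}

if __name__ == "__main__":
    for host in ("www.domain1.com", "api.domain2.com", "domain1.com",
                 "domain2.com", "a.b.domain1.com", "cn-only.example"):
        print(f"{host:20} {cert_covers(SAMPLE_CERT, host)}")
```

The apex `domain2.com` and the two-level name `a.b.domain1.com` are not covered by the wildcards, and the CN is ignored because SAN entries are present, so each such name needs its own SAN entry.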
