堆栈内存溢出
  简体   繁体   English

SSL通配符证书

[英]SSL Wildcard Certificate

 原文  2014-09-19 07:57:19       ssl/ certificate/ ssl-certificate/ wildcard-subdomain

问题描述

I'm looking for a wildcard certificate for a company *.domain.com. 我正在寻找公司* .domain.com的通配符证书。 I don't need extended validation. 我不需要扩展验证。 Entry level questions: 入门级问题:

  • Should I buy level 2 or level 3 certificate? 我应该购买2级还是3级证书? What's the main difference? 主要区别是什么?

  • Can I install (use) the same certificate/key pair in different machines (different IPs)? 我可以在不同的机器(不同的IP)上安装(使用)相同的证书/密钥对吗? Some CAs ask for dedicated IP as a requirement, but I'd like to use SNI for multiple virtual hosts. 一些CA要求使用专用IP,但我想对多个虚拟主机使用SNI。

  • In general, is it a good idea to rely on SNI support? 总的来说,依靠SNI支持是一个好主意吗?

1 个解决方案

解决方案1
 0 已采纳  2014-09-19 08:40:10

Should I buy level 2 or level 3 certificate? 我应该购买2级还是3级证书? What's the main difference? 主要区别是什么?

The difference is the number of intermediate CAs, which should not matter. 区别在于中间CA的数量,这无关紧要。 Different CAs might have additional differences between the certificates, like life-time etc but this depends on the CA. 不同的CA在证书之间可能会有其他差异,例如生存期等,但这取决于CA。

Can I install (use) the same certificate/key pair in different machines (different IPs)? 我可以在不同的机器(不同的IP)上安装(使用)相同的证书/密钥对吗? Some CAs ask for dedicated IP as a requirement, but I'd like to use SNI for multiple virtual hosts 一些CA要求使用专用IP,但我想对多个虚拟主机使用SNI

There is no restriction using the same certificate for different IP, different ports, multiple machines etc as long as the host name in all cases matches the certificate. 只要在所有情况下主机名都与证书匹配,就可以对不同的IP,不同的端口,多台计算机等使用相同的证书没有任何限制。 Of course each of the machines needs access to the private key, so you increase your attack surface with more machines. 当然,每台机器都需要访问私钥,因此您可以通过增加更多机器来增加攻击面。

In general, is it a good idea to rely on SNI support? 总的来说,依靠SNI支持是一个好主意吗?

It depends what kind of systems you need to support. 这取决于您需要支持哪种系统。 If you expect only newer browsers as clients SNI is ok. 如果您希望只有较新的浏览器作为客户端,则SNI是可以的。 But, SNI is not supported by IE8 (Windows XP), some Android applications (because of an old version of Apache HTTP library), older versions of Java and older versions of script languages like Python, Perl etc which often gets used to automate tasks. 但是,IE8(Windows XP),某些Android应用程序(由于Apache HTTP库的旧版本),Java的较早版本以及脚本语言(如Python,Perl等)的较旧版本不支持SNI,这些语言通常会用于自动执行任务。

If you want to use the certificates not only for web but also for mail the situation might be even worse. 如果您不仅想将证书用于Web,还想用于邮件,则情况可能更糟。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 SSL证书是SAN还是通配符? - SSL Certificate SAN or Wildcard? tomcat 上的 SSL 带通配符证书 - SSL on tomcat with wildcard certificate SSL通配符证书进入Tomcat - SSL Wildcard Certificate into Tomcat IIS 7和SSL通配符证书 - IIS 7 and SSL wildcard certificate SSL-带通配符的自签名证书 - SSL - self signed certificate with wildcard SSL 通用名称带通配符的证书 - SSL Certificate with wildcard in common name Comodo通配符ssl证书和Haproxy - Comodo wildcard ssl certificate and Haproxy 多台服务器上的通配ssl证书 - wildcard ssl certificate on multiple servers 双语域通配符SSL证书? - Bilingual domain wildcard SSL certificate? Plesk中的通配符子域上的通配符SSL证书-向浏览器提供了错误的证书 - Wildcard SSL Certificate on Wildcard Subdomain in Plesk - wrong certificate served to browser
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM