CAcert
This site uses a cert from CAcert for https and the CSR for this was generated using the bash script at the end of the CAcert Vhosts page:
    FQDN/CommonName (ie. www.example.com) : wiki.aktivix.org
    Type SubjectAltNames for the certificate, one per line. Enter a blank line to finish
    SubjectAltName: DNS:wiki.aktivix.org
    SubjectAltName: DNS:en.wiki.aktivix.org
    SubjectAltName: DNS:pt.wiki.aktivix.org
    SubjectAltName: DNS:www.wiki.aktivix.org
    SubjectAltName: DNS:www.en.wiki.aktivix.org
    SubjectAltName: DNS:www.pt.wiki.aktivix.org

This means that one can access this site from alternate addresses, e.g.:
- https://wiki.aktivix.org/CAcert
- https://www.wiki.aktivix.org/CAcert
- https://en.wiki.aktivix.org/CAcert
- https://www.en.wiki.aktivix.org/CAcert
They all have the same IP address, and if you have the CAcert root cert installed you will get no https warnings. 3 of these domains just do a redirect to en.wiki.aktivix.org but they still illustrate the point...
Domain Name Mismatch error
If you have UseCanonicalName Off and a VirtualHost with ServerAliases, or if you don't repeat the CommonName as a SubjectAltName, then you get this error message in Mozilla / Firefox:
And this error in IE:
Repeating the CommonName as a SubjectAltName
Note that the cert this site uses has wiki.aktivix.org both as the CommonName and as a SubjectAltName, because without it being repeated you get the error message above.
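Why the repetition is needed, as an added example (not part of the CAcert script or this site's configuration): under RFC 2818 a client that finds any DNS SubjectAltName in a cert matches only against those and ignores the CommonName. The function names and certificate dicts below are constructed for illustration, in the shape Python's ssl getpeercert() returns.

```python
# Added example: RFC 2818 host name selection over constructed certificate data.

def cert_dns_names(cert):
    """Names a client matches against: DNS SubjectAltNames if any exist,
    otherwise (and only then) the CommonName from the subject."""
    sans = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # CommonName is ignored once a DNS SAN is present
    return [v.lower() for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or '*' standing in for the whole left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def uncovered(cert, hostnames):
    """Host names that would trigger a domain name mismatch for this cert."""
    names = cert_dns_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]

def make_cert(common_name, sans):
    """Build a constructed cert dict (hypothetical helper)."""
    return {"subject": ((("commonName", common_name),),),
            "subjectAltName": tuple(("DNS", s) for s in sans)}

# ServerName plus ServerAliases, taken from the SubjectAltName list on this page.
VHOST_NAMES = ["wiki.aktivix.org", "en.wiki.aktivix.org", "pt.wiki.aktivix.org",
               "www.wiki.aktivix.org", "www.en.wiki.aktivix.org",
               "www.pt.wiki.aktivix.org"]

CN_NOT_REPEATED = make_cert("wiki.aktivix.org", VHOST_NAMES[1:])
CN_REPEATED = make_cert("wiki.aktivix.org", VHOST_NAMES)
CN_ONLY = make_cert("wiki.aktivix.org", [])

if __name__ == "__main__":
    for label, cert in (("CN not repeated", CN_NOT_REPEATED),
                        ("CN repeated", CN_REPEATED),
                        ("CN only, no SANs", CN_ONLY)):
        print(f"{label}: mismatch for {uncovered(cert, VHOST_NAMES) or 'none'}")
```

Running the same check over the ServerName and ServerAlias values of a VirtualHost before deploying a new cert shows which names would produce the mismatch warning.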
UseCanonicalName
Apache has UseCanonicalName On by default and when it is on you can use one VirtualHost with multiple ServerAliases, with all of these ServerAliases and the ServerName in the cert.
If however you have UseCanonicalName Off then you can't use any ServerAliases and you have to have one VirtualHost per ServerName and then set all the VirtualHosts to use the same cert.
See the Apache docs for more info.