* Brian Mearns <mearns.b@xxxxxxxxx> [2009-11-21 18:02]: > Only the latest Apache (2.2.14) and OpenSSL built with the > tlsextensions options support this. It's case SNI (Server Name > Identification), where the client can send the fully qualified domain > name as part of the handshake process. Without this, the server has no > way knowing which vhost the client is looking for until the > certificate has already been presented (because the Host: HTTP request > header is part of the encrypted payload, which can't be sent until the > client has the cert), so it can't choose SSL options (including the > cert file) based on host name. Or put all vhosts in the certificate (as X.509v3 SubjectAltName extensions) and serve up the same cert on every vhost. How you put these in the CSR is not part of this list and depends on your CA (some require to put all hostnames in the CN, i.e. multi-valued CNs, others require to stick these in the v3 extension.) -peter --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx