On Thu, May 5, 2016 at 3:12 PM, Yick Xie <yick.xie at gmail.com> wrote:
> Hello Nikos,
>
> A little confused about it. Since even if I self-signed another CNAME
> domain, I still cannot get rid of the risk of domain resolution,
> right? Can ocserv tell them apart via the CN (common name) and deliver the cert
> according to IP visit or domain visit?

ocserv can distinguish certificates to send based on SNI. If you set up
ocserv with two certificates, one for xxx.com and the other for yyy.com,
the clients which advertise one of the two DNS names should be served the
corresponding certificates.

For example, for your self-signed certificate you could issue it for:
  self-signed.mydomain.com
while the CA-issued one as:
  ca-issued.mydomain.com

You should set these as the dns_name field. Then users connecting to
self-signed.mydomain.com will be served the self-signed one, while the
other domain will be served the CA-issued one.

regards,
Nikos
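The selection Nikos describes, shown end to end as an added example that is not part of the original thread and not ocserv's own code: a small Python TLS server holds one context per certificate and swaps contexts in its SNI callback, and a client reports which certificate it was handed for each server_hostname it advertised. The two DNS names are the hypothetical ones from the thread; the certificates are throwaway self-signed ones minted at run time with the openssl command-line tool (OpenSSL 1.1.1 or later for -addext), so nothing here touches a real CA. The choice of the first listed certificate as the fallback for unknown or absent SNI is this example's own, not a statement about ocserv.

```python
"""SNI-based server certificate selection, demonstrated with the Python ssl
module.  Added example; not ocserv source.  Names below are hypothetical and
the certificates are constructed on the fly with the openssl CLI."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

SELF_SIGNED = "self-signed.mydomain.com"  # hypothetical name from the thread
CA_ISSUED = "ca-issued.mydomain.com"      # hypothetical name from the thread


def make_self_signed(directory, dns_name):
    """Mint a throwaway self-signed cert whose SAN is dns_name (constructed test data)."""
    key = os.path.join(directory, dns_name + ".key")
    crt = os.path.join(directory, dns_name + ".crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "2",
         "-keyout", key, "-out", crt, "-subj", "/CN=" + dns_name,
         "-addext", "subjectAltName=DNS:" + dns_name],
        check=True, capture_output=True)
    return crt, key


def pem_file_to_der(path):
    with open(path) as f:
        return ssl.PEM_cert_to_DER_cert(f.read())


def build_server_context(cert_files):
    """cert_files: {dns_name: (crt, key)}.  One SSLContext per certificate; the
    first entry is this example's fallback for unknown or missing SNI."""
    contexts = {}
    for name, (crt, key) in cert_files.items():
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(crt, key)
        contexts[name] = ctx
    default = next(iter(contexts.values()))

    def select_cert(sslsock, server_name, _ctx):
        # server_name is the SNI the client advertised (None when absent).
        chosen = contexts.get(server_name)
        if chosen is not None:
            sslsock.context = chosen  # serve the certificate issued for that name
        return None                   # None means: continue the handshake

    default.sni_callback = select_cert
    return default


def serve(server_ctx, listener, stop):
    """Accept loop: complete one TLS handshake per connection, then close."""
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        except OSError:
            return
        try:
            with server_ctx.wrap_socket(conn, server_side=True):
                pass
        except (ssl.SSLError, OSError):
            pass


def served_cert_der(host, port, server_name):
    """Handshake once with the given SNI and return the DER of the leaf served."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # observe only; no trust decision is made here
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def run_demo():
    """Return {sni_sent: dns_name_of_certificate_served} for four probes."""
    tmp = tempfile.mkdtemp()
    cert_files = {name: make_self_signed(tmp, name) for name in (CA_ISSUED, SELF_SIGNED)}
    der_to_name = {pem_file_to_der(crt): name for name, (crt, _) in cert_files.items()}
    server_ctx = build_server_context(cert_files)

    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(0.5)
    port = listener.getsockname()[1]
    stop = threading.Event()
    worker = threading.Thread(target=serve, args=(server_ctx, listener, stop), daemon=True)
    worker.start()
    try:
        results = {}
        for sni in (CA_ISSUED, SELF_SIGNED, "unknown.example", None):
            results[sni] = der_to_name.get(served_cert_der("127.0.0.1", port, sni))
        return results
    finally:
        stop.set()
        worker.join()
        listener.close()


if __name__ == "__main__":
    for sni, name in run_demo().items():
        print(f"SNI {sni!r:>30} -> certificate for {name}")
```

Against a real ocserv the same check is a one-liner from any client host: `openssl s_client -connect vpn.example:443 -servername self-signed.mydomain.com </dev/null | openssl x509 -noout -subject -ext subjectAltName`, repeated with the other name and once without -servername, should show the certificate whose dns_name matches each SNI. A client that connects by IP address sends no SNI at all, which is why the thread's question about IP visits cannot be answered by SNI alone.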