Multiple Certs and Keys

Nikos Mavrogiannopoulos n.mavrogiannopoulos at gmail.com
Mon May 9 04:51:03 PDT 2016


On Thu, May 5, 2016 at 3:12 PM, Yick Xie <yick.xie at gmail.com> wrote:
> Hello Nikos,
>
> A little confused about it. Since even if I self-sign the other CNAME
> domain, I still cannot get rid of the risk of domain resolution,
> right? Can ocserv tell apart via CN (common name) and deliver the cert
> according to IP-visit or domain-visit?

ocserv can distinguish which certificate to send based on SNI. If you set up
ocserv with two certificates, one for xxx.com and the other for
yyy.com, the clients that advertise one of the two DNS names should
be served the corresponding certificate.

For example, for your self-signed certificate you could issue it for:
self-signed.mydomain.com
while the CA-issued one is for:
ca-issued.mydomain.com

You should set these as the dns_name field.

Then users connecting to self-signed.mydomain.com will be served the
self-signed one, while the other domain will be served the CA-issued
one.

regards,
Nikos
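The setup Nikos describes, as an added example that is not part of the original thread or of the ocserv project: two certtool templates whose dns_name fields carry the two host names, the two server-cert/server-key pairs for ocserv.conf, and an openssl s_client check of which certificate a given SNI name receives. The host names, file paths and the use of self-signed certificates for both names (the "CA-issued" one is self-signed here only so the script runs offline) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from ocserv.
# Builds two server certificates whose SAN dns_name differs, writes the
# ocserv config lines that load both, and shows how to check which one a
# client advertising a given SNI name is served.
set -eu

SELF_NAME="self-signed.mydomain.com"   # assumed name served the self-signed cert
CA_NAME="ca-issued.mydomain.com"       # assumed name served the CA-issued cert

# Write a certtool template; dns_name is the SAN entry ocserv matches against SNI.
write_template() {
    # $1 = template path, $2 = DNS name
    cat > "$1" <<EOF
cn = "$2"
dns_name = "$2"
tls_www_server
signing_key
encryption_key
expiration_days = 365
EOF
}

# Generate a private key and a self-signed certificate from the template.
# Skips key generation when certtool is not installed so the rest still runs.
make_cert() {
    # $1 = output directory, $2 = basename, $3 = DNS name
    write_template "$1/$2.tmpl" "$3"
    if command -v certtool >/dev/null 2>&1; then
        certtool --generate-privkey --bits 2048 --outfile "$1/$2-key.pem" >/dev/null 2>&1
        certtool --generate-self-signed --load-privkey "$1/$2-key.pem" \
            --template "$1/$2.tmpl" --outfile "$1/$2-cert.pem" >/dev/null 2>&1
    fi
}

# Emit the ocserv.conf lines: server-cert/server-key are given once per
# certificate, and ocserv picks the pair whose dns_name matches the SNI.
ocserv_conf_lines() {
    # $1 = directory holding the PEM files (path is an assumption)
    printf 'server-cert = %s/self-cert.pem\nserver-key = %s/self-key.pem\n' "$1" "$1"
    printf 'server-cert = %s/ca-cert.pem\nserver-key = %s/ca-key.pem\n' "$1" "$1"
}

# Show the SAN of the certificate a running server returns for an SNI name.
# Run manually against a live ocserv; e.g. sni_check vpn.mydomain.com:443 "$SELF_NAME"
sni_check() {
    # $1 = host:port, $2 = SNI name to advertise
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName
}

main() {
    dir="${1:-$(mktemp -d)}"
    make_cert "$dir" self "$SELF_NAME"
    make_cert "$dir" ca "$CA_NAME"
    ocserv_conf_lines "$dir" > "$dir/ocserv-certs.conf"
    echo "Templates, keys and config fragment written under $dir"
}

main "$@"
```

Append the contents of the generated ocserv-certs.conf to ocserv.conf and restart ocserv; then sni_check with each name should print the matching dns_name, and a client that sends no SNI (or one that connects by IP) gets whichever certificate ocserv falls back to, which is the case the original question was about.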



More information about the openconnect-devel mailing list