Johann Schmitz

For a long time I used a wildcard certificate signed by CAcert to provide SSL support for the websites and mail/IMAP accounts hosted on my server. This wasn't the best solution because the CAcert root certificate isn't installed by default in current browsers, but it is the only CA that provides wildcard certificates with multiple SANs. As long as you have the CA installed in your browser you can visit any site signed by this certificate authority without a certificate warning. From a usability point of view this is much better than a self-signed certificate.

A few days ago, Diego's SSL certificate expired while he was away, and this pointed me again to StartSSL, which also provides SSL certificates for free. StartSSL's certificate authority is installed in all browsers, which means you never get a certificate warning or have to install the CA manually. Diego switched to multiple certificates and uses SNI (Server Name Indication) to deliver the correct certificate to the client. With SNI you can have multiple certificates on one IP address and still provide different certificates for different domains, because the hostname is sent during the TLS negotiation (without it, the web server would have to wait for the HTTP Host header, which is only sent after the secure connection has been established).

Unfortunately, StartSSL's free Class 1 certificates can only contain a single domain name plus one SAN entry per certificate. To avoid juggling many Class 1 certificates for multiple domains and services, I really thought about buying a Class 2 certificate (with wildcard support) for my domains with 2 years validity for $59. Too bad that StartSSL charges another $59 fee for the identity validation, which is above what I'm willing to pay for a server hosted as a hobby and just because I can. For now I'm running a mixture of a wildcard catch-all certificate signed by CAcert for the not-so-important sites and a few StartSSL Class 1 certificates for the public-facing sites (this one and j-schmitz.net).

And this is how your result in the SSL Labs test should look:

SSL test result for ercpe.de

SNI will shut out older clients (IE on Windows XP, JDK < 1.7 and the Android 2.x default browser) and some bots, but that's OK for me.

Using SNI with Apache

Using SNI in Apache is actually pretty easy: just point SSLCertificateFile and SSLCertificateKeyFile in each VirtualHost to that host's own certificate and key files and you're done. If you use certificates from StartSSL, make sure you also deliver the StartSSL Class 1 intermediate CA certificate via SSLCertificateChainFile, or the SSL Labs test will report an incomplete chain.
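As an added example (not configuration from the original post), here is what such a setup looks like in Apache: two name-based HTTPS VirtualHosts on the same IP and port, each handing out its own certificate, plus the intermediate. The hostnames, file paths and file names are assumptions chosen for illustration.

```apache
# Added example; hostnames and paths are assumptions, not values from the post.
Listen 443

# Default (off): clients that do not send SNI get the first vhost below and its
# certificate. Set to "on" to refuse such clients with a TLS alert instead.
SSLStrictSNIVHostCheck off

# First vhost on *:443 is also the default for non-SNI clients
<VirtualHost *:443>
    ServerName  ercpe.de
    ServerAlias www.ercpe.de
    DocumentRoot /var/www/ercpe.de

    SSLEngine on
    # Leaf certificate and private key issued for this hostname only
    SSLCertificateFile      /etc/ssl/private/ercpe.de.crt
    SSLCertificateKeyFile   /etc/ssl/private/ercpe.de.key
    # Intermediate CA certificate (placeholder file name); without it the
    # browser has to fetch or guess the chain and SSL Labs marks it incomplete
    SSLCertificateChainFile /etc/ssl/certs/startssl-class1-intermediate.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName  j-schmitz.net
    ServerAlias www.j-schmitz.net
    DocumentRoot /var/www/j-schmitz.net

    SSLEngine on
    # A separate certificate and key for the second hostname
    SSLCertificateFile      /etc/ssl/private/j-schmitz.net.crt
    SSLCertificateKeyFile   /etc/ssl/private/j-schmitz.net.key
    # Same intermediate as above, since both leaf certs come from the same CA
    SSLCertificateChainFile /etc/ssl/certs/startssl-class1-intermediate.pem
</VirtualHost>
```

Two things worth knowing when applying this: the order of the VirtualHost blocks matters, because a client that sends no SNI (the older clients mentioned above) is served by the first `*:443` vhost and will see a hostname mismatch for any other site; and from Apache 2.4.8 on, SSLCertificateChainFile is deprecated in favour of appending the intermediate certificate directly to the file named by SSLCertificateFile, which achieves the same complete chain.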

Using SNI with Courier Imap

Courier IMAP has good support for virtual hosting: set the TLS_CERTFILE variable to the path of your certificate file, and for a connection requesting a given hostname via SNI it will automatically try $TLS_CERTFILE.domainname first to pick the matching certificate.