Some Relevant History of https AltNames
To see how this inclusion page fits in with similar ones, perhaps see one of
This section needs more authoritative references, and it currently
makes a few dubious statements.
Perhaps this section is mostly apologetics (sic) for having developed
the practice of maintaining many Subject Alternative Names on
single https certificates.
The https protocol was changed a few years back so that a
single IP address could properly support multiple encryption
certificates.
Prior to that, a single IP address would necessarily need to use
one particular certificate (public key with additional information)
as the basis of the encryption.
To avoid needing a separate IP address for each desired named
server, the practice of using more than one (often many)
Subject Alternative Names was developed.
This is arguably becoming deprecated, at least for https.
(But note that the past practice of using the common name in the
certificate as something relevant to the connection is also
definitely deprecated; in general now, you
want to aim for a certificate with only a single Alternative Name,
or perhaps merely a few convenience aliases such as www.domain.)
The work of determining which certificate to use should be done
in the browser virtual host setup. This will simplify
certificate maintenance (assuming certbot can be used), and
should also make the virtual hosts more independently
transportable to different physical servers.
--
AdrianPepper - 20 Oct 2021
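
One way to find certificates that still bundle several sites, following the advice above to aim for a single Alternative Name plus convenience aliases such as www. This is an added example, not part of the original topic; it parses the text printed by `openssl x509 -noout -ext subjectAltName`, and the sample outputs, the hostnames and the rule that only `www.` counts as an alias are assumptions constructed for illustration.

```python
# Constructed sample inputs, in the form printed by:
#   openssl x509 -noout -ext subjectAltName -in cert.pem
SAMPLE_MANY = """X509v3 Subject Alternative Name:
    DNS:example.org, DNS:www.example.org, DNS:wiki.example.org, DNS:mail.example.net, IP Address:192.0.2.10
"""
SAMPLE_SINGLE = """X509v3 Subject Alternative Name:
    DNS:wiki.example.org, DNS:www.wiki.example.org
"""

# Assumption: only www.<name> is treated as a convenience alias of <name>.
ALIAS_PREFIXES = ("www.",)


def parse_san(text):
    """Return (dns_names, other_entries) parsed from openssl's SAN text."""
    dns, other = [], []
    for line in text.splitlines():
        if "Subject Alternative Name" in line:
            continue  # header line of the extension, carries no names
        for entry in filter(None, (e.strip() for e in line.split(","))):
            kind, _, value = entry.partition(":")
            if kind == "DNS":
                dns.append(value.strip().lower().rstrip("."))
            else:
                other.append(entry)  # e.g. "IP Address:...", "email:..."
    return dns, other


def sites(dns_names):
    """Group names into sites, folding each alias into its base name."""
    groups = {}
    for name in dns_names:
        base = name
        for prefix in ALIAS_PREFIXES:
            if name.startswith(prefix) and len(name) > len(prefix):
                base = name[len(prefix):]
        groups.setdefault(base, []).append(name)
    return groups


def audit(text):
    """Return findings for a certificate that covers more than one site."""
    dns, other = parse_san(text)
    groups = sites(dns)
    findings = []
    if len(groups) > 1:
        findings.append("covers %d sites: %s" % (len(groups), ", ".join(sorted(groups))))
    if other:
        findings.append("non-DNS entries: %s" % ", ".join(other))
    return findings
```

An empty list from `audit` means the certificate names one site and, at most, its aliases.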