SSL certificates with unknown domain name

Question

Hey there,

We're having an issue with securing an intranet / internet website with SSL where we can't know the qualified domain name in advance.

Basically, I'm trying to make a program that will be installed on a webserver outside my direct control, to be accessable over intra- or internet. In either case I want it to be secure via SSL (https). To do this, I would like to include and install a SSL certificate on the target machine. My installer is fully prepackaged and should not require any particular during- or postinstall intervention from my end. Problem is, I can't know ahead of time the target machine's name or domain name, so as far as I can tell the SSL connection will be returning warnings (or worse?) when accessed, since the certificate I include will (must) have a different name on it.

I really want to avoid those warnings, but I still want to keep it secure. Is there any way to install a SSL connection without certificate warnings without the domain name known ahead of time?

Thanks for any help you folks can give.

Answer 1

Each of those sites should have their own SSL certificate. Why not prompt the user to provide the cert file during installation?

Answer 2

The best you can do is to buy a wildcard SSL certificate - but wait, it's not what you think. You still need to know the second-level domain (the TLD being ".com") ahead of time. You can effectively ask for a cert that covers *.foo.com - then any site, a.foo.com, b.foo.com will be covered. Of course, these certs are more expensive that FQDN certs because you are doing the buggers out of some extra coin.

-Oisin

Answer 3

In most (if not all) cases, the SSL certificate is associated with the webserver (apache, IIS, etc.) and is not part of your application. It's up to the admin of the web server to install the certificate and not you as the author of the program.

If your installation program does have the ability to modify the web server configuration, and you are willing to have it use a self-signed certificate, you can script the creation of the certificate to allow the domain name to be input. However, I sense this is not really available to you. Also, a self-signed certificate will generally cause certificate warnings.

Answer 4

What you want to do is not possible. Here's why.

A certificate will include a set of names (Common Name, possibly along with Subject Alternative Names, possibly including wildcard names).

The client's web browser will do the following:

1. The user wanted to visit "https://myapp.mydomain.com/blog/posts/1".
2. The request is via SSL and the domain name in the request is "myapp.mydomain.com".
3. Get the certificate from the Web server.
4. Ensure that at least one of the names in the certificate is exactly equal to, or wildcard-matches, the domain name in the request.
5. Display the page.

Therefore, you need a certificate with the exact domain name (or a wildcard matching the exact domain name) by which the application will be used. And the certificate needs to be available at the same time as, or later than, the time when the exact domain name of the website becomes known, and cannot be made available any earlier.

You seem to be under the misapprehension that somehow a certificate can "create" or "install" an SSL connection. That is false. The Web server - Apache, IIS, Nginx, LigHTTPD, or whichever one you happen to use - is the program that knows how to every aspect of SSL connectivity. The certificate is just a file that the Web server sends to the client, without even opening or using in any way.

Additionally, the author of a webapp to be distributed is not responsible for creating or distributing certificates, and should not be under the misapprehension that he is responsible. Only the website maintainer should be responsible for obtaining a certificate for his website. As another person remarked, in your installation process or perhaps in a post-installation process, you may ask the person installing the webapp for a certificate. But that is the best you can do.

Answer 5

If I understand you correctly there might be a solution to your problem now. This solution won't help you, however, if you have no control over specifying what SSL certificates are served from the web server where your program is installed (as mentioned by someone else). If your program itself contains a web server you won't have this issue.

If you start with a trusted https website, you can make cross-domain TLS (SSL) XmlHttpRequests to the web servers that are running your application. This is made possible using the opensource Forge project. The project uses a TLS implementation written in JavaScript and a small Flash swf to handle the cross-domain requests. Your program will need to serve an XML Flash policy file that grants the trusted website access to the web server running the application.

Your program will also need to generate a self-signed SSL certificate and upload it to the trusted website. From there, each program's certificate can be included as trusted via the JavaScript TLS implementation. Alternatively, you can have your program upload its certificate to be signed by a CA you create, using a common or subject alternative name that is appropriate for your use (it doesn't have to be the domain name). Then you can use JavaScript to trust the CA certificate and look for the correct name on each certificate.

For more details check out the Forge project at github:

http://github.com/digitalbazaar/forge/blob/master/README

The links to the blog posts at the end provide more in-depth information about how it works.