#1 | Hicks | June 28th, 2001, 07:17 AM
Multiple SSL certificates on one apache server

Hi, I've created a self-signed SSL certificate for www.mups.co.uk which, when you go to https://www.mups.co.uk, validates OK (aside from not being trusted since it's self-signed). However, if you go to https://mups.co.uk, which is the exact same server, the certificate warns that it is not for the name of the server. Likewise wireless-083..... also refers to the exact same IP of my server and fails due to the certificate name being different to the name used to get there.

See what I mean?

Is there any way to have multiple certificates so that anyone who uses the www.mups.co.uk domain will use the wmups.crt, any that use mups.co.uk will validate against the mups.crt, and any that use wireless..... will validate against wireless.crt?

All on the same apache server?
Or is there a way to make the certificate valid for any of those 3 names?

Is this really an apache issue or more of an ssl issue? Can I use virtualHost to

#2 | freebsd | June 28th, 2001, 07:39 AM
Your server may contain as many certs as you want, given you have more than one static IP and IP-based vhosts are configured. Keep in mind that the CN (common name) of www.mups.co.uk and mups.co.uk don't match, not to mention a completely different domain - wireless-083.

>> Is this really an apache issue or more of an ssl issue?

SSL issue and its limitation or say its feature.

#3 | Hicks | June 28th, 2001, 07:44 AM
So if mups.co.uk and www.mups.co.uk both point to the same static IP and I have created SSL certs for each of these with the appropriate common name, how do I stop Apache using the www.mups.co.uk certificate when I use the URL mups.co.uk?

Is this because of the <VirtualHost _default_ *> section that tells it to use the www.mups.co.uk cert?? I tried adding another VirtualHost above this one called <VirtualHost mups.co.uk:443> which pathed to the mups.co.uk.crt and key, but it still tried to use the www cert.

Any ideas what I'm doing wrong?

#4 | freebsd | June 28th, 2001, 04:22 PM
>> how do I stop apache using the www.mups.co.uk certificate when I use the url mups.co.uk?

You can't. You MUST use IP-based vhost.

>> Is this because of the <VirtualHost _default_ *> section

No. It's Name-based vhost that wouldn't work with SSL.

>> but it still tried to use the www cert

Because that's what SSL is. Again, you MUST use IP-based vhost.

You may configure Apache with SSL using Name-based vhost, but only ONE would work. To put it simple, for all the hostnames that you wanted to allow SSL connection, you MUST, it's a MUST, use IP-based vhost.

#5 | Hicks | June 29th, 2001, 03:13 AM
Ah, I assumed IP virtual hosts and name-based were the same thing. Thanks for your help, I'll go read up on them.

bb

#6 | wolph | June 30th, 2001, 05:59 AM
SSL Wildcard Cert

"mups.co.uk" and "www.mups.co.uk" cannot share a certificate, no matter what you do. You have to choose one to be the way the site will be addressed. Technically, www.mups.co.uk is a subdomain of mups.co.uk.

However, multiple subdomains can share a "wildcard" certificate. For example, "www.mups.co.uk" and "muds.mups.co.uk" *could* use the same certificate - without browser warnings - as long as the CN (common name) in the cert is "*.mups.co.uk" (star-dot-mups-co-uk).

If the subdomains are on the same IP address, then the sites would be the same site, whereas if each has its own IP address, then the sites would be separate and distinct. Each distinct SSL site must have its own IP address.

Wildcard certs can be signed by VeriSign or Thawte, but for a higher fee than for a non-wildcard (ordinary) cert.

--=o=--

#7 | Helicon | July 1st, 2001, 09:13 PM
Now, suppose I have to use Name based virtual host, can I put the secure server on a different port?

Would that solve the problem?

Helicon

#8 | wolph | July 1st, 2001, 10:41 PM
secure server port

The secure server is already running on another port. The http protocol defaults to port 80 and https (ssl) to port 443. You can run one ssl vhost on port 443 for each ip address you have.

You *can* connect to other ports if you like by running a daemon that listens on that port, but you can run only one ssl host per ip address per port.

For non-standard ports, the port must be entered explicitly in the URL, e.g.,

https://sslhost.exampledomain.com:8...r/somefile.html

#9 | freebsd | July 2nd, 2001, 01:59 AM
>> Would that solve the problem?

Read this entire thread again, I thought my statement was very clear: Because that's what SSL is. Again, you MUST use IP-based vhost.

The wildcard cert wolph mentioned was never meant to be a workaround. It's a way to lower the cost instead of getting multiple certs. In doing so, you don't need to configure a different cert for each servername. You still need to use IP-based vhost configuration.

Once again, if you need SSL support for 5 vhosts, you need 5 IPs. Name-based vhost configuration by all means is to configure ONE IP. That said, if you need SSL support for just your default server, you can use name-based vhost, but none of your vhosts can implement SSL. To put it simple, ONE IP -> ONE SSL site.

You might say, what if I don't care about any SSL error and force my vhosts to use a self-signed cert for each vhost in name-based vhost environment.

You can do that, but that doesn't solve the ONE IP ONE SSL problem. In addition to the SSL error, all of your vhost sites would be the same site as your default SSL site. If you go to https://www.vhost.com, you will see the exact content of https://www.yourdomain.com, so there is no point to configure Apache in such way.
Right, if www.vhost.com is a serveralias of www.yourdomain.com, then that would be what you want just because you want both sites to be the same.

Using different port has nothing to do with SSL, but the port Apache listens to.
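
An added example, not part of any post in the thread: a small Python model of the behaviour discussed above, where the server has to send its certificate knowing only the IP address and port the connection arrived on, and the client then compares the certificate name with the hostname it asked for. It assumes a handshake without Server Name Indication, as in the 2001 setups discussed; the function names and the 192.0.2.x addresses are constructed for illustration.

```python
"""Added illustration, not code from the thread. Names and IPs are constructed."""

def name_matches(cert_name, host):
    """Client-side check: does the certificate name cover the requested host?
    '*' counts only as the entire leftmost label and stands for one label."""
    c = cert_name.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(c) != len(h):
        return False  # so '*.mups.co.uk' never covers the bare 'mups.co.uk'
    if c[0] == "*" and len(c) > 2:
        return c[1:] == h[1:]
    return c == h

def handshake(cert_by_addr, dns, host, port=443):
    """Server side: the certificate is picked from the destination IP:port
    alone; the Host header only arrives later, inside the encrypted channel."""
    cert = cert_by_addr[(dns[host], port)]  # chosen without knowing `host`
    return cert, name_matches(cert, host)

def audit(cert_by_addr, dns):
    """Map each hostname to (certificate served, does the name match?)."""
    return {host: handshake(cert_by_addr, dns, host) for host in dns}

# Name-based layout: two names, one IP, so the same cert is served to both.
ONE_IP_DNS = {"www.mups.co.uk": "192.0.2.10", "mups.co.uk": "192.0.2.10"}
ONE_IP_CERTS = {("192.0.2.10", 443): "www.mups.co.uk"}

# IP-based layout: one address and one certificate per SSL hostname.
TWO_IP_DNS = {"www.mups.co.uk": "192.0.2.10", "mups.co.uk": "192.0.2.11"}
TWO_IP_CERTS = {("192.0.2.10", 443): "www.mups.co.uk",
                ("192.0.2.11", 443): "mups.co.uk"}

# Wildcard layout: subdomains share one IP and one '*.mups.co.uk' cert.
WILD_DNS = {"www.mups.co.uk": "192.0.2.10", "muds.mups.co.uk": "192.0.2.10",
            "mups.co.uk": "192.0.2.10"}
WILD_CERTS = {("192.0.2.10", 443): "*.mups.co.uk"}

if __name__ == "__main__":
    layouts = [("name-based, one IP", ONE_IP_CERTS, ONE_IP_DNS),
               ("IP-based, two IPs", TWO_IP_CERTS, TWO_IP_DNS),
               ("wildcard, one IP", WILD_CERTS, WILD_DNS)]
    for label, certs, dns in layouts:
        for host, (cert, ok) in audit(certs, dns).items():
            print(f"{label:20} https://{host:16} cert={cert:16} "
                  f"{'ok' if ok else 'NAME MISMATCH'}")
```

Running the same `audit` over the names and addresses of a real deployment shows in advance which hostnames will produce a name-mismatch warning.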
