#1
    Registered User, Devshed Newbie (0 - 499 posts); joined Mar 2001; 18 posts

    Multiple SSL certificates on one apache server
    Hi, I've created a self signed ssl certificate for www.mups.co.uk which when you go to https://www.mups.co.uk validates ok (aside from not being trusted since it's self signed). However if you go to https://mups.co.uk which is the exact same server the certificate warns that it is not for the name of the server. Likewise wireless-083..... also refers to the exact same ip of my server and fails due to the certificate name being different to the name used to get there.

    See what I mean?

    Is there any way to have multiple certificates so that anyone who uses the www.mups.co.uk domain will use the wmups.crt and any that use mups.co.uk will validate against the mups.crt and any that use wireless..... will validate against wireless.crt

    All on the same apache server?
    Or is there a way to make the certificate valid for any of those 3 names.

    Is this really an apache issue or more of an ssl issue? Can I use virtualHost to
#2
    Contributing User, Devshed Newbie (0 - 499 posts); joined Jan 2001; 4 posts
    Your server may contain as many certs as you want, given that you have more than one static IP and IP-based vhosts are configured. Keep in mind that the cn (common name) of www.mups.co.uk and mups.co.uk don't match, not to mention a completely different domain - wireless-083.

    >> Is this really an apache issue or more of an ssl issue?

    SSL issue, and its limitation, or say its feature.
#3
    Registered User, Devshed Newbie (0 - 499 posts); joined Mar 2001; 18 posts
    so if mups.co.uk and www.mups.co.uk both point to the same static IP and I have created SSL certs for each of these with the appropriate common name how do I stop apache using the www.mups.co.uk certificate when I use the url mups.co.uk?

    Is this because of the <VirtualHost _default_ *> section that tells it to use the www.mups.co.uk cert?? I tried adding another VirtualHost above this one called <VirtualHost mups.co.uk:443> which pathed to the mups.co.uk.crt and key, but it still tried to use the www cert.

    Any ideas what I'm doing wrong?
#4
    Contributing User, Devshed Newbie (0 - 499 posts); joined Jan 2001; 4 posts
    >> how do I stop apache using the www.mups.co.uk certificate when I use the url mups.co.uk?

    You can't. You MUST use IP-based vhost.

    >> Is this because of the <VirtualHost _default_ *> section

    No. It's Name-based vhost that wouldn't work with SSL.

    >> but it still tried to use the www cert

    Because that's what SSL is. Again, you MUST use IP-based vhost.

    You may configure Apache with SSL using Name-based vhost, but only ONE would work. To put it simply, for all the hostnames that you wanted to allow SSL connection, you MUST, it's a MUST, use IP-based vhost.
#5
    Registered User, Devshed Newbie (0 - 499 posts); joined Mar 2001; 18 posts
    Ah, I assumed IP virtual hosts and name based were the same thing. Thanks for your help, I'll go read up on them

    bb
#6
    Junior Member, Devshed Newbie (0 - 499 posts); joined Sep 2000; Sharon, Connecticut, USA; 6 posts

    SSL Wildcard Cert
    "mups.co.uk" and "www.mups.co.uk" cannot share a certificate, no matter what you do. You have to choose one to be the way the site will be addressed. Technically, www.mups.co.uk is a subdomain of mups.co.uk.

    However, multiple subdomains can share a "wildcard" certificate. For example, "www.mups.co.uk" and "muds.mups.co.uk" *could* use the same certificate - without browser warnings - as long as the CN (common name) in the cert is "*.mups.co.uk" (star-dot-mups-co-uk).

    If the subdomains are on the same IP address, then the sites would be the same site, whereas if each has its own IP address, then the sites would be separate and distinct. Each distinct SSL site must have its own IP address.

    Wildcard certs can be signed by VeriSign or Thawte, but for a higher fee than for a non-wildcard (ordinary) cert.

    --=o=--
#7
    Junior Member, Devshed Newbie (0 - 499 posts); joined Oct 2000; 15 posts
    Now, suppose I have to use Name based virtual host, can I put the secure server on a different port?

    Would that solve the problem?

    Helicon
#8
    Junior Member, Devshed Newbie (0 - 499 posts); joined Sep 2000; Sharon, Connecticut, USA; 6 posts

    secure server port
    The secure server is already running on another port. The http protocol defaults to port 80 and https (ssl) to port 443. You can run one ssl vhost on port 443 for each ip address you have.

    You *can* connect to other ports if you like by running a daemon that listens on that port, but you can run only one ssl host per ip address per port.

    For non-standard ports, the port must be entered explicitly in the url, e.g.,

    https://sslhost.exampledomain.com:88.../somefile.html
#9
    Contributing User, Devshed Newbie (0 - 499 posts); joined Jan 2001; 4 posts
    >> Would that solve the problem?

    Read this entire thread again, I thought my statement was very clear: Because that's what SSL is. Again, you MUST use IP-based vhost.

    The wildcard cert wolph mentioned was never meant to be a workaround. It's a way to lower the cost instead of getting multiple certs. In doing so, you don't need to configure a different cert for each servername. You still need to use IP-based vhost configuration.

    Once again, if you need SSL support for 5 vhosts, you need 5 IPs. Name-based vhost configuration by all means is to configure ONE IP. That said, if you need SSL support for just your default server, you can use name-based vhost, but none of your vhosts can implement SSL. To put it simply, ONE IP -> ONE SSL site.

    You might say, what if I don't care about any SSL error and force my vhosts to use a self-signed cert for each vhost in name-based vhost environment.

    You can do that, but that doesn't solve the ONE IP ONE SSL problem. In addition to the SSL error, all of your vhost sites would be the same site as your default SSL site. If you go to https://www.vhost.com, you will see the exact content of https://www.yourdomain.com, so there is no point in configuring Apache in such a way.
    Right, if www.vhost.com is a serveralias of www.yourdomain.com, then that would be what you want just because you want both sites to be the same.

    Using a different port has nothing to do with SSL, but with the port Apache listens to.
#10
    Registered User, Devshed Newbie (0 - 499 posts); joined Nov 2012; 8 posts
    A wildcard ssl certificate will solve your problem. But also most new ssl certificates use the SAN to include www. as well, so there is no need to buy 2 ssl certs anymore.
#11
    Contributing User, Devshed Newbie (0 - 499 posts); joined Jun 2012; 24 posts
    Originally Posted by jasonmoran:
    A wildcard ssl certificate will solve your problem. But also most new ssl certificates use the SAN to include www. as well, so there is no need to buy 2 ssl certs anymore.
    Of course, a SAN SSL certificate secures multiple domains, so you don't need to buy another certificate. SAN SSL is also known as multi domain SSL.
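The name check behind the warnings in this thread, written out as an added example (not code from the thread, from Apache or from OpenSSL). It applies the SAN-first rule with RFC 6125 style wildcards to three constructed certificates: the poster's www-only cert, the wildcard cert from post #6, and the SAN cert from posts #10 and #11; the wireless host name is a placeholder because the thread truncates it.

```python
# Added example, not code from this thread or from Apache/OpenSSL: the
# hostname check a browser applies to a certificate, which is what produces
# the "not for the name of the server" warning the original poster sees.
# Certificates are modelled as dicts with the CN and the SAN dNSName list;
# all values below are constructed for illustration.

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one CN/SAN dNSName pattern covers hostname (RFC 6125 style)."""
    pat = pattern.lower().rstrip(".").split(".")
    host = hostname.lower().rstrip(".").split(".")
    # A wildcard never spans label boundaries, so *.mups.co.uk does not
    # cover the bare mups.co.uk or a.b.mups.co.uk.
    if len(pat) != len(host):
        return False
    # Only the leftmost label may be a wildcard, and only as the whole label
    # (partial forms such as w*.mups.co.uk are deliberately rejected), and a
    # wildcard directly under a public suffix such as *.uk is refused.
    if any("*" in p for p in pat[1:]):
        return False
    if pat[0] == "*" and len(pat) < 3:
        return False
    first_ok = pat[0] == "*" or pat[0] == host[0]
    return first_ok and pat[1:] == host[1:]


def cert_matches(cert: dict, hostname: str) -> bool:
    """SAN entries are authoritative when present; CN is only a fallback."""
    names = cert.get("san") or [cert["cn"]]
    return any(name_matches(n, hostname) for n in names)


def check_names(cert: dict, hostnames: list) -> dict:
    """Map each hostname to whether a browser would accept cert for it."""
    return {h: cert_matches(cert, h) for h in hostnames}


# Constructed certificates mirroring the thread's three options.
WMUPS_CRT = {"cn": "www.mups.co.uk", "san": []}      # the poster's current cert
WILDCARD_CRT = {"cn": "*.mups.co.uk", "san": []}     # post #6's wildcard cert
# Post #10/#11's SAN cert; the third name is a placeholder because the thread
# truncates the wireless host's full name.
SAN_CRT = {"cn": "www.mups.co.uk",
           "san": ["www.mups.co.uk", "mups.co.uk", "wireless-083.placeholder.invalid"]}

HOSTS = ["www.mups.co.uk", "mups.co.uk", "wireless-083.placeholder.invalid"]

if __name__ == "__main__":
    for label, cert in [("wmups", WMUPS_CRT), ("wildcard", WILDCARD_CRT), ("san", SAN_CRT)]:
        print(label, check_names(cert, HOSTS))
```

Run as a script it prints, per certificate, which of the three names would pass; only the SAN cert covers all three from one file.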
#12
    Transforming Moderator, Devshed Supreme Being (6500+ posts); joined Mar 2007; Washington, USA; 14,143 posts