[EMAIL PROTECTED] wrote:
I don't think you can make multiple (virtual) servers work with SSL on one IP address and port. Virtual servers work with an HTTP 1.1 header field (the "Host:" header), whereas the SSL handshake takes place before any HTTP headers are exchanged. So the server has no way to decide which certificate to present during the SSL handshake, and the browser will complain (and typically won't even start to send the HTTP headers) if the server sends the wrong one.

On 3/13/06 8:43 AM, [email protected] wrote to All:

On Mon, 2006-03-13 at 08:35 -0500, [EMAIL PROTECTED] wrote:

So for one group, they will give them a HTTPS URL for domainX, and for another group, they will give them another HTTP URL for DomainY, but they will be hitting the same IP server.

sounds like a virtual domain. If you have 2 domains hitting the same web server is that not virtual hosting?

I would think so. But they are using the same IP address. Our web server, per IP, is only reading 1 CRT and 1 KEY file that was created for the single common name; domain used by the customer when he got the certificate.

They have 1 web server setup. According to them, they had multiple domains going to the same IP NON-SSL web side. This is purely based on having multiple A records to the same IP address. But now when they turned on SSL, with one certificate, they are running into browser "domain mismatch" conflicts. So I was asked how to resolve this.

If they get multiple certificates, one per common name, but each going to the same IP, my web server is not seeing the difference. I think the issue is me not having the technique for preparing OPENSSL to handle it. Can you put multiple certificates and keys into one single CRT? I tried this, and my two test domains going to the same IP used the first certificate/key pair in the file.

Does this make sense? Beating a dead horse?? Customer must switch to using virtual domains with multiple IPs?
I think it should work if you can bind the virtual servers to different ports, though I have not tried this myself. Using different IP-Addresses for the virtual servers should be no problem, I have done this multiple times using IIS.
Thanks --- hector
Hope it helps.

Ted ;)

--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
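The certificate-selection problem discussed in this thread, as an added example that is not part of the original messages: a small configuration audit that picks the certificate from the listening IP address and port alone (the "Host:" header is not yet available) and reports which virtual hosts would trigger a browser domain mismatch. All hostnames and addresses are constructed, and the "first certificate in the file is used" rule models the behaviour reported above rather than any particular server's documented behaviour.

```python
from collections import namedtuple

# Constructed sample configuration (hypothetical names and addresses).
VHost = namedtuple("VHost", "hostname ip port")

def name_matches(cert_name, hostname):
    """Browser-style check: exact match, or '*.' wildcard covering one label."""
    cert_name, hostname = cert_name.lower(), hostname.lower()
    if cert_name.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == cert_name[2:]
    return cert_name == hostname

def presented_cert(listeners, ip, port):
    """The certificate is chosen from the socket (ip, port) alone, because the
    Host: header has not been sent yet. With several certificates configured
    on one listener, the first is used, as observed in the thread."""
    return listeners[(ip, port)][0]

def audit(vhosts, listeners):
    """Return (hostname, presented certificate names) for every virtual host
    whose visitors would see a domain mismatch warning."""
    problems = []
    for vh in vhosts:
        cert_names = presented_cert(listeners, vh.ip, vh.port)
        if not any(name_matches(n, vh.hostname) for n in cert_names):
            problems.append((vh.hostname, cert_names))
    return problems

# Both names on one IP and port, two certificates configured:
# the second certificate is never served.
SHARED = {("192.0.2.10", 443): [["www.domainx.example"], ["www.domainy.example"]]}
SHARED_VHOSTS = [VHost("www.domainx.example", "192.0.2.10", 443),
                 VHost("www.domainy.example", "192.0.2.10", 443)]

# The workaround suggested in the thread: one IP address (or port) per certificate.
SPLIT = {("192.0.2.10", 443): [["www.domainx.example"]],
         ("192.0.2.11", 443): [["www.domainy.example"]]}
SPLIT_VHOSTS = [VHost("www.domainx.example", "192.0.2.10", 443),
                VHost("www.domainy.example", "192.0.2.11", 443)]

if __name__ == "__main__":
    print("shared listener:", audit(SHARED_VHOSTS, SHARED))
    print("split listeners:", audit(SPLIT_VHOSTS, SPLIT))
```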
