You can configure a single Apache instance with many SSL-enabled virtualhosts on the same IP/port, but every virtualhost must be under the same domain.
This can be done using a "wildcard certificate", where you set the subjectAlternativeName to DNS:*.mydomain.com.
Then, if your virtualhosts fall into a.mydomain.com, b.mydomain.com and so on, you can use a single certificate.

Obviously this is not a choice if you are an ISP, but if you serve a homogeneous set of services inside a corporation (subdivided into divisions, for example) this is a good way to do it.

If you need more details, I can post some confs.
My experience was on CentOS 5.2 with Apache/2.2.9 (Unix) mod_ssl/2.2.9 OpenSSL/0.9.8b DAV/2 PHP/5.2.6.

Search Google for "wildcard certificate" and you'll get more information, especially on compatibility with browsers.

Hope this helps.

Mark Lavi wrote:
"Kevin Murphy" <kevinpatrickmur...@gmail.com> writes:

...would like to get some clarification on the above points.
It would be terrific if I could use one certificate for multiple hosts.

Kevin:

That is the default behavior of Apache when you configure the SSL
enabled web server instance to respond on all IP addresses (with a
wildcard) on the port: a single certificate responds to all requests on the
port. The only way to offer different certificates in Apache is to
create separate SSL instances responding on different IP addresses
and/or ports. Fortunately, it seems you're getting what you need!

I believe the article you referenced describes how to recompile Apache
with GnuTLS and patches to offer multiple certificates on the same IP
address and port, much like virtualhost can offer different docroots on
the same IP address and port.

From my limited understanding, virtualhost certificates on the same IP
address and port are still a work in progress with Apache server and
would require a RFC4633 compliant client.

Cheers,

Mark Lavi, Senior Web Producer, SGI
ml...@sgi.com || tel: 408.524.7347 || sgi.com <http://www.sgi.com/> 

Innovation for Results

From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Kevin Murphy
Sent: Thursday, January 08, 2009 9:51 PM
To: openssl-users@openssl.org
Subject: TLS SSL and virtual hosts


Hi OpenSSL Users,

I am setting up an Ubuntu 8.10 LAMP server on a Linode VPS. I have an
older Ubuntu 6.10 VPS set up as well that I configured with self-signed
certificates and CAcert. I would like to set this new server up with a
certificate from Thawte, or Verisign, et al. (I'm open to suggestions)...
But, more importantly, I was wondering if anyone could clarify something
for me. I am reading conflicting information with regards to SSL certs
and vhosts.

I came across a couple of "howto" articles for setting up one certificate
that will cover all virtual hosts on a web server... one static IP, one
certificate, multiple sites, lots of saved money!

One post did this using gnutls,
http://www.g-loaded.eu/2007/08/10/ssl-enabled-name-based-apache-virtual-hosts-with-mod_gnutls/

another post using recompiled Apache and OpenSSL,
http://howtoforge.com/enable-multiple-https-sites-on-one-ip-using-tls-extensions-on-debian-etch

One knowledgeable person claimed that the gnutls method would hinder
performance, while a different and more recent post claimed that the
latest gnutls is now the better way to go.

These posts were all made in 2006-2007; I can't find any recent howtos
or information as to whether OpenSSL or Apache still require recompiling
(I don't have any experience with that, just "apt-get install..." and
configure) or whether this can really be done effectively, as the Apache
docs claim it cannot be
(http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts).

Needless to say, I am new to SSL, CAs, encryption, etc., and would like
to get some clarification on the above points. It would be terrific if
I could use one certificate for multiple hosts. I do realize that folks
with older browsers would still get a security warning, but I think the
ability to have multiple hosts under one certificate would be far more
beneficial!

Thanks in advance for the help opensslers,

Kevin 

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

--
Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701  Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino
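As an added example (not part of the thread, and not Sergio's configuration), the following script builds the kind of wildcard certificate the first reply describes, a self-signed one with subjectAltName set to DNS:*.mydomain.com, and then uses OpenSSL's own hostname verification to show exactly which virtualhost names it covers. The domain, file names and the 30-day validity are constructed placeholders; it assumes OpenSSL 1.1.1 or newer on the PATH (for `-addext` and `-verify_hostname`). The checks at the end make two limits of a wildcard visible: the bare apex name (mydomain.com) is only covered because it is listed as a second SAN entry, and a name with an extra label (x.a.mydomain.com) is not covered, since the wildcard matches a single left-most label only.

```bash
#!/bin/sh
# Added example: generate a wildcard certificate and probe its coverage.
# Assumes OpenSSL >= 1.1.1. "mydomain.com" and the paths are constructed.
set -e

WORK=$(mktemp -d)
CERT="$WORK/wildcard.pem"   # certificate Apache would load with SSLCertificateFile
KEY="$WORK/wildcard.key"    # private key for SSLCertificateKeyFile

# Create key and self-signed certificate in one step. The SAN carries the
# wildcard; the apex name has to be listed explicitly, a wildcard never
# covers it on its own.
make_wildcard_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$KEY" -out "$CERT" \
    -subj "/CN=*.mydomain.com" \
    -addext "subjectAltName=DNS:*.mydomain.com,DNS:mydomain.com" \
    >/dev/null 2>&1
}

# Exit 0 if the certificate is valid for hostname $1, non-zero otherwise.
# The certificate is self-signed, so it serves as its own trust anchor here;
# with a CA-issued certificate you would pass the CA bundle to -CAfile.
covers_host() {
  openssl verify -CAfile "$CERT" -verify_hostname "$1" "$CERT" >/dev/null 2>&1
}

make_wildcard_cert

# Show the SAN extension as written into the certificate.
openssl x509 -in "$CERT" -noout -ext subjectAltName

# Probe the names a set of virtualhosts might use.
for h in a.mydomain.com b.mydomain.com mydomain.com x.a.mydomain.com other.example; do
  if covers_host "$h"; then
    echo "$h: covered"
  else
    echo "$h: NOT covered"
  fi
done
```

Run it as `sh wildcard-check.sh`; the expected report is that a.mydomain.com, b.mydomain.com and mydomain.com are covered while x.a.mydomain.com and other.example are not. The same `openssl verify -verify_hostname` check is a cheap way to confirm, before restarting Apache, that every ServerName and ServerAlias you intend to serve from one certificate is actually matched by it.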
