On 4/24/10 4:42 PM, Wang, Mary Y wrote:

Crypto,

Thanks for the info on SNI. I'm currently running on httpd-2.0.46; therefore,
SNI support is not there. The browser support listed on that wiki can't
support the browser versions that are offered in the company currently. The
application is running on Redhat 3.9.

Are you saying that I can request two IPs for the same server? I'd need to
contact our admin over here. I am not sure if we can request a wildcard cert
either.

If I just request another SSL cert for the second site (not doing any of
the methods that you listed below), would Apache still use the default SSL
cert for the main site? The user would still get that warning? Is that what
you are saying?

Please advise.

Mary, you've got a few options here.

1) Upgrade your server and run SNI even though most sys admins refuse to
run it. Not likely going to be your pick.

2) Add an IP number to your server and run multiple IPs, allowing you to
set up traditional IP based SSL hosting. You have to do 1 IP per SSL
cert if you do this. This is an IP on the server. So, you'll configure
the server to take an extra IP and then add the IP to the configuration
for the SSL Apache config.

3) Run a unified multi-domain SSL certificate. You'll have to buy a new
certificate from someone who sells a unified certificate. It means you
can run multiple domains on the same IP, each with different domain
names, but hosted on the same IP. Some call this a "wildcard" SSL cert.
But, typical wildcard SSL certs are meant for X.domain.com and not X.com
and Y.com. You'll want a cert where you can assign multiple domains to
the single cert.

Most host providers will sell you an IP for this purpose, if it's an
actual physical server. If it's ephemeral (cloud hosting), that's likely
not an option.

You cannot run multiple domain certificates without either IP based SSL
configuration or SNI. IP based SSL certificates will apply the first
certificate it finds in the configuration. The second is an error, or
superfluous. It's actually a broken configuration and you should receive
an apachectl configtest error message if you test the configuration.
--
Jason A. Nunnelley
+1 2562971652
http://www.google.com/profiles/imjasonn
[Member Tekany, LLC]