I received this response from a similar question on this forum. I wanted to know about getting a SSL Certificate on JoesFood.com and MarysClothes.com that is on the same IP address separated by virtual hosts.
They said it couldn't be done.
"Keep in mind you can only have ONE!! SSL-certificate per IP and Port combination. So if you register the SSl-cert for site1.com you can't host https site2.com on the same server. Virtual hosts don't work the same way in SSL-mode as for normal http mode (the certificate is presented by the server BEFORE the server could check for which virtual host the request should be processed)
> - Should I be getting the certificate for http://mycompaniesserver.c
get it for mycompaniesserver.com (reason above)
"
I read in an O'Reilly book that:
"In most common implementations of SSL, you are limited to one SSL host per address and port number. Thus, you either need to have a unique IP address for each SSL host or run them on alternate ports to get more than one on a particular address"
I just talked to a representative from VeriSign about this and he said that SSL has nothing to do with IP at all. He said the Certificate is just about the domain name so if I wanted to transfer one from Host A to Host B , thats fine. If I want to host Mary and Joe on the same IP and use alternate SSL Certificates, thats fine too..
So that totally contradicts what these other two resources said..
Can someone please clear this up for me??
This Question has been solved and asker verified All Experts Exchange premium technology solutions are available to subscription members.
Experts Exchange has been collecting answers to technology questions since 1996…3 million and counting! If you have a question, chances are we already have your answer.
If you can't find the exact answer you're looking for, ask our exclusive community of 50,000 experts. You’ll get a personalized answer from a trusted professional.
Thousands of free tech tips, tricks, how-to’s and tutorials are available in our peer reviewed articles section. See for yourself how smart our experts are, no login required.
Save solutions to your questions, answers you’ve discovered through searching plus helpful articles in your personal knowledgebase for easy future access.
Access the answers to your technology questions today.
30-day free trial. Register in 60 seconds.
Members of the expert community talk about why the experience at Experts Exchange is different than what you will find anywhere else.
Try it out and discover for yourself.
30-day free trial. Register in 60 seconds.
Join the community of experts here and help other tech pros by answering question in your area of expertise. You can earn FREE access to all Experts Exchange's premium features and resources.
Apache still has the restriction of one certificate when using name based virtual hosting.
http://httpd.apache.org/do
The only way around it is to have a unique IP address or a unique port for each host you want to have a separate SSL certificate for.
That I am aware of you can not get a certificate for a domain name. Certificates are to verify you are talking to a specific host, not any host within a domain.
You can get a certificate for any single host name and load it into Apache. If the certificate does not match the host name the user is going to, they will get a little pop-up warning that the name on the certificate does not match the name of the host they are going to.
So you could get a certificate for "host1.mydomain.com", set that host as the default virtual host in apache.
Now anybody going "https://host1.mydomain.co
However if you have a second virtual host of host2.mydomain.com, if somebody goes "https://host2.mydomain.co
The host name on the certificate does NOT need match the host name of the server. It can, but does not need to, match at least one of the virtual host names that you are hosting in Apache.
If it does not match any of the virtual host names under Apache, then everybody that goes to any host under Apache will get the pop-up that the certificate and host name do not match.
Ignore domain names, they do not come into place.
Certificates only deal with fully qualified domain names (FQDN), that is "host.domain.tdl" or "host.subdomain.domain.tdl
One host name per certificate.
Example, say you have four "websites" you want to host:
web1.dom1.tdl
web2.dom1.tdl
web1.dom2.tdl
web2.dom2.tdl
and you want to use SSL for all of them. You can:
1) Get one certificate using one of the four names (say web1.dom1.tdl). Install it under a single Apache instance, with a single IP address for all four virtual hosts. Anybody going https://web1.dom1.tdl will never get the pop-up, everybody going to any of the other 3 hosts will get a pop-up.
2) Get one certificate for each of the four names. Install it under a single Apache instance, with a unique IP address for each virtual host (ip address based virtual hosts, not named based virtual hosts). Nobody will get the pop-up.
3) Get one certificate for each of the four names. Run 4 separate web servers on four separate boxes, no virtual hosts under Apache. Nobody will get prompted.
You cannot get a single certificate for dom1.tdl and have it work for both web1.dom1.tdl. A certificate works at the host level, not the domain level.
You you can do it by port. However that means that when a user goes to your URL instead of enter:
https://www.MarysBrownies.
https://www.MyWebsite.net
they would have to enter:
https://www.MarysBrownies.
https://www.MyWebsite.net:
In order to not get the pop-up about name mis-match on the certificate. The other problem you will encounter is firewalls. Most firewalls are configured to allow port 80 and 443 outbound, but not other ports. So if I am sitting behind a firewall and I enter:
https://www.MarysBrownies.
my firewall may block this as port 740, as it is not port 80 or 443. A lot of home/personal firewalls may NOT block this, but most corporate/business firewalls WILL block non-standard ports.
There may also be issues if somebody is sitting behind a proxy/socks servers and attempting to access http or https over a non-standard port.
If you are planning to do commercial web hosting, require SSL, and do not want the pop-up about name mismatch, then I would suggest that you get service where you have multiple IP addresses and use a unique IP address for each site that requires SSL and use virtual hosts based on IP address for the SSL sites. For the non-SSL sites you can use a single IP address and use name based virtual hosting.
Business Accounts
Answer for Membership
by: giltjrPosted on 2007-10-20 at 17:55:10ID: 20116476
At one time SSL certificates were based on the source IP address. This has changed and it now based on HOST name, notice HOST name, not domain name.
Typically you need a unique SSL certificate for each individual host. There may be something new where you can pay lots of money to get a certificate for you domain, that allows you to create your own certificates for each individual host, but a certificate is unique to a host name, not a domain name.
However, you still need to be careful. I believe that Apache can only use one certificate when doing virtual hosting, I am not sure about this. I would have to check.