Solved

One SSL Certificate per IP?? Are you sure??

Posted on 2007-10-20
7,890 Views
Last Modified: 2013-11-18
I received this response to a similar question on this forum. I wanted to know about getting an SSL certificate for JoesFood.com and MarysClothes.com, which are on the same IP address, separated by virtual hosts.
They said it couldn't be done.

"Keep in mind you can only have ONE!! SSL-certificate per IP and Port combination. So if you register the SSL-cert for site1.com you can't host https site2.com on the same server. Virtual hosts don't work the same way in SSL-mode as for normal http mode (the certificate is presented by the server BEFORE the server could check for which virtual host the request should be processed).

>  - Should I be getting the certificate for http://mycompaniesserver.com/  or for the domain name that is going to be using it?
get it for mycompaniesserver.com (reason above)
"


I read in an O'Reilly book that:

"In most common implementations of SSL, you are limited to one SSL host per address and port number. Thus, you either need to have a unique IP address for each SSL host or run them on alternate ports to get more than one on a particular address"


I just talked to a representative from VeriSign about this and he said that SSL has nothing to do with IP at all. He said the certificate is just about the domain name, so if I wanted to transfer one from Host A to Host B, that's fine. If I want to host Mary and Joe on the same IP and use alternate SSL certificates, that's fine too.

So that totally contradicts what these other two resources said..



Can someone please clear this up for me??
Question by:MattKenefick
11 Comments
LVL 57

Expert Comment

by:giltjr
ID: 20116476
At one time SSL certificates were based on the source IP address. This has changed and it is now based on HOST name, notice HOST name, not domain name.

Typically you need a unique SSL certificate for each individual host.  There may be something new where you can pay lots of money to get a certificate for your domain, that allows you to create your own certificates for each individual host, but a certificate is unique to a host name, not a domain name.

However, you still need to be careful.  I believe that Apache can only use one certificate when doing virtual hosting, I am not sure about this.  I would have to check.
LVL 57

Expert Comment

by:giltjr
ID: 20116577
Apache still has the restriction of one certificate when using name based virtual hosting.

    http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts

The only way around it is to have a unique IP address or a unique port for each host you want to have a separate SSL certificate for.
LVL 4

Author Comment

by:MattKenefick
ID: 20116611
Well, when you use the
SSLEngine on
and locate the certificate file, can't you just link it to a different one?
LVL 57

Expert Comment

by:giltjr
ID: 20116707
No.  If you read the link I provided you will see that SSL negotiation takes place before any host name is passed to the server.

So if you are using 1 IP address, and two virtual hosts, there is no way to know which host you want to connect to until after the SSL process has taken place.
LVL 4

Author Comment

by:MattKenefick
ID: 20122927
When I go to my SSL now it tells me it's a certificate for..

u15261991.onlinehome-server.com

Do I HAVE to get a certificate for that.. or can I get it for a domain name?
LVL 57

Expert Comment

by:giltjr
ID: 20123987
That I am aware of you can not get a certificate for a domain name.  Certificates are to verify you are talking to a specific host, not any host within a domain.

You can get a certificate for any single host name and load it into Apache.  If the certificate does not match the host name the user is going to, they will get a little pop-up warning that the name on the certificate does not match the name of the host they are going to.

So you could get a certificate for "host1.mydomain.com" and set that host as the default virtual host in Apache.

Now anybody going "https://host1.mydomain.com" will connect without any pop-ups.

However if you have a second virtual host of host2.mydomain.com, if somebody goes "https://host2.mydomain.com" they will get a pop-up stating that the name on the certificate does not match the name of the host they are going to and they will need to click on a box that says they want to accept the certificate to allow them to connect using SSL.

The host name on the certificate does NOT need to match the host name of the server.  It can, but does not need to, match at least one of the virtual host names that you are hosting in Apache.

If it does not match any of the virtual host names under Apache, then everybody that goes to any host under Apache will get the pop-up that the certificate and host name do not match.

LVL 4

Author Comment

by:MattKenefick
ID: 20126014
So like in the example I posted, the domain name, not the virtual host, is seesaw-server.net but the certificate still states u130213.onlinehome-server.com.

Can you list multiple virtual hosts on a certificate so that it won't pop-up for multiple virtual hosts.
LVL 57

Expert Comment

by:giltjr
ID: 20126263
Ignore domain names, they do not come into play.

Certificates only deal with fully qualified domain names (FQDN), that is "host.domain.tdl" or "host.subdomain.domain.tdl"


One host name per certificate.

Example, say you have four "websites" you want to host:

     web1.dom1.tdl
     web2.dom1.tdl
     web1.dom2.tdl
     web2.dom2.tdl

and you want to use SSL for all of them.  You can:

1) Get one certificate using one of the four names (say web1.dom1.tdl).  Install it under a single Apache instance, with a single IP address for all four virtual hosts.  Anybody going https://web1.dom1.tdl will never get the pop-up,  everybody going to any of the other 3 hosts will get a pop-up.

2) Get one certificate for each of the four names.  Install it under a single Apache instance, with a unique IP address for each virtual host (ip address based virtual hosts, not named based virtual hosts).   Nobody will get the pop-up.

3) Get one certificate for each of the four names.  Run 4 separate web servers on four separate boxes, no virtual hosts under Apache.  Nobody will get prompted.

You cannot  get a single certificate for dom1.tdl and have it work for both web1.dom1.tdl.  A certificate works at the host level, not the domain level.

LVL 4

Author Comment

by:MattKenefick
ID: 20128219
I actually read in an O'Reilly Apache book that you can get them assigned per Port/Single IP.

JohnsCookies.com:443 = SSL 1
MarysBrownies.com:740 = SSL 2
MyWebsite.net:535 = SSL 3

Then redirect the SSL Certificate location in each virtual host.
LVL 57

Accepted Solution

by:
giltjr earned 2000 total points
ID: 20128352
Yes, you can do it by port.  However that means that when a user goes to your URL, instead of entering:

   https://www.MarysBrownies.com
   https://www.MyWebsite.net

they would have to enter:

   https://www.MarysBrownies.com:740
   https://www.MyWebsite.net:535

In order to not get the pop-up about name mis-match on the certificate.  The other problem you will encounter is firewalls.  Most firewalls are configured to allow port 80 and 443 outbound, but not other ports.  So if I am sitting behind a firewall and I enter:

     https://www.MarysBrownies.com:740

my firewall may block this as port 740, as it is not port 80 or 443.   A lot of home/personal firewalls may NOT block this, but most corporate/business firewalls WILL block non-standard ports.  

There may also be issues if somebody is sitting behind a proxy/socks servers and attempting to access http or https over a non-standard port.

If you are planning to do commercial web hosting, require SSL, and do not want the pop-up about name mismatch, then I would suggest that you get service where you have multiple IP addresses and use a unique IP address for each site that requires SSL and use virtual hosts based on IP address for the SSL sites.  For the non-SSL sites you can use a single IP address and use name based virtual hosting.

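The layout the accepted answer recommends, and giltjr's four-site option 2 above it, as an added Apache 2.2 configuration example (this is not configuration from the thread or from the Apache documentation it links). The addresses 192.0.2.10 and 192.0.2.11, the host names web1.dom1.tdl, web2.dom1.tdl and web1.dom2.tdl, the document roots and the certificate paths are placeholders chosen for the example. The plain-HTTP sites share one address and are selected by the Host header; each SSL site gets its own address so Apache can choose the certificate from the destination address and port, which is known before the handshake; the last block shows the per-port variant from MattKenefick's comment and why it is awkward.

```apache
# Added example (not from the thread): Apache 2.2 layout for giltjr's
# option 2 plus the per-port variant from the accepted answer.
# Addresses, host names and paths below are placeholders for this example.

Listen 80
Listen 443

# Plain-HTTP sites: one shared address, the Host header selects the site
# (name-based virtual hosting). This is fine without SSL.
NameVirtualHost 192.0.2.10:80

<VirtualHost 192.0.2.10:80>
    ServerName   web1.dom1.tdl
    DocumentRoot /var/www/web1.dom1.tdl
</VirtualHost>

<VirtualHost 192.0.2.10:80>
    ServerName   web2.dom1.tdl
    DocumentRoot /var/www/web2.dom1.tdl
</VirtualHost>

# SSL sites: one address per site (IP-based virtual hosting). Apache picks
# the <VirtualHost> by destination address and port, which it knows before
# the TLS handshake, so each site presents its own certificate and the
# browser sees no name mismatch.
<VirtualHost 192.0.2.10:443>
    ServerName            web1.dom1.tdl
    DocumentRoot          /var/www/web1.dom1.tdl
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/web1.dom1.tdl.crt
    SSLCertificateKeyFile /etc/ssl/private/web1.dom1.tdl.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName            web2.dom1.tdl
    DocumentRoot          /var/www/web2.dom1.tdl
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/web2.dom1.tdl.crt
    SSLCertificateKeyFile /etc/ssl/private/web2.dom1.tdl.key
</VirtualHost>

# Per-port variant: a third SSL site on the shared address but on a
# non-standard port. Its certificate is only selected when the client
# connects to :740, so users must type https://web1.dom2.tdl:740 and
# outbound firewalls that allow only 80 and 443 will block the connection.
Listen 740

<VirtualHost 192.0.2.10:740>
    ServerName            web1.dom2.tdl:740
    DocumentRoot          /var/www/web1.dom2.tdl
    SSLEngine             on
    SSLCertificateFile    /etc/ssl/certs/web1.dom2.tdl.crt
    SSLCertificateKeyFile /etc/ssl/private/web1.dom2.tdl.key
</VirtualHost>
```

To confirm which certificate a given address and port commits to before any Host header is sent, connect to it directly and print the subject of the certificate the server returns, for example `openssl s_client -connect 192.0.2.11:443 </dev/null | openssl x509 -noout -subject`. If the subject is not the host name users will type for that site, they will get the name-mismatch warning the thread describes.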
LVL 4

Author Closing Comment

by:MattKenefick
ID: 31408252
Explained very nicely.