MattKenefick asked:
One SSL Certificate per IP?? Are you sure??

I received this response from a similar question on this forum. I wanted to know about getting an SSL certificate for JoesFood.com and MarysClothes.com, which are on the same IP address separated by virtual hosts.
They said it couldn't be done.

"Keep in mind you can only have ONE!! SSL certificate per IP and port combination. So if you register the SSL cert for site1.com you can't host https site2.com on the same server. Virtual hosts don't work the same way in SSL mode as for normal http mode (the certificate is presented by the server BEFORE the server could check for which virtual host the request should be processed).

>  - Should I be getting the certificate for http://mycompaniesserver.com/  or for the domain name that is going to be using it?
get it for mycompaniesserver.com (reason above)
"


I read in an O'Reilly book that:

"In most common implementations of SSL, you are limited to one SSL host per address and port number. Thus, you either need to have a unique IP address for each SSL host or run them on alternate ports to get more than one on a particular address"


I just talked to a representative from VeriSign about this and he said that SSL has nothing to do with IP at all. He said the certificate is just about the domain name, so if I wanted to transfer one from Host A to Host B, that's fine. If I want to host Mary and Joe on the same IP and use alternate SSL certificates, that's fine too..

So that totally contradicts what these other two resources said..



Can someone please clear this up for me??
giltjr:

At one time SSL certificates were based on the source IP address. This has changed and it is now based on HOST name; notice HOST name, not domain name.

Typically you need a unique SSL certificate for each individual host.  There may be something new where you can pay lots of money to get a certificate for your domain that allows you to create your own certificates for each individual host, but a certificate is unique to a host name, not a domain name.

However, you still need to be careful.  I believe that Apache can only use one certificate when doing virtual hosting, I am not sure about this.  I would have to check.
Apache still has the restriction of one certificate when using name-based virtual hosting.

    http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#vhosts

The only way around it is to have a unique IP address or a unique port for each host you want to have a separate SSL certificate for.
MattKenefick (asker):

Well, when you use
SSLEngine on
and locate the certificate file, can't you just link it to a different one?
No.  If you read the link I provided you will see that SSL negotiation takes place before any host name is passed to the server.

So if you are using 1 IP address, and two virtual hosts, there is no way to know which host you want to connect to until after the SSL process has taken place.
When I go to my SSL now it tells me it's a certificate for..

u15261991.onlinehome-server.com

Do I HAVE to get a certificate for that.. or can I get it for a domain name?
As far as I am aware, you cannot get a certificate for a domain name.  Certificates are to verify you are talking to a specific host, not any host within a domain.

You can get a certificate for any single host name and load it into Apache.  If the certificate does not match the host name the user is going to, they will get a little pop-up warning that the name on the certificate does not match the name of the host they are going to.

So you could get a certificate for "host1.mydomain.com", set that host as the default virtual host in apache.

Now anybody going "https://host1.mydomain.com" will connect without any pop-ups.

However if you have a second virtual host of host2.mydomain.com, if somebody goes "https://host2.mydomain.com" they will get a pop-up stating that the name on the certificate does not match the name of the host they are going to and they will need to click on a box that says they want to accept the certificate to allow them to connect using SSL.

The host name on the certificate does NOT need to match the host name of the server.  It can, but does not need to, match at least one of the virtual host names that you are hosting in Apache.

If it does not match any of the virtual host names under Apache, then everybody that goes to any host under Apache will get the pop-up that the certificate and host name do not match.

So like in the example I posted.. the domain name, not virtual host, is seesaw-server.net but the certificate still states u130213.onlinehome-server.com.

Can you list multiple virtual hosts on a certificate so that it won't pop up for multiple virtual hosts?
Ignore domain names, they do not come into play.  

Certificates only deal with fully qualified domain names (FQDN), that is "host.domain.tld" or "host.subdomain.domain.tld".


One host name per certificate.

Example, say you have four "websites" you want to host:

     web1.dom1.tld
     web2.dom1.tld
     web1.dom2.tld
     web2.dom2.tld

and you want to use SSL for all of them.  You can:

1) Get one certificate using one of the four names (say web1.dom1.tld).  Install it under a single Apache instance, with a single IP address for all four virtual hosts.  Anybody going to https://web1.dom1.tld will never get the pop-up; everybody going to any of the other 3 hosts will get a pop-up.

2) Get one certificate for each of the four names.  Install them under a single Apache instance, with a unique IP address for each virtual host (IP-address-based virtual hosts, not name-based virtual hosts).   Nobody will get the pop-up.

3) Get one certificate for each of the four names.  Run 4 separate web servers on four separate boxes, no virtual hosts under Apache.  Nobody will get prompted.

You cannot get a single certificate for dom1.tld and have it work for both web1.dom1.tld.  A certificate works at the host level, not the domain level.
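The pop-up and the three options above involve two separate mechanisms: the server chooses a certificate during the TLS handshake, before any HTTP Host header has arrived, and the browser then compares the names in the certificate with the host name the user typed. The following Python model is an added example, not code from the thread or from Apache. It walks through options 1 and 2 and, going beyond the thread, the two later mechanisms that removed the one-certificate-per-IP restriction: Server Name Indication (SNI, where the client names the host in its ClientHello) and a single certificate carrying several subjectAltName entries. Host names, IP addresses (RFC 5737 documentation range) and the vhost tables are constructed placeholders; the name matching follows RFC 6125 (wildcard only as the whole left-most label) and models only the name check, not chain or expiry validation.

```python
"""Why one certificate per IP:port was the rule, and what the client checks.

Added example, not from the thread above. Host names (web1.dom1.tld etc.) and
addresses (192.0.2.x) are constructed placeholders.
"""


def make_cert(common_name, *san_dns):
    """Build a certificate in the shape ssl.SSLSocket.getpeercert() reports:
    'subject' is a tuple of RDNs, 'subjectAltName' a tuple of (type, value)."""
    return {
        "subject": ((("commonName", common_name),),),
        "subjectAltName": tuple(("DNS", n) for n in san_dns),
    }


def dns_names(cert):
    """Names the certificate is valid for: SAN dNSName entries, else the CN."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:  # legacy fallback: CN counts only when there are no SAN DNS names
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style matching: case-insensitive, '*' only as the whole left-most
    label, and the wildcard never spans a dot or stands in for a bare TLD."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    labels = hostname.split(".")
    return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]


def cert_matches_host(cert, hostname):
    """The check a browser performs; False is the 'name does not match' warning."""
    return any(name_matches(p, hostname) for p in dns_names(cert))


def select_certificate(vhosts, dest_ip, sni=None):
    """The server's certificate choice during the TLS handshake.

    vhosts: list of {"ip", "names", "cert"}. Without SNI the server only knows the
    destination IP (the HTTP Host header arrives after the handshake), so the first
    vhost on that IP, the default, always wins: the one-cert-per-IP:port limit from
    the thread. With SNI the ClientHello carries the host name, so a name-based
    vhost on a shared IP can present its own certificate.
    """
    on_ip = [v for v in vhosts if v["ip"] == dest_ip]
    if not on_ip:
        raise LookupError(f"no virtual host listens on {dest_ip}")
    if sni:
        for v in on_ip:
            if sni.lower() in (n.lower() for n in v["names"]):
                return v["cert"]
    return on_ip[0]["cert"]


def resolve(vhosts, hostname):
    """Stand-in for DNS: the address the user's browser will connect to."""
    return next(v["ip"] for v in vhosts if hostname in v["names"])


def report(vhosts, use_sni=False):
    """{hostname: True if the user sees no certificate warning} for every vhost."""
    result = {}
    for v in vhosts:
        for host in v["names"]:
            cert = select_certificate(vhosts, resolve(vhosts, host), host if use_sni else None)
            result[host] = cert_matches_host(cert, host)
    return result


HOSTS = ["web1.dom1.tld", "web2.dom1.tld", "web1.dom2.tld", "web2.dom2.tld"]

# Option 1: one shared IP, one certificate issued for web1.dom1.tld only.
ONE_CERT = make_cert("web1.dom1.tld", "web1.dom1.tld")
OPTION1 = [{"ip": "192.0.2.10", "names": [h], "cert": ONE_CERT} for h in HOSTS]

# Option 2: each vhost on its own IP with its own certificate (IP-based vhosts).
OPTION2 = [{"ip": f"192.0.2.{11 + i}", "names": [h], "cert": make_cert(h, h)}
           for i, h in enumerate(HOSTS)]

# Shared IP, one certificate per vhost: only works when the client sends SNI.
SNI_SETUP = [{"ip": "192.0.2.10", "names": [h], "cert": make_cert(h, h)} for h in HOSTS]

# Shared IP, one certificate listing all four names in its SAN extension.
SAN_SETUP = [{"ip": "192.0.2.10", "names": [h], "cert": make_cert("web1.dom1.tld", *HOSTS)}
             for h in HOSTS]

if __name__ == "__main__":
    for label, setup, sni in [("option 1, shared IP", OPTION1, False),
                              ("option 2, IP per vhost", OPTION2, False),
                              ("per-vhost certs, client without SNI", SNI_SETUP, False),
                              ("per-vhost certs, client with SNI", SNI_SETUP, True),
                              ("one SAN cert for all four", SAN_SETUP, False)]:
        print(f"{label}: {report(setup, sni)}")
```

Running it shows that with option 1 only web1.dom1.tld is warning-free, option 2 clears all four, per-vhost certificates on a shared IP work only for SNI-capable clients (a legacy client still gets the default vhost's certificate), and a single SAN certificate covers all four names on one IP without needing SNI at all.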

I actually read in an O'Reilly Apache book that you can get them assigned per port on a single IP.

JohnsCookies.com:443 = SSL 1
MarysBrownies.com:740 = SSL 2
MyWebsite.net:535 = SSL 3

Then point each virtual host at its own SSL certificate location.
ASKER CERTIFIED SOLUTION

giltjr:

This solution is only available to members.
Explained very nicely.