LinuxQuestions.org
11-19-2007, 11:30 AM   #1
70mas
Member
 
Registered: Sep 2006
Location: Slovakia
Distribution: Debian, Gentoo
Posts: 34

Rep: Reputation: 15
VirtualHost separate SSL Certificate


Hello

I am setting up a hosting company and I have some troubles with SSL certificates.

1. Can name-based (same ip, same port) virtualhosts have their own separate ssl certificates? When I was trying to make it, all other sites had the same ssl certificate as the first in virtualhost order.

Code:
<VirtualHost *:443>
    ServerName domain1.com
    ServerAdmin admin@domain1.com
    DocumentRoot /var/www/domain1.com/htdocs
    ErrorLog /var/www/domain1.com/logs/error.log
    CustomLog /var/www/domain1.com/logs/access.log combined
    
    SSLEngine On
    SSLProtocol all -SSLv2
    SSLCertificateFile /var/www/localhost/ssl/domain1.com.cert
    SSLCertificateKeyFile /var/www/localhost/ssl/domain1.com.key
</VirtualHost>
<VirtualHost *:443>
    ServerName domain2.com
    ServerAdmin admin@domain2.com
    DocumentRoot /var/www/domain2.com/htdocs
    ErrorLog /var/www/domain2.com/logs/error.log
    CustomLog /var/www/domain2.com/logs/access.log combined
    
    SSLEngine On
    SSLProtocol all -SSLv2
    SSLCertificateFile /var/www/localhost/ssl/domain2.com.cert
    SSLCertificateKeyFile /var/www/localhost/ssl/domain2.com.key
</VirtualHost>

2. How can I generate certificates to have Issued by: Hostingcompany, Inc. and Issued for: customerdomain.com? I mean one issuer and many certificates? Will they have to have the same key?

3. How can I generate certificates automatically? I mean by supplying the data in command-line instead of entering in prompt (those Country [AU]: , Common Name [CN]: etc)? I need this to be able to issue certificates automatically for the customers when they register.

Thank you in advance.
 
11-19-2007, 01:56 PM   #2
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 48
You cannot have multiple SSL certificates on one IP. The only way to do it would be to have Apache listen for https communications on different ports, but nobody is going to accept a URL like https://anything.com:440 . This is all well documented all over the net. For each site that needs an SSL certificate, you need an IP address for just that site.

For 2 and 3, you can generate your own certificates, but everybody going to look at the sites is going to have a popup telling the user that the certificate is not from a trusted authority. In reality it is just as secure as an SSL certificate from Verisign, Netsol, or Thawte, but they all have the extreme advantage of being automatically trusted by Microsoft and others. If you self generate the certificate, it will never be trusted, and realistically, no company is going to run e-commerce on a site that isn't trusted automatically. Trying to get SSL hosting on the cheap really isn't possible. The system was designed to show that you aren't some kid playing with a server, but an actual business, and the only way that works is if you make people pay a ton of money for the SSL certificate.

Peace,
JimBass

Last edited by JimBass; 11-19-2007 at 01:57 PM.
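
Questions 2 and 3 above, as an added example that is not part of any poster's reply: one private CA as the issuer, a separate key and certificate per customer domain, and `openssl req -subj` in place of the interactive prompts. The `CA_DIR` location, file names, subject values and function names are assumptions made for this sketch.

```bash
#!/usr/bin/env bash
# Added example: one private CA ("Issued by") and one key + certificate per
# customer domain ("Issued to"), generated without any interactive prompts.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"   # assumption: demo directory for all files
CA_SUBJ="/C=SK/O=Hostingcompany, Inc./CN=Hostingcompany CA"   # sample values

# Create the issuing CA once. Its key signs every customer certificate.
init_ca() {
    if [ -f "$CA_DIR/ca.key" ]; then return 0; fi
    # Minimal config so the result does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=ca_ext' \
        '[dn]' '[ca_ext]' 'basicConstraints=critical,CA:TRUE' > "$CA_DIR/ca.cnf"
    ( umask 077; openssl genrsa -out "$CA_DIR/ca.key" 2048 2>/dev/null )
    openssl req -x509 -new -config "$CA_DIR/ca.cnf" -key "$CA_DIR/ca.key" \
        -sha256 -days 3650 -subj "$CA_SUBJ" -out "$CA_DIR/ca.cert"
}

# Issue a certificate for one domain; -subj replaces the Country/CN prompts.
issue_cert() {
    domain="$1"
    case "$domain" in   # refuse anything that is not a plain host name
        ''|*[!A-Za-z0-9.-]*) echo "invalid domain: $domain" >&2; return 1 ;;
    esac
    init_ca
    # Each customer gets its own private key; only the issuer is shared.
    ( umask 077; openssl genrsa -out "$CA_DIR/$domain.key" 2048 2>/dev/null )
    openssl req -new -config "$CA_DIR/ca.cnf" -key "$CA_DIR/$domain.key" \
        -subj "/CN=$domain" -out "$CA_DIR/$domain.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$domain" \
        > "$CA_DIR/$domain.ext"
    openssl x509 -req -in "$CA_DIR/$domain.csr" -sha256 -days 365 \
        -CA "$CA_DIR/ca.cert" -CAkey "$CA_DIR/ca.key" -CAcreateserial \
        -extfile "$CA_DIR/$domain.ext" -out "$CA_DIR/$domain.cert"
}

# Helpers to inspect the result.
issuer_of()  { openssl x509 -in "$CA_DIR/$1.cert" -noout -issuer; }
subject_of() { openssl x509 -in "$CA_DIR/$1.cert" -noout -subject; }
chain_ok()   { openssl verify -CAfile "$CA_DIR/ca.cert" "$CA_DIR/$1.cert" >/dev/null 2>&1; }

issue_cert domain1.com
issue_cert domain2.com
issuer_of domain1.com
subject_of domain2.com
```

Clients accept these certificates without the warning described above only after `ca.cert` has been imported as a trusted authority; `ca.key` is the one file that must never leave the issuing host.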
 
11-19-2007, 04:07 PM   #3
70mas
Member
 
Registered: Sep 2006
Location: Slovakia
Distribution: Debian, Gentoo
Posts: 34

Original Poster
Rep: Reputation: 15
Well, it is bad to hear such things... Apache's configs are not very good for the certificates (or is it somehow intentionally done so?). On the other hand, it has no effect to create a connection twice as strongly encrypted as my bank's internet banking (128 vs 256 bit, real situation) if I am not trusted. It is just a way the Certifying Authorities get tons of money for just issuing some piece of file that has the same function as my own self-signed one. I will make a single self-signed certificate with the name (and domain) of my company for all of my customers if it is the only way (I have a single IP with a single server and in IPv4 I can't afford separate IPs for my customers). I think people ignore those popups warning about untrusted authority - so do I. But IE7's new way of handling self-signed certificates by displaying a security warning instead of the page irritates me a lot.

Anyway, thank you for a quick and useful reply.

Regards,
Tomas.
 
11-19-2007, 04:43 PM   #4
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 48
It isn't a problem with Apache, that is the way the SSL layer of protection has been designed. SSL does not at any point check to see what site you are asking for, it simply says, "ok, you asked for an SSL connection on IP a.b.c.d, so you get this and only this certificate."

And yes, as you've noticed, you can make a "stronger" SSL connection than what you get from a trusted authority by default, but you aren't trusted. It really was designed with that in mind. I firmly believe the process was done with the idea that the cost of creating a secure site would cost too much to have hackers create fraudulent ones. With only a single public IP, you'll only be able to run one secure site. Sorry, that is the way SSL was designed.

You're welcome for my help, sorry the answer isn't what you wanted to hear.

Peace,
JimBass
 
  

