Linux - ServerThis forum is for the discussion of Linux Software used in a server related context.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Introduction to Linux - A Hands on Guide
This guide was created as an overview of the Linux Operating System, geared toward new users as an exploration tour and getting started guide, with exercises at the end of each chapter.
For more advanced trainees it can be a desktop reference, and a collection of the base knowledge needed to proceed with system and network administration. This book contains many real life examples derived from the author's experience as a Linux system and network administrator, trainer and consultant. They hope these examples will help you to get a better understanding of the Linux system and that you feel encouraged to try out things on your own.
Click Here to receive this Complete Guide absolutely free.
I am setting up a hosting company and I have some troubles with SSL certificates.
1. Can name-based (same ip, same port) virtualhosts have their own separate ssl certificates? When I was trying to make it, all other sites had the same ssl certificate as the first in virtualhost order.
2. How can I generate certificates to have Issued by: Hostingcompany, Inc. and Issued for: customerdomain.com. I mean one issuer and many certificates? Will they have to have the same key?
3. How can I generate certificates automatically? I mean by supplying the data in command-line instead of entering in prompt (those Country [AU]: , Common Name [CN]: etc)? I need this to be able to issue certificates automatically for the customers when they register.
You cannot have multiple SSL certificates on one IP. The only way to do it would be to have apache listen for https communications on different ports, but nobody is going to accept a URL like https://anything.com:440 . This is all well documented all over the net. For each site that needs a SSL certificate, you need an IP address for just that site.
For 2 and 3, you can generate your own certificates, but everybody going to look at the sites are going to have a popup telling the user that the certificate is not from a trusted authority. In reality it is just as secure as a SSL from Verisign, Netsol, or Thawte, but they all have the extreme advantage of being automatically trusted by Microsoft and others. If you self generate the certificate, it will never be trusted, and realistically, no company is going to run e-commerce on a site that isn't trusted automatically. Trying to get SSL hosting on the cheap really isn't possible. The system was designed to show that you aren't some kid playing with a server, but an actual business, and the only way that works is if you make people pay a ton of money for the SSL certificate.
Well, It is bad to hear such things... Apache's configs are not very good for the certificates (or is it somehow intentionally done so?). On the other hand, it has no effect to create a connection twice as strongly crypted as my bank's internetbanking (128 vs 256 bit, real situation) if i am not trusted. It is just a way the Certifying Authorities get tons of money for just issuing some piece of file that has the same function as my own self-signed. I will make a single self-signed certificate with the name (and domain) of my company for all of my customers if it is the only way (I have a single IP with a single server and in IPv4 I can't afford separate IPs for my customers). I think people ignore those popups warning about untrusted authority - so do I But the IE7's new way of handling of self-signed certificates by displaying a security warning instead of the page irritates me a lot
It isn't a problem with Apache, that is the way the SSL layer of protection has been designed. SSL does not at any point check to see what site you are asking for, it simply says, "ok, you asked for a SSL connection on IP a.b.c.d, so you get this and only this certificate."
And yes, as you've noticed, you can make a "stronger" SSL connection than what you get from a trusted authority by default, but you aren't trusted. It really was designed with that in mind. I firmly believe the process was done with the idea that the cost of creating a secure site would cost too much to have hackers create fraudulent ones. With only a single public IP, you'll only be able to run one secure site. Sorry, that is the way SSL was designed.
You're welcome for my help, sorry the answer isn't what you wanted to hear.