I am setting up a hosting company and I have some trouble with SSL certificates.
1. Can name-based (same IP, same port) virtual hosts have their own separate SSL certificates? When I tried it, all the other sites had the same SSL certificate as the first one in virtual host order.
2. How can I generate certificates that have Issued by: Hostingcompany, Inc. and Issued for: customerdomain.com? I mean one issuer and many certificates. Will they have to have the same key?
3. How can I generate certificates automatically? I mean by supplying the data on the command line instead of entering it at the prompts (those Country [AU]:, Common Name [CN]: etc.)? I need this to be able to issue certificates automatically for the customers when they register.
You cannot have multiple SSL certificates on one IP. The only way to do it would be to have Apache listen for https communications on different ports, but nobody is going to accept a URL like https://anything.com:440. This is all well documented all over the net. For each site that needs an SSL certificate, you need an IP address for just that site.
For 2 and 3, you can generate your own certificates, but everybody who looks at the sites is going to get a popup telling them that the certificate is not from a trusted authority. In reality it is just as secure as an SSL certificate from Verisign, Netsol, or Thawte, but they all have the extreme advantage of being automatically trusted by Microsoft and others. If you self-generate the certificate, it will never be trusted, and realistically, no company is going to run e-commerce on a site that isn't trusted automatically. Trying to get SSL hosting on the cheap really isn't possible. The system was designed to show that you aren't some kid playing with a server, but an actual business, and the only way that works is if you make people pay a ton of money for the SSL certificate.
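As an added example (not posted by anyone in this thread), the script below answers points 2 and 3 in practice: one in-house issuing CA named "Hostingcompany, Inc." (the issuer from the question) signs a separate certificate, with its own key, for each customer domain, and every openssl call is driven from the command line with -subj so nothing prompts. The directory layout, file names and the second domain are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: one in-house issuing CA
# ("Hostingcompany, Inc.", as in the question) signing a separate
# certificate, with its own key, for each customer domain, all driven
# from the command line with -subj so nothing prompts. The directory
# layout and file names are assumptions.
set -eu

# make_ca CADIR: create the self-signed issuing CA key and certificate.
make_ca() {
    cadir=$1
    mkdir -p "$cadir"
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -keyout "$cadir/ca.key" -out "$cadir/ca.crt" \
        -subj "/C=AU/O=Hostingcompany, Inc./CN=Hostingcompany Issuing CA" \
        >/dev/null 2>&1
}

# issue_customer_cert CADIR DOMAIN: generate a fresh key and CSR for DOMAIN,
# sign the CSR with the CA key (the issuer is shared, the key is not),
# add a subjectAltName because browsers ignore CN alone, and print the
# path of the signed certificate.
issue_customer_cert() {
    cadir=$1; domain=$2
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$cadir/$domain.key" -out "$cadir/$domain.csr" \
        -subj "/C=AU/O=$domain/CN=$domain" >/dev/null 2>&1
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$cadir/$domain.ext"
    openssl x509 -req -in "$cadir/$domain.csr" -sha256 -days 365 \
        -CA "$cadir/ca.crt" -CAkey "$cadir/ca.key" -CAcreateserial \
        -extfile "$cadir/$domain.ext" -out "$cadir/$domain.crt" \
        >/dev/null 2>&1
    echo "$cadir/$domain.crt"
}

# verify_chain CADIR CERT: print "ok" if CERT chains to the in-house CA,
# which is what a client can only do once ca.crt is in its trust store.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1 && echo ok
}

# Demo: build the CA, issue two customer certificates, show issuer/subject.
demo_dir=$(mktemp -d)
make_ca "$demo_dir"
for dom in customerdomain.com shop.example.net; do
    crt=$(issue_customer_cert "$demo_dir" "$dom")
    openssl x509 -in "$crt" -noout -issuer -subject
    echo "chain check: $(verify_chain "$demo_dir" "$crt")"
done
```

Browsers will still show the untrusted-authority warning the answer above describes unless ca.crt is installed in their trust store; verify_chain passes only because it is told to trust that file.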
Well, it is bad to hear such things... Apache's configs are not very good for the certificates (or is it somehow intentionally done so?). On the other hand, it has no effect to create a connection twice as strongly encrypted as my bank's internet banking (128 vs 256 bit, real situation) if I am not trusted. It is just a way for the Certifying Authorities to get tons of money for just issuing some piece of file that has the same function as my own self-signed one. I will make a single self-signed certificate with the name (and domain) of my company for all of my customers if it is the only way (I have a single IP with a single server, and in IPv4 I can't afford separate IPs for my customers). I think people ignore those popups warning about an untrusted authority - so do I. But IE7's new way of handling self-signed certificates by displaying a security warning instead of the page irritates me a lot.
It isn't a problem with Apache, that is the way the SSL layer of protection has been designed. SSL does not at any point check to see what site you are asking for, it simply says, "ok, you asked for an SSL connection on IP a.b.c.d, so you get this and only this certificate."
And yes, as you've noticed, you can make a "stronger" SSL connection than what you get from a trusted authority by default, but you aren't trusted. It really was designed with that in mind. I firmly believe the process was done with the idea that the cost of creating a secure site would be too high for hackers to create fraudulent ones. With only a single public IP, you'll only be able to run one secure site. Sorry, that is the way SSL was designed.
You're welcome for my help, sorry the answer isn't what you wanted to hear.