LinuxQuestions.org
Linux - Newbie This Linux forum is for members that are new to Linux.
07-11-2005, 10:54 PM   #1
Swakoo
Member
Distribution: Red Hat / Fedora / CentOS
Multiple RSA Server Certificate


I have many domains in one machine (virtual hosts) and one required SSL.
I got my cert from Thawte.

As I link to my cert via ssl.conf, if I were to need SSL for my other domains, how should I do it? I read somewhere that it can't be done for certs from CAs, but self-signed is possible... anyone?

I link to my ssl via ssl.conf under the option SSLCertificateFile.
I commented out the default one (server.key) and linked to my own one (domainname.com.key).

please advise
 
07-12-2005, 02:50 AM   #2
phil.d.g
Senior Member
You can have multiple certs; you need a separate IP address for each website and then in httpd.conf you can set up IP-based virtual hosts. Name-based virtual hosts will not work with the secure protocol.
 
07-12-2005, 03:00 AM   #3
Swakoo
Member
Original Poster
Quote:
Originally posted by phil.d.g
You can have multiple certs; you need a separate IP address for each website and then in httpd.conf you can set up IP-based virtual hosts. Name-based virtual hosts will not work with the secure protocol.
Currently I have 1 physical machine with many virtual hosts: that is considered name-based hosting with virtual hosts, is it? Not sure if the terminology used is right here...

So basically... means I can't? Trying to find proper documentation to show my superior on this... only found one outdated one that talks about it.
 
07-12-2005, 04:17 AM   #4
phil.d.g
Senior Member
You can have many IP addresses point to your physical machine. My ISP has assigned me a block of 8 IPs that all point to my router, for example. If you only have the 1 IP then you are stuck with name-based virtual hosting and can't have multiple secure virtual hosts on your machine.

IP-based virtual hosts are where apache decides which website to serve dependent on which IP the browser used to access the site.

Name-based virtual hosts are where apache decides which website to serve dependent on the actual domain specified in the address bar of the browser; this only works with the newer HTTP/1.1 version, which most browsers support anyway. Normally in this case all domains hosted on the server have A records pointing to the same IP.

Last edited by phil.d.g; 07-12-2005 at 04:20 AM.
 
07-14-2005, 11:07 PM   #5
Swakoo
Member
Original Poster
If, say, I can achieve/get multiple IPs for my one server, how do I set my ssl.conf to use the multiple certs/keys?

Currently I point SSLCertificateFile to the one I have... and the SSLCertificateKey to the key...

When I try to add a second line to add the default server.key, httpd can't start...

please advise
 
07-15-2005, 03:10 AM   #6
phil.d.g
Senior Member
You'll find a section in ssl.conf if using apache2 or at the bottom of httpd.conf if using apache1.3 like:
Code:
<VirtualHost _default_:443>
...
lots of options
...
</VirtualHost>
Copy and paste the whole section and, for the second, change the options to point to the new certificates and website content; for both virtual hosts change _default_ in the line <VirtualHost _default_:443> to one of your allocated IPs and check in httpd.conf that apache is listening on all IPs and restricted to 1.

Last edited by phil.d.g; 07-15-2005 at 03:11 AM.
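A filled-in version of the layout phil.d.g describes, as an added example that is not his or Swakoo's config: two IP-based SSL virtual hosts, each bound to its own address and certificate, plus a third on port 444 for the single-IP case that comes up later in the thread (post #15). The 192.0.2.x addresses (documentation range), the example.org hostnames and their paths are placeholders; the www2.domain.com.sg paths follow Swakoo's own config.

```apache
# Added example, not the thread's own config. Addresses and example.org
# hostnames/paths are placeholders. Apache must listen on every address:port
# that a virtual host below is bound to.
Listen 192.0.2.10:443
Listen 192.0.2.11:443
Listen 192.0.2.10:444

# First certificate, bound to the first IP address.
<VirtualHost 192.0.2.10:443>
    ServerName www2.domain.com.sg
    DocumentRoot /home/www/wwwroot
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/www2.domain.com.sg.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www2.domain.com.sg.key
    ErrorLog /var/log/httpd/www2.domain.com.sg.error_log
</VirtualHost>

# Second certificate on the second IP address. No name-based matching is
# involved: the address the client connected to alone selects this host,
# so the right certificate is presented before any hostname is seen.
<VirtualHost 192.0.2.11:443>
    ServerName www.example.org
    DocumentRoot /home/www/example
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/www.example.org.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.example.org.key
    ErrorLog /var/log/httpd/www.example.org.error_log
</VirtualHost>

# Single-IP fallback from post #15: a different port carries its own
# certificate, reached as https://secure.example.org:444/ (one site per port).
<VirtualHost 192.0.2.10:444>
    ServerName secure.example.org
    DocumentRoot /home/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/secure.example.org.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/secure.example.org.key
    ErrorLog /var/log/httpd/secure.example.org.error_log
</VirtualHost>
```

After editing, `apachectl -S` (or `httpd -S`) prints which address:port each virtual host was bound to, which is the quickest way to spot a host that silently fell back to the default. Modern Apache also supports SNI, which lets name-based SSL hosts share one IP, but the thread predates that.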
 
07-15-2005, 05:45 AM   #7
Swakoo
Member
Original Poster
Quote:
Originally posted by phil.d.g
You'll find a section in ssl.conf if using apache2 or at the bottom of httpd.conf if using apache1.3 like:
Code:
<VirtualHost _default_:443>
...
lots of options
...
</VirtualHost>
Copy and paste the whole section and, for the second, change the options to point to the new certificates and website content; for both virtual hosts change _default_ in the line <VirtualHost _default_:443> to one of your allocated IPs and check in httpd.conf that apache is listening on all IPs and restricted to 1.
oooh so 2 sets of options for 2 hosts with different IPs?

then what's the diff if I specify the .key and .crt in this ssl.conf, as compared to specifying it in httpd.conf?

My current config is such that... in httpd.conf for one of the virtual hosts...
Quote:
<IfDefine HAVE_SSL>
<VirtualHost *:443>
ServerAdmin admin@domain.com
DocumentRoot /home/www/wwwroot
ServerName www.domain.com
ServerAlias www2.domain.com.sg
ErrorDocument 402 /core/error400.php
ErrorDocument 403 /core/error400.php
ErrorDocument 404 /core/error400.php
ErrorDocument 500 /core/error400.php
CustomLog /var/log/httpd/www.domain.com.access_log common
ErrorLog /var/log/httpd/www.domain.com.error_log
SSLEngine off
SSLCertificateFile /etc/httpd/conf/ssl.crt/www2.domain.com.sg.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www2.domain.com.sg.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfDefine>
In ssl.conf I have 3 lines that I changed...

Quote:
DocumentRoot "/home/www/wwwroot"
SSLCertificateFile /etc/httpd/conf/ssl.crt/www2.domain.com.sg.crt
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www2.domain.com.sg.key
1) SSL Engine is off in httpd.conf, ssl still works somehow??

2) I point directly to the document root, sslcert and sslkey... correct? because in httpd.conf I specify it also... double job? Initially I had a problem with ssl as I configured httpd.conf only, but after I configured ssl.conf it works. Seems like configuring in httpd.conf doesn't make any effect?

and it was through configuring this I realised... it works only for one virtual host...

3) my cert is www2.domain.com.sg, as I was told it must be the same name as the domain, but if I have a different alias as in this case www.domain.com, how? will it still work?

4) SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
what does it mean?

5) so must these settings be same for ssl.conf and httpd.conf ??

thanks
 
07-15-2005, 07:10 AM   #8
phil.d.g
Senior Member
No, if you have an ssl.conf file then put all your configuration in there; httpd.conf will include the file ssl.conf. Only in earlier versions of apache you didn't get an ssl.conf; everything was put into httpd.conf. Just to make myself clear: if there is an ssl.conf file then put everything to do with ssl in that and not httpd.conf.

If you have an alias and set it up correctly it should go to the right site but you will get an error similar to this image. I'll leave that image on my server for a couple of days only.

I'm not entirely sure what the line in 4 does; all I know is it is required for Internet Explorer. It's due to a bug or incompatibility with Microsoft's browser, I'm not sure which.

And to reiterate, since you asked again, the ssl options only go in one of the config files, and only in httpd.conf if and only if ssl.conf doesn't exist.

Last edited by phil.d.g; 07-15-2005 at 07:12 AM.
 
07-17-2005, 11:18 PM   #9
Swakoo
Member
Original Poster
Quote:
Originally posted by phil.d.g
No, if you have an ssl.conf file then put all your configuration in there; httpd.conf will include the file ssl.conf. Only in earlier versions of apache you didn't get an ssl.conf; everything was put into httpd.conf. Just to make myself clear: if there is an ssl.conf file then put everything to do with ssl in that and not httpd.conf.

If you have an alias and set it up correctly it should go to the right site but you will get an error similar to this image. I'll leave that image on my server for a couple of days only.

I'm not entirely sure what the line in 4 does; all I know is it is required for Internet Explorer. It's due to a bug or incompatibility with Microsoft's browser, I'm not sure which.

And to reiterate, since you asked again, the ssl options only go in one of the config files, and only in httpd.conf if and only if ssl.conf doesn't exist.
Hi, saw the image... meaning to say... I can't have the ssl cert work for both the actual domain and the alias name? or is there a way around it?

ok, I am using apache2...

hmm so saying that... the DocumentRoot in ssl.conf will supersede the DocumentRoot in httpd.conf for the name-based virtual host that is ssl-enabled?
Meaning to say, whatever I do in httpd.conf for this virtual host (DocumentRoot, SSLCertificateFile, SSLCertificateKeyFile), as long as I specify it in ssl.conf it will take effect from there?

Same goes for SSLEngine On/Off ?

thanks dude!
 
07-18-2005, 03:13 AM   #10
phil.d.g
Senior Member
A certificate is only good for one domain; if you set an alias then try and connect with that alias you will get the message in the link. It doesn't mean that the actual connection is any less secure though; it means that you are connecting to one host but the certificate is for another host. There is no way around this. For every hostname/domain you need a separate cert and an IP dedicated to that domain.

ssl.conf is included in httpd.conf, see the end of section 2 of httpd.conf. You don't want to be setting one host in ssl.conf and the same host in httpd.conf; that will just lead to unpredictable results, well maybe not unpredictable but I don't know which one apache will use, the first settings or the last.

In the earlier 1.3 series of apache there wasn't an ssl.conf, it was all appended to httpd.conf.

Keep all the ssl stuff in ssl.conf and keep the global configuration and virtual hosts (name or IP based) for normal connections (port 80) in httpd.conf.
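A way to check the alias question from post #10 (will the www2.domain.com.sg certificate be accepted for www.domain.com?) as an added shell example that is not from the thread: it builds two throwaway self-signed certificates and tests which hostnames each one covers. It goes one step beyond the thread by also showing that a subjectAltName entry lets a single certificate cover the alias too; the cert_covers_host function and both certificates are constructed for this example and stand in for the CA-issued one.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl command-line tool.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed cert 1: CN only, like the thread's www2.domain.com.sg certificate.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www2.domain.com.sg" \
  -keyout "$WORK/cn-only.key" -out "$WORK/cn-only.crt" 2>/dev/null

# Constructed cert 2: same CN plus a subjectAltName that also lists the alias.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www2.domain.com.sg" \
  -addext "subjectAltName=DNS:www2.domain.com.sg,DNS:www.domain.com" \
  -keyout "$WORK/san.key" -out "$WORK/san.crt" 2>/dev/null

# cert_covers_host CERT HOST: returns 0 when HOST equals the subject CN or one of
# the DNS entries in subjectAltName (exact match only; wildcards are not handled).
cert_covers_host() {
  cert="$1"; host="$2"
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
       | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p')
  # The SAN list is printed on the line after the "Subject Alternative Name" header.
  sans=$(openssl x509 -in "$cert" -noout -text \
       | sed -n '/Subject Alternative Name/{n;p;}' | tr ',' '\n' \
       | sed -n 's/^ *DNS:\(.*\)$/\1/p')
  [ "$host" = "$cn" ] && return 0
  for s in $sans; do
    [ "$host" = "$s" ] && return 0
  done
  return 1
}

# Report which names each certificate would be accepted for without a warning.
for crt in cn-only san; do
  for h in www2.domain.com.sg www.domain.com; do
    if cert_covers_host "$WORK/$crt.crt" "$h"; then echo "$crt.crt covers $h"
    else echo "$crt.crt does NOT cover $h"; fi
  done
done
```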
 
07-19-2005, 03:40 AM   #11
Swakoo
Member
Original Poster
Quote:
Originally posted by phil.d.g
A certificate is only good for one domain; if you set an alias then try and connect with that alias you will get the message in the link. It doesn't mean that the actual connection is any less secure though; it means that you are connecting to one host but the certificate is for another host. There is no way around this. For every hostname/domain you need a separate cert and an IP dedicated to that domain.

ssl.conf is included in httpd.conf, see the end of section 2 of httpd.conf. You don't want to be setting one host in ssl.conf and the same host in httpd.conf; that will just lead to unpredictable results, well maybe not unpredictable but I don't know which one apache will use, the first settings or the last.

In the earlier 1.3 series of apache there wasn't an ssl.conf, it was all appended to httpd.conf.

Keep all the ssl stuff in ssl.conf and keep the global configuration and virtual hosts (name or IP based) for normal connections (port 80) in httpd.conf.
Because I was following a document to specify <IfDefine_HAVESSL> in httpd where I set the virtual host... so your recommendation is that I ignore it totally, and just leave everything (virtual host settings) as it is, and not put

- SSLEngine On
- SSLCertificateFile
- SSLCertificateKeyFile
- SetEnvIf User-Agent

if I just have the standard <VirtualHost></VirtualHost> without defining SSL, will the https connection to the particular domain still work?

For the last one, without it in the virtual host area, the site won't work in IE...
the SSLEngine... doesn't make any difference...

SSLCertificateFile and SSLCertificateKeyFile

there?

Or do I still need it to be there?

For document root, I think I will leave it at the virtual host settings as you mentioned.
 
07-19-2005, 08:25 AM   #12
phil.d.g
Senior Member
Follow the guide you have but instead of editing httpd.conf, edit ssl.conf - you will find all the defaults have been set in there and you can change them to suit your particular environment. It seems with the newest versions of apache they want to separate the ssl config from the rest of the configuration.
 
07-19-2005, 08:55 PM   #13
Swakoo
Member
Original Poster
Quote:
Originally posted by phil.d.g
Follow the guide you have but instead of editing httpd.conf, edit ssl.conf - you will find all the defaults have been set in there and you can change them to suit your particular environment. It seems with the newest versions of apache they want to separate the ssl config from the rest of the configuration.
What about SSLEngine On/Off?
And do I still need to define another similar set of virtual host settings with additional <IfDefine_HAVESSL></IfDefine> tags?

thanks dude, you've been great help!
 
07-20-2005, 05:30 AM   #14
Swakoo
Member
Original Poster
been doing some testing (as I am trying to get the ssl site to work via a load balancer - headache... but fun at the same time)

just did some tests and have some thoughts. Am I right to say... if I already have a <VirtualHost> setting for a particular domain, and I want it to have SSL connectivity, I can ignore adding another <VirtualHost> settings with the <IfDefine_HAVESSL> settings? As long as in ssl.conf I point:

- DocumentRoot
- SSLCertificateFile
- SSLCertificateKeyFile....

correctly, it will automatically allow the SSL connection? No need to create an extra virtual host tag just for port 443 and ssl blah blah?


And if say, I want to allow multiple name-based virtual hosts to have SSL (but only 1 IP - yeah shitty huh), I can spoof it by creating another <VirtualHost> in ssl.conf but use another port... say... port 444... will it work? if the links are given such as https://domainwithssl.com:444

thanks people!
 
07-20-2005, 07:44 AM   #15
phil.d.g
Senior Member
SSLEngine On/Off should be in ssl.conf

The <IfDefine SSL> bit tells apache to only use these options if you have issued a `httpd startssl` rather than just `httpd start`; you still need the virtual host bit.

Yes you can have different secure sites on different ports with the same IP, but only 1 secure site per port.
 
  

