[SOLVED] certificate

testy8888 · 10-08-2020, 04:30 AM

Hi,
I like to use tls for several virtualhosts.
I create a private key on that host then an csr.
I receive then a CA root signed certificate.
Then i create intermediate certificates for every virtual host.
For every virtualhost i use the same private key that i created above.right?
Can i use different private key for every virtual host?

For every host where i need a CA root signed certificate i must issue a separate csr?

TenTenths · 10-08-2020, 06:01 AM

You will need a separate CSR and certificate for every virtualhost that has a different domain name.

You can use the same private key, although I'd strongly recommend a different one for each domain name.

testy8888 · 10-08-2020, 07:34 AM

if i have 5 servers than i need 5 private keys,each server -a private key.right?

You can use the same private key, although I'd strongly recommend a different one for each domain name.
it mean that i create for every domain name that is served by a certain virtual host a separate private key.right?
i.e. www.test1.com served by virthost1 and www.test2.com served by virtual host 2 on the same physical server,will have each an private key.

TenTenths · 10-08-2020, 07:52 AM

Quote:

Originally Posted by testy8888

if i have 5 servers than i need 5 private keys,each server -a private key.right?

You are best to use a different private key for each domain name. If you have 5 physical servers for each domain name you can use the same private key on each of the physical servers.

Quote:

Originally Posted by testy8888

it mean that i create for every domain name that is served by a certain virtual host a separate private key.right?
i.e. www.test1.com served by virthost1 and www.test2.com served by virtual host 2 on the same physical server,will have each an private key.

Yes.

You can use https://letsencrypt.org/ for free certs, if you use their recommended "certbot" it will handle creation of the private keys for you and is well documented.

testy8888 · 10-09-2020, 04:01 AM

Let`s say that an application is behind an apache server and apache is configured with tls traffic->there is an certificate and a private key.
when using - browser to access that application,the traffic will be encrypted between the browser and the application.right?
The application takes advantage of apache configured for tls.

TenTenths · 10-09-2020, 04:45 AM

Quote:

Originally Posted by testy8888

Let`s say that an application is behind an apache server and apache is configured with tls traffic->there is an certificate and a private key.
when using - browser to access that application,the traffic will be encrypted between the browser and the application.right?

The traffic is encrypted between the browser and apache, you don't provide enough detail about your application to provide you more information.

Examples:
1) A forum website could be considered an "application", phpMyAdmin could be considered an "application", in these cases the website code is being executed by apache so all traffic between the browser and the application would be encrypted.

2) Apache acts as a reverse proxy / front end, passing traffic to some other process on the server. In this case the traffic between the browser and apache would be encrypted using the cert/key pair above, however the traffic between apache and the other process may not necessarily be encrypted. A (partial) example of where apache does the TLS termination but passes on the traffic unencrypted is shown below:

Code:

<VirtualHost _default_:443>
  ProxyPreserveHost On
  ProxyRequests Off
  ServerName somehost.example.com
  ProxyPass / http://localhost:8000/
  ProxyPassReverse / http://localhost:8000/
...

So without knowing what you actually mean by "application" it's impossible to say where encryption will end.