Multiple SSL Certificate on Apache

apache-2.2 ssl ssl-certificate

I know that you need multiple IP addresses if you want to use multiple SSL certificate with Apache. Assuming I have 2 IPs on my VPS (let's name them 1.1.1.1 and 2.2.2.2), I was wondering if the following setup is possible:

domain1.com would be on 1.1.1.1 and use a signed SSL certificate (from a provider like Verisign)

domain2.com, domain3.com, .. would be on 2.2.2.2 and share a self-signed certificate...

In other words, one domain needs its own signed certificate because it has to process financial transaction etc..so it will be "alone" on the first IP.. Other domain(s) only need a self signed certificate since it's only for their admin areas and I don't mind the warning(s), so they would all be on the second IP

Is such a setup possible? If so, any examples of what the virtual host config would look like?

Any help would be appreciated!


Solution 1:

It's pretty simple to have a different cert for a different IP address; just put the SSL cert stuff inside the virtualhosts for each.

Having multiple virtualhosts on a single IP won't really work at this point. There's some technologies that might work for that down the road, but the user population isn't running browsers that can do it. The user agent (browser) establishes an SSL connection and verifies the SSL connection before telling the server what host it's connecting to. You really need a separate IP for each SSL virtualhost.

<VirtualHost 1.1.1.1:443>
        ServerName foo
        DocumentRoot /var/www/foo
        CustomLog /var/log/httpd/foo.ssl_access_log combined
        ErrorLog /var/log/httpd/foo.ssl_error_log

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/foo.crt
        SSLCertificateKeyFile /etc/pki/tls/private/foo.key
</VirtualHost>

<VirtualHost 2.2.2.2:443>
        ServerName bar
        DocumentRoot /var/www/bar
        CustomLog /var/log/httpd/bar.ssl_access_log combined
        ErrorLog /var/log/httpd/bar.ssl_error_log

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/bar.crt
        SSLCertificateKeyFile /etc/pki/tls/private/bar.key
</VirtualHost>

Solution 2:

As freiheit already mentioned, there is a new way, to setup vhosts with different ssl
certificates on a single ip. But the support from the client-side is still incomplete.

Its called SNI (Server Name Indication) and it's worth a read.

Best regards...

Related

Patching AIX systems - patches are where? how to apply?
Which is best or good book or tutorial to understand linux file or directory structure
How can I create a Single-purpose keys (ssh) for use with scp?
Audit CPU and memory usage for cron jobs
Restore DB2 database
Are "unexportable" certificates a real security measure or just security theater?
Move VMware Server 2.0 Image to ESXi
Running gdb on Ubuntu 9.10 Apache2 Install
Bash Scripting: Parse File Contents Into Array
Linux or OS X Server?
wildcard ssl certificate - exchange 2010 - POP/IMAP problem
Syslog-ng: how to log severity/facility?