From: K P. <nnt...@gm...> - 2010-05-29 15:27:36
First, apologies to all on this ASSP list. This is not an ASSP concept that we're discussing; it's absolutely off topic and related to the Apache web server (which ASSP doesn't use).

Charles, take a step back and take a breath. I've been reading with close attention since the beginning. I keep saying the same thing:

1) We are using an Apache webserver with a single IP address
2) We are running multiple name-based virtual servers on this server, three of which use SSL
3) We are using certificates issued by a commercial CA. They are NOT self signed.

I will reply to your comments and questions inline below:

> So you're using a single self-signed cert with multiple names - or, if
> you're using separate certs for each site, then I'd like to know how
> you're accomplishing that, because everything I've ever found on doing
> this says you have to use a single cert with multiple hostnames, which
> means a self-signed cert (unless you want to spend huge bucks - if you
> can even buy these, I've never checked).
>

No, we're using several commercially issued certificates, one for each virtual server. We also could have accomplished this by purchasing a wildcard certificate if the base domain name were the same (which it's not). Google's your friend here, but it's not a complicated process. It's no different from requesting a single certificate, except you run through the process three times. In our case, we requested one certificate for each of one.domain.org, two.domain2.org and three.domain3.org.

Here's an example httpd.conf framework:

NameVirtualHost *:443

<VirtualHost *:443>
    DocumentRoot "[one root]"
    ServerName one.domain1.org
    SSLEngine on
    SSLCertificateFile "[location]/one.domain1.org.crt"
    SSLCertificateKeyFile "[location]/one.domain1.org.key"
    ...
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot "[two root]"
    ServerName two.domain2.org
    SSLEngine on
    SSLCertificateFile "[location]/two.domain2.org.crt"
    SSLCertificateKeyFile "[location]/two.domain2.org.key"
    ...
</VirtualHost>

# two more servers on domain3 using the SAME wildcard certificate
<VirtualHost *:443>
    DocumentRoot "[wild1 root]"
    ServerName wild1.domain3.org
    SSLEngine on
    SSLCertificateFile "[location]/wildcard.domain3.org.crt"
    SSLCertificateKeyFile "[location]/wildcard.domain3.org.key"
    ...
</VirtualHost>

# two more servers on domain3 using the SAME wildcard certificate
<VirtualHost *:443>
    DocumentRoot "[wild2 root]"
    ServerName wild2.domain3.org   # <---- a different name from the one above, but the certs are the same
    SSLEngine on
    SSLCertificateFile "[location]/wildcard.domain3.org.crt"
    SSLCertificateKeyFile "[location]/wildcard.domain3.org.key"
    ...
</VirtualHost>

>
> >> I guess it would help if you wouldn't enter a thread half-way
> >> without reading the previous posts.
> >
> > Feeling a little pissy, are we? I entered this thread as the 4th
> > post, the one immediately following your initial post. You must have
> > me confused with someone else.
>
> Possibly - it just didn't sound like you'd been reading from the
> beginning. I hate repeating myself and have been multiple times during
> this thread, so yeah, I get pissy when I have to do that.
>

Saying the SSL Auth aspect over and over, including after I've said we're using commercially issued certificates, leads me to ask the SAME QUESTION to you: what's the issue?

> > You've repeatedly said that there's an issue with the "auth aspect"
> > doing a single IP and named virtual servers with apache.
>
> Well, in my initial comment I did leave out one other (seemingly
> obvious) aspect - the only way to use name based virtual hosts on a
> single IP is with a single cert with multiple names - which means a
> self-signed cert - and it is this that causes you to lose the auth
> aspect to SSL (no way to prove you are who you claim to be).
>

And that's simply not true. I don't know where you're getting your information, but it's wrong.
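Added illustration, not part of this thread or of Apache's code: a Python sketch of the mechanism that lets one IP serve a separate commercial certificate per name, Server Name Indication. The client names the host in its ClientHello before any certificate is sent, so the server can pick that vhost's certificate; a client that sends no SNI (or an unknown name) gets the first *:443 vhost, which is the case worth checking when you deploy this. The vhost table and the ClientHello bytes below are constructed for the example; the cert paths are placeholders.

```python
import struct

# Constructed vhost table mirroring the httpd.conf framework above (cert paths are placeholders).
VHOSTS = [("one.domain1.org", "one.domain1.org.crt"), ("two.domain2.org", "two.domain2.org.crt"),
          ("wild1.domain3.org", "wildcard.domain3.org.crt"), ("wild2.domain3.org", "wildcard.domain3.org.crt")]

def build_client_hello(sni=None):
    """Constructed minimal TLS 1.2 ClientHello, with an SNI extension when sni is given."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"        # version, random, empty session id
    body += b"\x00\x02\xc0\x2f" + b"\x01\x00"          # one cipher suite, null compression
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        lst = struct.pack("!H", len(entry)) + entry
        exts = b"\x00\x00" + struct.pack("!H", len(lst)) + lst  # extension type 0 = server_name
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # TLS record header

def extract_sni(data):
    """Return the host_name carried in the ClientHello's SNI extension, or None if absent."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    p = 4 + 2 + 32                                   # skip handshake header, version, random
    p += 1 + hs[p]                                   # session id
    p += 2 + struct.unpack("!H", hs[p:p + 2])[0]     # cipher suites
    p += 1 + hs[p]                                   # compression methods
    if p >= len(hs):
        return None                                  # no extensions block: pre-SNI client
    end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
        p += 4
        if ext_type == 0:                            # server_name: list_len(2) type(1) len(2) name
            name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
            return hs[p + 5:p + 5 + name_len].decode("ascii")
        p += ext_len
    return None

def select_vhost(client_hello, vhosts=VHOSTS):
    """Choose the (ServerName, cert) by SNI; with no or unknown SNI the first vhost is the default."""
    sni = extract_sni(client_hello)
    for server_name, cert in vhosts:
        if sni == server_name:
            return server_name, cert
    return vhosts[0]
```

The same check against a live server is what `openssl s_client -servername <name>` does: run it once per ServerName and once without `-servername` to see which certificate non-SNI clients receive.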