Re: Multiple domains on https (apache)


Mark wrote:
I have posted a related question 2 weeks ago or so, now I wanted to actually try this...

I have 2 domains running on the same apache server (Version 2.0.50 from Fedora Core 1) with mod_ssl.
I have 2 certificates, one for each domain.
I set up the domains with the SSL configuration directives in each <VirtualHost>.
The problem is, apache (or mod_ssl?) uses the first certificate for both domains/virtual hosts (or probably all 10 if I had that many).
Is this normal or is there something wrong???

Mark,

This is normal, and there was some discussion in the replies you already got about why this is normal.

Here are some workarounds that may or may not be applicable to your case.

If you are using self-signed certificates, or if you are running your own CA, then one option could be to use one certificate instead of two. For the common name (CN) in the certificate, place the main name of your web server. Then, in the x509v3 extensions section, place something like this:

subjectAltName: DNS:www.domain1.com,DNS:www.domain2.com,IP:1.2.3.4

You can place as many DNS names and/or IP addresses inside as you wish. Browsers (at least the couple of browsers that I tested) will consider the certificate to be valid if the CN or any of the names in subjectAltName matches the host name in the URL. Some will even consider it to be valid if a DNS lookup of www.domain1.com or www.domain2.com resolves to the IP address specified in subjectAltName.

I encourage you to test and see if this approach works for all web browsers you will be using (or expect visitors of your web site to be using), before jumping head first into implementing this solution.

If you need to have the certificate signed by a "well known" CA (the definition of "well known" being that its root certificate is distributed with major web browsers), you'll have to find one that will be willing to sell you such a certificate. Most sell one certificate per domain only, or charge a fortune for something called a "wildcard certificate" (a certificate that has a "wildcard" in the CN, such as "*.domain.com"). If you manage to find one that will issue you a certificate with a subjectAltName field, they'll probably charge you for it as if you bought two certificates (since it will be valid for two domains).

--
Aleksandar Milivojevic <amilivojevic@xxxxxx>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
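The subjectAltName approach from the reply above, worked through end to end as an added example (this is not code from the original message or from the Fedora/mod_ssl project). It builds a self-signed certificate whose CN is the server's main name and whose subjectAltName carries the two virtual-host names plus an IP, using openssl.cnf syntax (note the `=` rather than the `:` shown in the post), then asks OpenSSL's own hostname check which names it accepts. The host names, the IP 1.2.3.4 and the CN www.mainserver.example are placeholders; the script assumes `openssl` 1.0.2 or newer on PATH. One caveat the reply's browser survey predates: once a certificate has DNS entries in subjectAltName, OpenSSL (like current browsers) ignores the CN entirely, so the main server name must also appear in the SAN list if clients will connect to it.

```shell
#!/bin/sh
# Added example: one certificate covering several virtual hosts via
# subjectAltName, checked with openssl's hostname verification.
# Assumes: openssl >= 1.0.2 on PATH. All names/IPs are placeholders.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# OpenSSL config: CN = main server name, virtual hosts in subjectAltName.
# (openssl.cnf uses "key = value"; the post's "subjectAltName:" form is
# not accepted here.)
cat > "$WORK/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_san
prompt             = no

[dn]
CN = www.mainserver.example

[v3_san]
subjectAltName = DNS:www.domain1.com,DNS:www.domain2.com,IP:1.2.3.4
EOF

# Generate key and self-signed certificate in one step (no passphrase,
# since Apache would otherwise prompt for it at startup).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -config "$WORK/san.cnf" >/dev/null 2>&1

# san_names: print the SAN extension value as OpenSSL decodes it, e.g.
# DNS:www.domain1.com,DNS:www.domain2.com,IPAddress:1.2.3.4
san_names() {
    openssl x509 -in "$WORK/server.crt" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# host_accepted NAME: exit 0 if OpenSSL would accept the certificate for
# NAME, 1 otherwise. The cert is self-signed, so it is its own CA file.
host_accepted() {
    openssl verify -CAfile "$WORK/server.crt" -verify_hostname "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

# ip_accepted ADDR: same check for an IP address SAN entry.
ip_accepted() {
    openssl verify -CAfile "$WORK/server.crt" -verify_ip "$1" \
        "$WORK/server.crt" >/dev/null 2>&1
}

echo "subjectAltName: $(san_names)"
# The CN is listed too: with DNS SAN entries present it is ignored.
for h in www.domain1.com www.domain2.com www.mainserver.example www.other.com; do
    if host_accepted "$h"; then echo "$h: accepted"; else echo "$h: rejected"; fi
done
if ip_accepted 1.2.3.4; then echo "1.2.3.4: accepted"; else echo "1.2.3.4: rejected"; fi
```

The same server.crt and server.key would then be referenced by SSLCertificateFile and SSLCertificateKeyFile in every <VirtualHost> on that address/port, which sidesteps the "first certificate wins" behaviour because the first certificate is now valid for all of the names.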

