Multiple domains on https (apache)
Aleksandar Milivojevic
amilivojevic at pbl.ca
Thu Feb 24 16:14:05 UTC 2005
Mark wrote:
> I posted a related question about 2 weeks ago, now I wanted to actually try this...
>
> I have 2 domains running on the same apache server (Version 2.0.50 from Fedora Core 1) with mod_ssl.
> I have 2 certificates, one for each domain.
> I set up the domains with the SSL configuration directives in each <VirtualHost>.
> The problem is, apache (or mod_ssl?) uses the first certificate for both domains/virtual hosts (or probably all 10 if I had that
> many).
> Is this normal or is there something wrong???
Mark,
This is normal, and there were some discussions in the replies you already
got about why this is normal.
Here are some workarounds that may or may not be applicable to your case.
If you are using self-signed certificates, or if you are running your
own CA, then one option could be to use one certificate instead of two.
For the common name (CN) in the certificate, use the main name of your web
server. Then in the x509v3 extensions section, place something like this:
subjectAltName: DNS:www.domain1.com,DNS:www.domain2.com,IP:1.2.3.4
You can place as many DNS names and/or IP addresses inside as you wish.
Browsers (at least a couple of browsers that I tested) will consider the
certificate to be valid if the CN or any of the names in subjectAltName
matches the host name in the URL. Some will even consider it to be valid if
a DNS lookup of www.domain1.com or www.domain2.com resolves to the IP
address specified in subjectAltName.
I encourage you to test and see if this approach works for all web
browsers you will be using (or expect visitors of your web site will be
using), before jumping head first into implementing this solution.
If you need to have the certificate signed by a "well known" CA (the definition of
"well known" being that its root certificate is distributed with major web
browsers), you'll have to find one that is willing to sell you such a
certificate. Most sell one certificate per domain only, or charge a
fortune for something called a "wildcard certificate" (a certificate that
has a "wildcard" in the CN, such as "*.domain.com"). If you manage to find
one that will issue you a certificate with a subjectAltName field, they'll
probably charge you for it as if you bought two certificates (since it
will be valid for two domains).
--
Aleksandar Milivojevic <amilivojevic at pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
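The name-matching rule the post describes (the host in the URL must match the CN or one of the subjectAltName entries), as an added Python example that is not part of the original message or of mod_ssl: it parses a subjectAltName line in the form shown above into DNS and IP entries and decides whether a certificate is acceptable for a given URL host. The names www.domain1.com, www.domain2.com and the address 1.2.3.4 are the post's own sample values; server.example and the `cn_fallback` flag are assumptions of this example. It goes a little beyond the post: it also handles the wildcard form (`*.domain.com`) mentioned later in the message, and it deliberately does not accept a DNS name merely because it resolves to an IP address listed in the certificate, since that would make any name pointing at the address "valid".

```python
"""Hostname-vs-certificate name matching as described in the post (added example)."""
import ipaddress
from typing import Iterable, List, Tuple

# One SAN entry as (type, value): ("DNS", "www.domain1.com") or ("IP", "1.2.3.4")
SanEntry = Tuple[str, str]

# Constructed sample: the exact line the post suggests for the x509v3 section.
SAMPLE_SAN_LINE = "subjectAltName: DNS:www.domain1.com,DNS:www.domain2.com,IP:1.2.3.4"


def parse_san(line: str) -> List[SanEntry]:
    """Parse 'subjectAltName: DNS:a,DNS:b,IP:1.2.3.4' into a list of entries.

    The leading 'subjectAltName' label (with ':' or '=') is optional and
    whitespace around entries is tolerated. DNS names are lower-cased and IP
    addresses normalised; any other entry type raises ValueError rather than
    being silently ignored.
    """
    text = line.strip()
    label = "subjectAltName"
    if text.lower().startswith(label.lower()):
        text = text[len(label):].lstrip(" :=")
    entries: List[SanEntry] = []
    for item in text.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if kind == "DNS":
            entries.append(("DNS", value.lower()))
        elif kind == "IP":
            entries.append(("IP", str(ipaddress.ip_address(value))))
        else:
            raise ValueError(f"unsupported subjectAltName type: {kind}")
    return entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match with conservative wildcard handling.

    A '*' is accepted only as the entire leftmost label and matches exactly one
    label: '*.domain.com' matches 'www.domain.com' but not 'domain.com' or
    'a.b.domain.com'. Patterns such as 'w*.domain.com' or '*.com' are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # partial or non-leftmost wildcard
    if len(p_labels) < 3:
        return False  # refuse to wildcard a whole top-level domain
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(url_host: str, cn: str, sans: Iterable[SanEntry],
                      cn_fallback: bool = False) -> bool:
    """Is a certificate with subject CN `cn` and SAN entries `sans` valid for `url_host`?

    A literal IP address in the URL is compared only against IP SAN entries; a
    DNS name is never resolved to see whether it points at a listed IP (the
    lenient behaviour the post says some browsers showed). With
    cn_fallback=True the CN is also consulted for DNS hosts, which is the
    CN-or-SAN rule the post describes; modern clients ignore the CN once any
    DNS SAN is present, so the strict default reflects what to design for.
    """
    sans = list(sans)
    try:
        ip = ipaddress.ip_address(url_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP" and value == str(ip) for kind, value in sans)
    dns_sans = [value for kind, value in sans if kind == "DNS"]
    if any(dns_name_matches(p, url_host) for p in dns_sans):
        return True
    return cn_fallback and dns_name_matches(cn, url_host)


if __name__ == "__main__":
    sans = parse_san(SAMPLE_SAN_LINE)
    for host in ("www.domain1.com", "www.domain2.com", "1.2.3.4", "mail.domain1.com"):
        print(f"{host:18} -> {cert_matches_host(host, 'server.example', sans)}")
```

Running the module prints one line per sample host; the two domain names and the literal IP are accepted and any other name is refused. Using `dns_name_matches` with the post's wildcard form shows why a CA treats `*.domain.com` as covering a whole set of hosts: it matches every single-label subdomain, but not the bare domain.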