Where to put SSL Certificates/Key in Suse 11

Hi all,

I’m relatively new to Linux/Apache and spent the last week pulling my hair out googling, reading forums and the manuals trying to set up two virtual hosts running two websites, both with SSL, on a development web server. I finally got it to work using name-based virtual hosting. My problem now is I have created one set of certificates/keys for one domain using the mkcert.sh script mentioned in the manual. Worked great and put the final files in the /etc/apache2/ssl.crt, ssl.key and ssl.csr directories where Suse 11 is looking for them. No problem until I try to create a second certificate/key for my second virtual host. The script doesn’t give you a choice as to the names of the output files so you can create more than one set. My question is, is there another directory or set of directories I can copy the first set to and point my virtual host to read them there and then create a new set (with the same names) and place them elsewhere? Or do I need to do it from scratch using openssl?

Thanks in advance for the help.
jtaitt

If you look at /etc/apache2/vhosts.d/vhost-ssl.template, each SSL virtual host can have its own cert file.

But remember this: Certs are checked by taking the domain name and IP address and doing consistency checks on them. So you will have a mismatch between the virtual domain name and the canonical domain name (the one that the IP reverse maps to). So you will get an error from the browser saying that the name in the cert doesn’t match the name in the reverse mapping. That’s why you need one IP address per SSL host, in general. One way to work around that is to use a wildcard cert, which matches any host in a subdomain.

Thanks for the response.

If I understand what you are saying, I can’t make two separate certificates/keys which are named differently and point to the correct SSL certificate/key from within the virtualhost directives in each of my subdomains. Or is it only because they both have the same IP address? I thought only the Common Name was the issue. Then will it work on an IP-based virtual host which uses IP aliases for multiple subdomains? My first choice was to use separate aliased IPs for each subdomain but couldn’t get the aliased IPs to stay around after a reboot. Which is the thread of another post I made today.

I guess my next question is then how would I create a wildcard certificate for testing, or can I? I have a feeling they must be purchased. I’m not at that stage yet in my development.

Thanks,
jtaitt

Oh there’s no problem with the webserver handling multiple certs. But multiple certs are generally used with IP based virtual hosting. The problem is like this:

  1. You make a cert for say foo.example.com.

  2. User connects to https://foo.example.com.

  3. Web browser does a reverse map of the IP address of the server and finds it is foo.example.com.

  4. All is well.

  5. User connects to https://bar.example.com.

  6. Web browser does a reverse map of the IP address of the server and finds it is foo.example.com which is not bar.example.com as the second cert says.

  7. Browser gives the user a warning. Some browsers may even go so far as to block the access.

This is why generally you can only have one SSL webserver per IP. Of course if you are running an internal webserver, you can use as many IPs as you like on private addresses, but public IPs in the outside world are a resource that has to be paid for.

I’ve never needed to make a wildcard cert but from what I’ve read, it’s a matter of making a cert for *.example.com. That will match both of the domain names above.
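Added example, not part of any post in this thread: a shell sketch that creates separately named self-signed test certificates and keys with openssl (one per virtual host, or a wildcard such as *.example.com) and checks which host names a certificate covers. The function names and the base directory argument are hypothetical, and it assumes OpenSSL 1.1.1 or later for `-addext`.

```shell
#!/bin/sh
# Added example: per-vhost self-signed TEST certificates with chosen file names.
# Layout mirrors the ssl.key / ssl.crt directories named in the thread, but is
# rooted at a base directory you pass in (hypothetical parameter).

# make_vhost_cert NAME BASEDIR
#   NAME is a host name (foo.example.com) or a wildcard (*.example.com).
#   Writes BASEDIR/ssl.key/<file>.key and BASEDIR/ssl.crt/<file>.crt and
#   prints <file> so the caller knows what to reference from the vhost.
make_vhost_cert() {
    name=$1
    base=$2
    # '*' is awkward in file names: store a wildcard cert as wildcard.<domain>
    file=$(printf '%s' "$name" | sed 's/^\*\./wildcard./')
    mkdir -p "$base/ssl.key" "$base/ssl.crt" || return 1
    # umask 077 keeps the unencrypted private key readable by its owner only
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$name" -addext "subjectAltName=DNS:$name" \
        -keyout "$base/ssl.key/$file.key" \
        -out "$base/ssl.crt/$file.crt" 2>/dev/null ) || return 1
    chmod 644 "$base/ssl.crt/$file.crt"   # the certificate itself is public
    printf '%s\n' "$file"
}

# cert_matches CERTFILE HOSTNAME
#   Exit status 0 if the certificate is valid for HOSTNAME, non-zero otherwise.
cert_matches() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 | grep -q 'does match'
}

# Each SSL virtual host then points at its own pair, for example:
#   SSLCertificateFile    /etc/apache2/ssl.crt/foo.example.com.crt
#   SSLCertificateKeyFile /etc/apache2/ssl.key/foo.example.com.key
```

Self-signed certificates like these still trigger an untrusted-issuer warning in browsers; they are for a development server only.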

Thanks again my friend, I appreciate the detailed explanations. It has helped me to understand the issues rather than just making a fix. Looks like I need to get the ip-aliasing issue worked out so I can use multiple addresses.