Ara Avvali
2006-Mar-19 00:30 UTC
[CentOS] multiple signed ssl certificatess on single IP address
Good afternoon everyone,

This is my first post here. I was wondering if someone could clear my mind about this.

I have a dedicated server with a single IP address assigned to it. I want to host a couple of sites which are hosted somewhere else and have signed certificates. Now I want to host them all on this single server.

Is it possible to bind more than one cert to a single IP-based Apache server and host multiple virtual directories? I did some research online and found a couple of answers which are all confusing me.

One suggested that I need to get additional IPs and assign different sites to them. (Not a very practical solution.)

Another says we can use the same cert and IP but have the secondary host on a different port number than the default, something like https://www.abc.com and https://www.def.com:444 and so on. But this will cause people a warning regarding the certificate error on the second path, is that correct?

Someone suggested a wildcard certificate, but how can I do that, since the dedicated server name is a.dedicated.hostingcompany.com and I need to generate certificates covering *.abc.com and *.def.com?

Would someone kindly clear my mind on this issue?
Maciej Żenczykowski
2006-Mar-19 00:45 UTC
[CentOS] multiple signed ssl certificatess on single IP address
Due to the SSL specification it is _IMPOSSIBLE_ to have more than one certificate on a given ip:port pair. Why? Because the certificate has to be sent immediately after a connection to the ip:port pair, _BEFORE_ the client sends information about _which_ website it intends to contact (thus the server has no way to know which certificate to supply, if many sites are hosted on a given ip:port pair, and must choose ONE). As such virtual nameservers and https are impossible to get working with different certificates.

However, there are some solutions:

a) get more IPs and host each https site on a different IP
b) use different port numbers on the same IP

BOTH a and b allow different certificates per site, since they use different host:ip pairs

c) use a single wildcard certificate or a certificate for more than one site. Basically a single certificate which is valid for both abc.com and def.com. Searching around on Google should reveal a wiki with more information about how to do this and remain compatible with the major web browsers (I think the link should also be in the CentOS list archives).

It should be noted that solution (b) is impractical; many places allow https traffic only on the default https/443 port. Solution (a) is feasible and easy, however it requires extra public IPs and will likely increase hosting costs. Solution (c) is the cheapest, however I've yet to try implementing it.

[Further note: it is possible to run https over http on port 80 with transparent upgrade, but most web browsers and proxies don't support this and as such this is also not a viable solution...]

Cheers,
MaZe.

On Sat, 18 Mar 2006, Ara Avvali wrote:
> Is it possible to bind more than one cert to a single IP-based Apache
> server and host multiple virtual directories?
Robert
2006-Mar-19 00:46 UTC
[CentOS] multiple signed ssl certificatess on single IP address
greetings Ara Avvali,

as i recall, the "most practical" and still the easiest solution is to have multiple ip addresses available and to provision them to the host, then do dns to have each domain that requires ssl on its own unique ip address.

yes, you can jump through the hoops the other way as you have found. there are many single ip solutions. some work better than others. some stink.

in the last two months i have not checked the latest server software granularity for dealing with certs on a single ip though... meaning, i don't know how many of the goofy hurdles and hoop jumping have truly been removed that satisfy the server and client side transparency issues & needs.
- rh
--
Robert Hanson - Abba Communications
Computer & Internet Services
(509) 624-7159 - www.abbacomm.net
Ara Avvali
2006-Mar-19 00:57 UTC
[CentOS] multiple signed ssl certificatess on single IP address
Hi,

Thanks for the fast response.

A: is expensive and I can't do it. They want 10/IP per month, so for about 10 sites we are talking 100 dollars a month.

B: is better if I could convince them, but as you stated we might face problems with non-standard port numbers.

C: sounds fair and I need to search for it. We have Plesk and I just saw this article. Do you think it is the solution for my question? http://www.digicert.com/ssl-certificate-installation-plesk.htm

Appreciate the help.

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On Behalf Of Maciej Zenczykowski
Sent: Saturday, March 18, 2006 4:45 PM
To: CentOS mailing list
Subject: Re: [CentOS] multiple signed ssl certificatess on single IP address

Due to the SSL specification it is _IMPOSSIBLE_ to have more than one certificate on a given ip:port pair.
Robin Mordasiewicz
2006-Mar-19 03:36 UTC
[CentOS] multiple signed ssl certificatess on single IP address
On Sat, 18 Mar 2006, Ara Avvali wrote:
> Is it possible to bind more than one cert to a single IP-based Apache
> server and host multiple virtual directories?

You will indeed require separate IP addresses per domain cert, or if you do not have access to multiple IP addresses then you could run them on separate ports. You summed it up correctly in your post.
Aleksandar Milivojevic
2006-Mar-19 06:09 UTC
[CentOS] multiple signed ssl certificatess on single IP address
Ara Avvali wrote:
> I have a dedicated server with a single IP address assigned to it. I
> want to host a couple of sites which are hosted somewhere else and have
> signed certificates. Now I want to host them all on this single server.

No, you can't have more than one certificate per IP address (other than using different ports). The SSL handshake takes place before any data is transmitted. Therefore, Apache doesn't know which of the virtual webs the user is attempting to access.

However, you can use the X509v3 Subject Alternative Name to store multiple host names in it. For example, you could store something like this into it:

SubjectAltName: DNS:www.foo.com, DNS:www.bar.com, IP: 1.2.3.4

(or something like that, syntax for IP could be IPAddr, not 100% sure). Such a certificate would be valid for all of the following (users are not going to get any warnings or annoying pop-up windows):

https://www.foo.com/
https://www.bar.com/
https://1.2.3.4/

However, there are a couple of problems with using X509v3 Subject Alternative Name:

Not all web browsers might support it. Current versions of Internet Explorer, Mozilla, and Firefox work correctly with such certificates, but older versions might not (very old versions would ignore X509v3 extensions). Some obscure web browsers might not support it either.

You'll be using a single certificate for all virtual hosts. This might be a problem if the virtual hosts are owned by different people (if they know anything about security, they'll insist on using their own certificates, and simply refuse to use a shared certificate).

The biggest problem is, if you are buying a certificate from a well known CA, you might have a hard time finding one that will sell you a certificate with multiple host names in X509v3 Subject Alternative Name. Last time I was checking (some years ago) there was none. Maybe the situation has changed since then (or maybe some will do it on special request -- and for a special fee).

For example, check the certificate at https://www.milivojevic.org/ (it contains www.milivojevic.org in CN, and there's a SubjectAltName in extensions for www.milivojevic.org and localhost).
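An added example, not from any poster in this thread, showing the name check a browser applies to the SubjectAltName above and to the two wildcards from the original question: the SAN string, the URLs and the "one cert for *.abc.com and *.def.com" case are constructed, and the matching rules are assumed to be the RFC 6125 ones (DNS SANs take precedence, CN used only as a fallback, wildcard covers exactly one left-most label).

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample, mirroring the SubjectAltName given in the post above
SAMPLE_SAN = "DNS:www.foo.com, DNS:www.bar.com, IP:1.2.3.4"

def parse_san(san_text):
    """Parse an OpenSSL-style subjectAltName string into (dns_names, ip_addrs)."""
    dns_names, ip_addrs = [], []
    for entry in san_text.split(","):
        kind, _, value = entry.strip().partition(":")
        kind, value = kind.strip().upper(), value.strip()
        if kind == "DNS":
            dns_names.append(value.lower())
        elif kind in ("IP", "IPADDR", "IP ADDRESS"):
            ip_addrs.append(ipaddress.ip_address(value))
    return dns_names, ip_addrs

def dns_name_matches(pattern, host):
    """RFC 6125-style match: exact, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # "*.abc.com" -> ".abc.com"
    # same number of labels as the pattern, and a non-empty label in place of "*"
    return host.endswith(suffix) and host.count(".") == pattern.count(".") and len(host) > len(suffix)

def cert_covers(url_host, cn, san_text):
    """Would a browser accept a cert with this CN and SAN for url_host?
    Assumed rules (RFC 6125): an IP-literal host needs a matching IP SAN; a DNS host
    is checked against the DNS SANs and falls back to the CN only if there are none."""
    dns_names, ip_addrs = parse_san(san_text)
    try:
        return ipaddress.ip_address(url_host) in ip_addrs
    except ValueError:
        pass  # not an IP literal, so treat it as a DNS name
    if dns_names:
        return any(dns_name_matches(p, url_host) for p in dns_names)
    return dns_name_matches(cn, url_host)

def check_thread_examples():
    """The three URLs from the post against the sample SAN, then both of Ara's wildcards in one cert."""
    host = lambda url: urlsplit(url).hostname  # drops scheme, the :444 port and the path
    results = {u: cert_covers(host(u), "www.foo.com", SAMPLE_SAN)
               for u in ("https://www.foo.com/", "https://www.bar.com/", "https://1.2.3.4/", "https://www.abc.com/")}
    both = "DNS:*.abc.com, DNS:*.def.com"  # one certificate for both domains on one IP
    for u in ("https://www.abc.com/", "https://www.def.com:444/", "https://abc.com/"):
        results[u + " (wildcard cert)"] = cert_covers(host(u), "*.abc.com", both)
    return results
```

Note that the bare domain abc.com is not covered by *.abc.com, so a certificate meant for both forms needs both names listed.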