-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jim Perrin
Sent: Monday, January 23, 2006 8:26 PM
To: CentOS mailing list
Subject: Re: [CentOS] Self-signed certificates
There is one way to get name-based hosting to work with individual certificates and not get name mismatch errors, and that's to set up the secure site on a different port. And I don't recommend that if anyone is ever going to have to type the URL into a browser; people just get confused. My recommendation is to only do that if the connection is only by link.
Maybe that's what I need to do as these are not really 'public' sites and are only used for my purposes (mail). How would you declare port(s) 444, 445, 446, etc., as a secure/SSL site?
This is done in the vhost statement itself. Notice the :443's in the /etc/httpd/conf.d/ssl.conf file in the <VirtualHost foo:443> and possibly also on the Listen :443 line. You'd just create another one on 444, or 445, etc.
Again, it's possible to do this GLOBALLY for your domain with a top level ssl cert. If you create a cert for *.palmettodomains.com then you'll be able to use this cert for ANY subdomain of palmettodomains.com without problem. If people look closely at the cert, it will show *.palmettodomains.com, but it will not generate browser errors for people connecting. There are several institutions that have gone to certs like this to avoid paying the verisign extortion fees etc.
Exactly!!! Couldn't have said it better! They must be paying off some folks some big bucks to have their names on a list browsers recognize without causing the "Security Alert".
I'm not trying to be cheap but this is a crock! 128 bit is 128 bit! Browsers should be able to recognize the encryption method, not the name. I mean, that's what it's all about.
fnal.gov even has a tutorial of sorts incorporating simple globbing into their ssl certs (http://www.fnal.gov/docs/products/apache/SSLNotes.html).
I'll check it out.
Thanks!!
--
Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
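
Added example, not part of the original thread: a simplified version of the name check (RFC 6125 style) that browsers apply to a wildcard certificate such as the *.palmettodomains.com one discussed above. It shows that the "*" stands for exactly one leftmost label, so the bare domain and deeper sub-subdomains still produce a name mismatch. The host names under palmettodomains.com and the function names are constructed for illustration.

```python
"""Which host names does a wildcard certificate name cover?

Simplified RFC 6125 rule: "*" must be the entire leftmost label
and matches exactly one label. Partial wildcards ("w*") are refused.
"""


def wildcard_matches(cert_name: str, host: str) -> bool:
    """Return True if cert_name (exact name or '*.domain') covers host."""
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")

    # A wildcard never changes the number of labels, so the bare
    # domain and deeper sub-subdomains can never match.
    if len(cert_labels) != len(host_labels) or "" in host_labels:
        return False

    first, rest = cert_labels[0], cert_labels[1:]
    if any("*" in label for label in rest):
        return False  # wildcard is only honoured in the leftmost label
    if first == "*":
        # Require two fixed labels so that "*.com" is never accepted.
        return len(rest) >= 2 and rest == host_labels[1:]
    if "*" in first:
        return False  # partial-label wildcards are not handled here
    return cert_labels == host_labels


def coverage(cert_name, hosts):
    """Map each host to whether the certificate name covers it."""
    return {h: wildcard_matches(cert_name, h) for h in hosts}


if __name__ == "__main__":
    # Constructed host names for illustration.
    sample_hosts = [
        "mail.palmettodomains.com",
        "www.palmettodomains.com",
        "palmettodomains.com",
        "a.mail.palmettodomains.com",
    ]
    for host, ok in coverage("*.palmettodomains.com", sample_hosts).items():
        print(f"{host:32} {'match' if ok else 'NAME MISMATCH'}")
```

If the bare domain or a second level of subdomains must also be served without warnings, those names need their own entries in the certificate or their own certificates.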