Hello,
I am trying to create a self-signed certificate for a sub-domain. Creating the certificate is not the problem. I used cacert.org to complete it. When I made the certificate, it was for the sub-domain but the certificate for the top-level domain is the certificate that appears. In the <VirtualHost> section for the sub-domain, I have pointed to the sub-domain key: SSLCertificateKeyFile /etc/httpd/conf/ssl.key/subdomain.key.
This is how I made the key: openssl req -nodes -keyout private.key -out subdomain.key
Any help would be greatly appreciated.
http://www.centos.org/docs/rhel-sag-en-3/s1-secureserver-selfsigned.html
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-- Howard Fore, howard.fore@gmail.com "The less you know, the more you believe." - U2, Last Night On Earth
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Howard Fore Sent: Monday, January 23, 2006 3:38 PM To: CentOS mailing list Subject: Re: [CentOS] Self-signed certificates
> http://www.centos.org/docs/rhel-sag-en-3/s1-secureserver-selfsigned.html
Thanks
Just tried those instructions and got the same result. Does the certificate name have to be called 'server'?
On 1/23/06, Thomas E Dukes edukes@alltel.net wrote:
> Just tried those instructions and got the same result. Does the certificate name have to be called 'server'?
No, but that's the default. If you change it to something else, then you need to edit /etc/httpd/conf.d/ssl.conf to match.
-- Jim Perrin System Architect - UIT Ft Gordon & US Army Signal Center
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jim Perrin Sent: Monday, January 23, 2006 4:08 PM To: CentOS mailing list Subject: Re: [CentOS] Self-signed certificates
Maybe that's what I'm doing wrong. I'm placing it in the section of the httpd.conf file for the sub-domain.
I'll move that section to ssl.conf and see what happens.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jim Perrin Sent: Monday, January 23, 2006 4:08 PM To: CentOS mailing list Subject: Re: [CentOS] Self-signed certificates
I tried putting the info for the secure sub-domain in the ssl.conf with the name of the sub-domain certificate but that didn't work either. Still shows the certificate for the top-level domain. :-(
> I tried putting the info for the secure sub-domain in the ssl.conf with the name of the sub-domain certificate but that didn't work either. Still shows the certificate for the top-level domain. :-(
Hmm, maybe I'm not clear on what you're trying to do. Is this a virtual host? Is it a name-based virtual host? SSL is done per IP, so if you're doing name-based virtual hosting, you only get one cert, unless you change to a non-standard https port for your second secure host.
The way around this (not a GOOD way, but a way) is to generate an ssl cert for *.domain.com. This way it's valid for all subdomains.
-- Jim Perrin System Architect - UIT Ft Gordon & US Army Signal Center
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jim Perrin Sent: Monday, January 23, 2006 5:29 PM To: CentOS mailing list Subject: Re: [CentOS] Self-signed certificates
> Hmm, maybe I'm not clear on what you're trying to do. Is this a virtual host? Is it a name-based virtual host? SSL is done per IP, so if you're doing name-based virtual hosting, you only get one cert, unless you change to a non-standard https port for your second secure host.
Yes, this is a name-based virtual host.
It must be stuck on being named 'server'. I changed/renamed the subdomain.key and subdomain.crt to server.key and server.crt and now get the proper name on the certificate for the sub-domain but now don't have a certificate for the top-level domain.
> The way around this (not a GOOD way, but a way) is to generate an ssl cert for *.domain.com. This way it's valid for all subdomains.
Hmmm. I'll give that a try. Not really interested in the error about being 'self-signed' (issuing authority) but just want the name to be right and the security to be there.
Will try and let you know.
Thanks!!!!!!!!!
> Hmmm. I'll give that a try. Not really interested in the error about being 'self-signed' (issuing authority) but just want the name to be right and the security to be there.
> Will try and let you know.
http://httpd.apache.org/docs/2.0/vhosts/name-based.html
Note the line near the top that says "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol." And also http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
The first just says you can't. The second provides a more detailed reason. The way I gave you is really the only way to accomplish what you're doing with mod_ssl etc.
-- Jim Perrin System Architect - UIT Ft Gordon & US Army Signal Center
On Mon, 2006-01-23 at 18:16 -0500, Jim Perrin wrote:
> http://httpd.apache.org/docs/2.0/vhosts/name-based.html
> Note the line near the top that says "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol." And also http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
> The first just says you can't. The second provides a more detailed reason. The way I gave you is really the only way to accomplish what you're doing with mod_ssl etc.
I spent much time around trying to figure out a way to do this ... only way I found ... do it by IP ... each SSL cert needs to be on a different IP
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Johnny Hughes Sent: Monday, January 23, 2006 6:23 PM To: CentOS ML Subject: Re: [CentOS] Self-signed certificates
> I spent much time around trying to figure out a way to do this ... only way I found ... do it by IP ... each SSL cert needs to be on a different IP
You may be correct, but up to a month or so ago I wasn't able to even get SSL working on more than one virtual domain at a time. The certificate may have the wrong name but it is working.
How do you do a shared certificate?
On Mon, 2006-01-23 at 18:46 -0500, Thomas E Dukes wrote:
> You may be correct, but up to a month or so ago I wasn't able to even get SSL working on more than one virtual domain at a time. The certificate may have the wrong name but it is working.
> How do you do a shared certificate?
Here is the problem ... the headers come in ... they are encrypted. They have to be decrypted to read them. At this point, the machine doesn't know which certificate to use, so it uses the default one.
Once the header is decrypted, now it can go to the correct website, but it only uses the default certificate.
If you want to have a separate certificate, you must either have a separate IP address or a separate port so that the machine can know what certificate to use while the header is still encrypted ...
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jim Perrin Sent: Monday, January 23, 2006 6:17 PM To: CentOS mailing list Subject: Re: [CentOS] Self-signed certificates
> http://httpd.apache.org/docs/2.0/vhosts/name-based.html
> Note the line near the top that says "Name-based virtual hosting cannot be used with SSL secure servers because of the nature of the SSL protocol." And also http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
> The first just says you can't. The second provides a more detailed reason. The way I gave you is really the only way to accomplish what you're doing with mod_ssl etc.
I have seen that but it is possible to have a secure connection using name-based virtual hosts. Been doing it for a while, visit https://mail.palmettodomains.com, just trying to get the name on the certificate to match. I was just trying to get a separate certificate for other sub-domains using different/correlating naming, but it looks like the certificates have to be named 'server'.key or .crt.
On Monday 23 January 2006 03:37 pm, Thomas E Dukes wrote:
> I have seen that but it is possible to have a secure connection using name-based virtual hosts. Been doing it for a while, visit https://mail.palmettodomains.com, just trying to get the name on the certificate to match. I was just trying to get a separate certificate for other sub-domains using different/correlating naming, but it looks like the certificates have to be named 'server'.key or .crt.
I'm not sure of your point, Thomas.
When I visit your site: https://mail.palmettodomains.com
I get a secure site for secure.palmettodomains.com.
Which is what I'd expect with name-based hosting, and which is what the original poster said he's trying to avoid.
There is one way to get name-based hosting to work with individual certificates and not get name mismatch errors, and that's to set up the secure site on a different port. And I don't recommend that if anyone is ever going to have to type the URL into a browser; people just get confused. My recommendation is to only do that if the connection is only by link.
Jeff
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jeff Lasman Sent: Monday, January 23, 2006 7:31 PM To: CentOS mailing list Subject: Re: [CentOS] Self-signed certificates
> There is one way to get name-based hosting to work with individual certificates and not get name mismatch errors, and that's to set up the secure site on a different port. And I don't recommend that if anyone is ever going to have to type the URL into a browser; people just get confused. My recommendation is to only do that if the connection is only by link.
Maybe that's what I need to do as these are not really 'public' sites and are only used for my purposes (mail). How would you declare port(s) 444, 445, 446, etc., as a secure/SSL site?
Thanks!!
> Maybe that's what I need to do as these are not really 'public' sites and are only used for my purposes (mail). How would you declare port(s) 444, 445, 446, etc., as a secure/SSL site?
This is done in the vhost statement itself. Notice the :443's in the /etc/httpd/conf.d/ssl.conf file in the <VirtualHost foo:443> and possibly also on the Listen :443 line. You'd just create another one on 444, or 445, etc.
Again, it's possible to do this GLOBALLY for your domain with a top level ssl cert. If you create a cert for *.palmettodomains.com then you'll be able to use this cert for ANY subdomain of palmettodomains.com without problem. If people look closely at the cert, it will show *.palmettodomains.com, but it will not generate browser errors for people connecting. There are several institutions that have gone to certs like this to avoid paying the verisign extortion fees etc.
fnal.gov even has a tutorial of sorts incorporating simple globbing into their ssl certs (http://www.fnal.gov/docs/products/apache/SSLNotes.html).
-- Jim Perrin System Architect - UIT Ft Gordon & US Army Signal Center
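The per-port layout Jim describes, written out as an added example in the form of an ssl.conf fragment. This is not configuration from the thread or from CentOS; the hostnames, the 192.0.2.x documentation addresses and the certificate paths are placeholders chosen to match the /etc/httpd/conf/ssl.* layout the original post uses.

```apache
# Added example (not from the thread). Two SSL sites on one box: the first
# on the standard port, the second on 444 so it can present its own cert.
# Each SSL vhost needs its own Listen line. Name-based matching does not
# select the certificate, so every SSL vhost needs a unique IP:port pair.
Listen 443
Listen 444

# Primary site: www.example.com on 192.0.2.10:443 (placeholder address).
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/www.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.key
</VirtualHost>

# Second site with its own certificate: same IP, non-standard port.
# Reached as https://mail.example.com:444/ (only practical for linked URLs).
<VirtualHost 192.0.2.10:444>
    ServerName mail.example.com
    DocumentRoot /var/www/mail.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/mail.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mail.key
</VirtualHost>

# Alternative (the per-IP approach): a second address on the host keeps
# port 443 for both sites. Uncomment and drop the :444 vhost above.
# <VirtualHost 192.0.2.11:443>
#     ServerName mail.example.com
#     DocumentRoot /var/www/mail.example.com
#     SSLEngine on
#     SSLCertificateFile    /etc/httpd/conf/ssl.crt/mail.crt
#     SSLCertificateKeyFile /etc/httpd/conf/ssl.key/mail.key
# </VirtualHost>
```

After editing, `httpd -t` checks the syntax, and `openssl x509 -noout -subject -in /etc/httpd/conf/ssl.crt/mail.crt` confirms that the CN in the certificate matches the ServerName of the vhost that serves it. Port 444 also has to be opened on the firewall, and users reach the second site as https://mail.example.com:444/, which is why Jeff recommends the port approach only for linked, not typed, URLs.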
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jim Perrin Sent: Monday, January 23, 2006 8:26 PM To: CentOS mailing list Subject: Re: [CentOS] Self-signed certificates
> This is done in the vhost statement itself. Notice the :443's in the /etc/httpd/conf.d/ssl.conf file in the <VirtualHost foo:443> and possibly also on the Listen :443 line. You'd just create another one on 444, or 445, etc.
> Again, it's possible to do this GLOBALLY for your domain with a top level ssl cert. If you create a cert for *.palmettodomains.com then you'll be able to use this cert for ANY subdomain of palmettodomains.com without problem. If people look closely at the cert, it will show *.palmettodomains.com, but it will not generate browser errors for people connecting. There are several institutions that have gone to certs like this to avoid paying the verisign extortion fees etc.
Exactly!!! Couldn't have said it better! They must be paying off some folks some big bucks to have their names on a list browsers recognize without causing the "Security Alert".
I'm not trying to be cheap but this is a crock! 128 bit is 128 bit! Browsers should be able to recognize the encryption method, not the name. I mean, that's what its all about.
> fnal.gov even has a tutorial of sorts incorporating simple globbing into their ssl certs (http://www.fnal.gov/docs/products/apache/SSLNotes.html).
I'll check it out.
Thanks!!
On Monday 23 January 2006 05:44 pm, Thomas E Dukes wrote:
> I'm not trying to be cheap but this is a crock! 128 bit is 128 bit! Browsers should be able to recognize the encryption method, not the name. I mean, that's what its all about.
Hmmmm... You've lost me again <frown>.
If you mean cert distributors, you can buy certs for about $10 from GoDaddy, and yes, browsers recognize them.
If you mean the browser should recognize the cert as a cert and not care about the name it's issued for, that can't work because the purpose of a cert is to guarantee you're talking to whom you think you're talking to. So the domain name has to be in there.
Jeff
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jeff Lasman Sent: Monday, January 23, 2006 9:51 PM To: CentOS mailing list Subject: Re: [CentOS] Self-signed certificates
> If you mean cert distributors, you can buy certs for about $10 from GoDaddy, and yes, browsers recognize them.
Is that with their hosting package or can you buy it outright? And browsers will accept them without a "security alert"?
> If you mean the browser should recognize the cert as a cert and not care about the name it's issued for, that can't work because the purpose of a cert is to guarantee you're talking to whom you think you're talking to. So the domain name has to be in there.
The name I was referring to was the issuing authority not the domain name for which it was issued to.
> Jeff Lasman, Nobaloney Internet Services 1254 So Waterman Ave., Suite 50, San Bernardino, CA 92408 Our blists address used on lists is for list email only Phone +1 909 266-9209, or see: "http://www.nobaloney.net/contactus.html"
Hi
It *is* now possible to have multiple HTTPS sites on one IP address and port 443 by putting multiple domain names into one certificate as SubjectAltNames, see the CAcert wiki for more info:
http://wiki.cacert.org/wiki/VhostTaskForce
There is a bash script you can use on that page for generating a CSR; of course all the TLDs have to have been registered with CAcert before you start. There are a few things to watch out for also: you can't use ServerAliases (each domain name needs a separate VirtualHost) and the CommonName has to be repeated as a SubjectAltName.
Chris
Chris Croome wrote:
> It *is* now possible to have multiple HTTPS sites on one IP address and port 443 by putting multiple domain names into one certificate as SubjectAltNames, see the CAcert wiki for more info:
Thank you very much for that information.
On the other hand that issue would be much easier if browsers and webservers knew how to do "STARTTLS", so that the domain name the request is going to is known by the webserver. The session *then* can be encrypted with the key for exactly that domain.
Ralph
Hi
On Tue 24-Jan-2006 at 10:40:44AM +0100, Ralph Angenendt wrote:
> Thank you very much for that information.
No problem, this wiki page isn't the easiest to follow... I'll see if I can do a better one...
> On the other hand that issue would be much easier if browsers and webservers knew how to do "STARTTLS", so that the domain name the request is going to is known by the webserver. The session *then* can be encrypted with the key for exactly that domain.
Right, this is the RFC that covers this?
- HTTP Over TLS http://www.ietf.org/rfc/rfc2818.txt
I'd like to see servers and browsers supporting RFC 2817 also, but I seem to remember that when it was raised on Mozilla's bugzilla there wasn't much support for it... and there are issues with it, see discussion of it on the Apache site [1]:
- Upgrading to TLS Within HTTP/1.1 http://www.ietf.org/rfc/rfc2817.txt
Chris
[1] http://www.google.com/search?q=rfc2817+site%3Aapache.org
Hi
There are some simpler instructions here for setting up Apache to serve multiple HTTPS sites using one IP address and a CAcert cert:
http://wiki.cacert.org/wiki/VhostsApache
The CAcert root certificate is included in CentOS [1], but most people will need to install the CAcert root certificate to avoid getting warnings:
http://www.cacert.org/index.php?id=3
The great advantage of CAcert is that the certs are free, but of course it's not suitable for an ecommerce site since most people won't have the root cert installed in their browsers.
Chris
PS Sorry that this is somewhat OT...
[1] http://www.centos.org/modules/newbb/viewtopic.php?topic_id=50&forum=2&am...
> I'd like to see servers and browsers supporting RFC 2817 also, but I seem to remember that when it was raised on Mozilla's bugzilla there wasn't much support for it... and there are issues with it, see discussion of it on the Apache site [1]:
> - Upgrading to TLS Within HTTP/1.1 http://www.ietf.org/rfc/rfc2817.txt
There is mod_gnutls for apache from the folks at outoforder.cc, http://www.outoforder.cc/projects/apache/mod_gnutls/ but it's reasonably new and not quite ready for production yet. It will not play nicely with mod_ssl, so it's an either or type deal. They have a number of other excellent apache modules there, my personal favorite being mod_log_sql. Anyway, enough plugging them.
-- Jim Perrin System Architect - UIT Ft Gordon & US Army Signal Center
Jim Perrin wrote:
> There is mod_gnutls for apache from the folks at outoforder.cc,
gnutls seems to have a massive problem with random number sources - AFAIR they *do* use /dev/random exclusively, which will block pretty fast if used on a server having a little bit more traffic.
Ralph
On Mon, 2006-01-23 at 22:18 -0500, Thomas E Dukes wrote:
> > If you mean cert distributors, you can buy certs for about $10 from GoDaddy, and yes, browsers recognize them.
> Is that with their hosting package or can you buy it outright? And browsers will accept them without a "security alert"?
Their (godaddy) wildcard cert is $199.00/yr (turbo) or $299.00/yr (high assurance)
Their individual site same certs are $19.99/yr (turbo) or $89.99 (high assurance).
Here is the difference: https://www.godaddy.com/gdshop/ssl/compare.asp?se=%2B&app%5Fhdr=99
For internal stuff, I would use only a signed certificate.
I created one for 10 years for my company for internal websites.
> > If you mean the browser should recognize the cert as a cert and not care about the name it's issued for, that can't work because the purpose of a cert is to guarantee you're talking to whom you think you're talking to. So the domain name has to be in there.
That is why a wildcard cert is good. Many companies are doing wildcard certs now. They are for *.yourdomain.com ... so mail.yourdomain.com and www.yourdomain.com and test.yourdomain.com are all valid with that certificate.
> The name I was referring to was the issuing authority not the domain name for which it was issued to.
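Jim's wildcard suggestion, Johnny's wildcard explanation, Chris's SubjectAltName note and Jeff's point that the domain name has to be in the certificate all come down to one question: which hostnames does a given certificate cover? The added example below (not from the thread or from CAcert) generates a self-signed certificate with a CN and a subjectAltName list, then checks hostnames against it using the wildcard rule of RFC 2818 section 3.1, where `*` matches exactly one label. Note that `openssl req` without `-x509`, as in the command in the original post, writes a certificate signing request rather than a certificate. All example.com and example.org names are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: build a self-signed certificate whose
# subjectAltName lists several hosts (a wildcard included), then check which
# hostnames it covers the way a browser does. example.com is a placeholder.
set -euf   # -f: names like *.example.com must never be glob-expanded

# make_cert DIR CN [SAN ...]
# Writes DIR/server.key and DIR/server.crt. The CN is repeated as the first
# DNS SAN (the CAcert page quoted above requires the same). -x509 makes
# "openssl req" emit a self-signed certificate instead of a CSR.
make_cert() {
    dir=$1; cn=$2; shift 2
    san="DNS:$cn"
    for h in "$@"; do san="$san,DNS:$h"; done
    cat >"$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_req
[dn]
CN = $cn
[v3_req]
subjectAltName = $san
EOF
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -config "$dir/openssl.cnf" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# cert_dns_names CRT: print the DNS entries of subjectAltName, one per line.
cert_dns_names() {
    openssl x509 -noout -text -in "$1" |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# cert_matches CRT HOST: exit 0 if HOST is covered by a SAN entry.
# "*.example.com" covers exactly one extra label (RFC 2818 3.1): it matches
# mail.example.com but neither example.com nor a.b.example.com.
cert_matches() {
    crt=$1; host=$2
    for n in $(cert_dns_names "$crt"); do
        if [ "$n" = "$host" ]; then return 0; fi
        case $n in
        \*.*)
            suffix=${n#\*.}
            case $host in
            *."$suffix")
                label=${host%."$suffix"}
                case $label in
                ''|*.*) ;;          # empty or multi-label: no match
                *) return 0 ;;
                esac ;;
            esac ;;
        esac
    done
    return 1
}

# Demo: one cert for the apex, a wildcard, and an explicit mail host.
dir=$(mktemp -d)
make_cert "$dir" mail.example.com '*.example.com' example.com
echo "Certificate covers:"; cert_dns_names "$dir/server.crt"
for h in mail.example.com www.example.com example.com a.b.example.com example.org; do
    if cert_matches "$dir/server.crt" "$h"; then
        echo "  $h: ok"
    else
        echo "  $h: name mismatch"
    fi
done
rm -rf "$dir"
```

Run it as `sh cert-names.sh`; the demo reports `ok` for mail.example.com, www.example.com and example.com and `name mismatch` for a.b.example.com and example.org. Pointing `cert_matches` at the file named by SSLCertificateFile and the ServerName of each vhost is a quick way to check that the certificate a vhost presents actually covers its name before a browser does the same check.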