[CentOS] Self-signed certificates

Johnny Hughes mailing-lists at hughesjr.com
Tue Jan 24 00:52:44 UTC 2006


On Mon, 2006-01-23 at 18:46 -0500, Thomas E Dukes wrote:
>  
> > -----Original Message-----
> > From: centos-bounces at centos.org 
> > [mailto:centos-bounces at centos.org] On Behalf Of Johnny Hughes
> > Sent: Monday, January 23, 2006 6:23 PM
> > To: CentOS ML
> > Subject: Re: [CentOS] Self-signed certificates
> > 
> > On Mon, 2006-01-23 at 18:16 -0500, Jim Perrin wrote:
> > > > Hmmm. I'll give that a try.  Not really interested in the error
> > > > about being 'self-signed' (issuing authority) but just want the
> > > > name to be right and the security to be there.
> > > >
> > > > Will try and let you know.
> > > 
> > > http://httpd.apache.org/docs/2.0/vhosts/name-based.html
> > > 
> > > Note the line near the top that says "Name-based virtual hosting 
> > > cannot be used with SSL secure servers because of the nature of the 
> > > SSL protocol." And also 
> > > http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts
> > > 
> > > The first just says you can't. The second provides a more detailed
> > > reason. The way I gave you is really the only way to accomplish
> > > what you're doing with mod_ssl etc.
> > > 
> > 
> > I spent much time around trying to figure out a way to do 
> > this ... only way I found ... do it by IP ... each SSL cert 
> > needs to be on a different IP
> 
> You may be correct but up to a month or so ago I wasn't able to even get SSL
> working on more than one virtual domain at a time.  The certificate may have
> the wrong name but it is working.
> 
> How do you do a shared certificate?
> > 
> 

Here is the problem ... the headers come in ... they are encrypted.
They have to be decrypted to read them.  At this point, the machine
doesn't know which certificate to use, so it uses the default one.

Once the header is decrypted, now it can go to the correct website, but
it only uses the default certificate.

If you want to have a separate certificate, you must either have a
separate IP address or a separate port so that the machine can know what
certificate to use while the header is still encrypted ...  
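
The layout described above, written out as an Apache 2.0 mod_ssl configuration. This is an added example, not part of the original message; the addresses, hostnames, ports and file paths are constructed placeholders.

```apache
# Constructed example: IPs, hostnames and paths below are placeholders.

# --- Name-based SSL vhosts: second certificate is never presented ---
# Both vhosts share 192.0.2.10:443. The certificate is chosen during the
# SSL handshake, before the encrypted Host: header can be read, so every
# client gets the certificate of the first (default) vhost.
#
# NameVirtualHost 192.0.2.10:443
# <VirtualHost 192.0.2.10:443>
#     ServerName www.example.com
#     SSLCertificateFile /etc/httpd/conf/ssl.crt/www.example.com.crt
# </VirtualHost>
# <VirtualHost 192.0.2.10:443>
#     ServerName shop.example.com
#     SSLCertificateFile /etc/httpd/conf/ssl.crt/shop.example.com.crt
# </VirtualHost>

# --- One certificate per IP address (or per port) ---
Listen 443
Listen 8443

# Site 1: its own IP address, standard port.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/www.example.com.key
</VirtualHost>

# Site 2: a second IP address, so the server knows which certificate to
# send from the destination address alone.
<VirtualHost 192.0.2.11:443>
    ServerName shop.example.com
    DocumentRoot /var/www/shop.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/shop.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/shop.example.com.key
</VirtualHost>

# Site 3: shares the first IP but uses a separate port instead.
<VirtualHost 192.0.2.10:8443>
    ServerName admin.example.com
    DocumentRoot /var/www/admin.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/admin.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/admin.example.com.key
</VirtualHost>
```
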