[CentOS] Self-signed certificates

Tue Jan 24 01:26:15 UTC 2006
Jim Perrin <jperrin at gmail.com>

> > There is one way to get name-based hosting to work with
> > individual certificates and not get name mismatch errors, and
> > that's to set up the secure site on a different port.  And I
> > don't recommend that if anyone is ever going to have to type
> > the URL into a browser; people just get confused.  My
> > recommendation is to only do that if the connection is only by link.
> >
>
> Maybe that's what I need to do as these are not really 'public' sites and
> are only used for my purposes (mail).  How would you declare port(s) 444,
> 445, 446, etc., as a secure/SSL site?

This is done in the vhost statement itself.
Notice the :443s in the /etc/httpd/conf.d/ssl.conf file, in the
<VirtualHost foo:443> line and possibly also on the Listen :443 line.
You'd just create another one on 444, or 445, etc.

Again, it's possible to do this GLOBALLY for your domain with a top
level SSL cert.
If you create a cert for *.palmettodomains.com, then you'll be able to
use this cert for ANY subdomain of palmettodomains.com without
problem. If people look closely at the cert, it will show
*.palmettodomains.com, but it will not generate browser errors for
people connecting. There are several institutions that have gone to
certs like this to avoid paying the Verisign extortion fees etc.

fnal.gov even has a tutorial of sorts incorporating simple globbing
into their ssl certs
(http://www.fnal.gov/docs/products/apache/SSLNotes.html).

--
Jim Perrin
System Architect - UIT
Ft Gordon & US Army Signal Center
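The two steps Jim describes (a self-signed wildcard cert, and extra SSL vhosts on 444/445) carried through as an added example; this is editorial code, not part of the original thread or of the CentOS httpd package. Assumptions: the palmettodomains.com name from the thread, a scratch directory ./ssl-demo (override with WORK), and an OpenSSL with `req -addext` (1.1.1 or later). Two caveats a current reader needs: browsers no longer match the host name against the CN, so the wildcard must also be in subjectAltName, and `*.palmettodomains.com` matches exactly one label, so neither the bare domain nor `a.b.palmettodomains.com` is covered unless listed separately. The `cert_matches_host` check applies the same matching rules a TLS client does, so you can verify the cert before wiring it into httpd.

```shell
#!/bin/sh
# Added example (not from the original thread): a self-signed wildcard
# certificate plus httpd vhosts on non-standard SSL ports.
# Assumed names: palmettodomains.com (from the thread), scratch dir ./ssl-demo.
set -e

WORK="${WORK:-./ssl-demo}"
DOMAIN="palmettodomains.com"

# 1. Self-signed wildcard cert. The wildcard goes into subjectAltName, not
#    only the CN: modern clients ignore the CN for host-name matching.
#    The bare domain is listed explicitly because "*.$DOMAIN" does not
#    cover "$DOMAIN" itself (a wildcard matches exactly one label).
make_wildcard_cert() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/wild.key" -out "$WORK/wild.crt" \
        -subj "/CN=*.$DOMAIN" \
        -addext "subjectAltName=DNS:*.$DOMAIN,DNS:$DOMAIN" \
        >/dev/null 2>&1
    chmod 600 "$WORK/wild.key"
}

# 2. Would this host name pass the certificate's name check?  Uses the
#    same X509_check_host() logic a TLS client applies.  Returns 0 on match.
cert_matches_host() {
    openssl x509 -in "$WORK/wild.crt" -noout -checkhost "$1" \
        | grep -q 'does match'
}

# 3. Apache vhost for an extra SSL port: a Listen for the port and the same
#    port in the <VirtualHost> tag, as the post says.  "SSLEngine on" is
#    what makes that port speak TLS.  Prints the path of the file written.
write_vhost() {
    port="$1"; host="$2"
    cat > "$WORK/$host-$port.conf" <<EOF
Listen $port
<VirtualHost _default_:$port>
    ServerName $host:$port
    DocumentRoot /var/www/$host
    SSLEngine on
    SSLCertificateFile $WORK/wild.crt
    SSLCertificateKeyFile $WORK/wild.key
</VirtualHost>
EOF
    echo "$WORK/$host-$port.conf"
}

make_wildcard_cert
write_vhost 444 "mail.$DOMAIN"
write_vhost 445 "webmail.$DOMAIN"
```

Drop the generated .conf files into /etc/httpd/conf.d/ and run `httpd -t` before restarting; `openssl s_client -connect mail.palmettodomains.com:444 -servername mail.palmettodomains.com` then shows the wildcard cert being served on the new port.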