[CentOS] multiple signed ssl certificates on single IP address

Ara Avvali ara.avvali at bossaudio.com
Sun Mar 19 00:57:42 UTC 2006


Hi,
Thanks for the fast response.
A: is expensive and I can't do it. They want 10/IP per month, so for
about 10 sites we are talking 100 dollars a month.
B: is better if I could convince them, but as you stated we might face
problems with non-standard port numbers.
C: sounds fair and I need to search for it.

We have Plesk and I just saw this article. Do you think it is the
solution for my question?
http://www.digicert.com/ssl-certificate-installation-plesk.htm

Appreciate the help.

-----Original Message-----
From: centos-bounces at centos.org [mailto:centos-bounces at centos.org] On
Behalf Of Maciej Zenczykowski
Sent: Saturday, March 18, 2006 4:45 PM
To: CentOS mailing list
Subject: Re: [CentOS] multiple signed ssl certificates on single IP address

Due to the SSL specification it is _IMPOSSIBLE_ to have more than one
certificate on a given ip:port pair.  Why?  Because the certificate has
to be sent immediately after a connection to the ip:port pair _BEFORE_
the client sends information about _which_ website it intends to contact
(thus the server has no way to know which certificate, if many sites are
hosted on a given ip:port pair, to supply and must choose ONE).  As such
virtual nameservers and https are impossible to get working with
different certificates.

However, there are some solutions:

   a) get more IPs and host each https site on a different IP

   b) use different port numbers on the same IP

BOTH a and b allow different certificates per site, since they use
different host:ip pairs.

   c) use a single wildcard certificate or a certificate for more than
one site.  Basically a single certificate which is valid for both
abc.com and def.com.  Searching around on Google should reveal a wiki
with more information about how to do this and remain compatible with
the major web browsers (I think the link should also be in the CentOS
list archives).

It should be noted that solution (b) is impractical; many places allow
https traffic only on the default https/443 port.

Solution (a) is feasible and easy, however it requires extra public IPs
and will likely increase hosting costs.

Solution (c) is the cheapest, however I've yet to try implementing it.

[Further note: it is possible to run https over http on port 80 with
transparent upgrade, but most web browsers and proxies don't support
this and as such this is also not a viable solution...]

Cheers,
MaZe.

  On Sat, 18 Mar 2006, Ara Avvali wrote:

> Good afternoon everyone,
>
> This is my first post here. I was wondering if someone could clear my
> mind about this.
>
> I have a dedicated server with a single IP address assigned to it. I
> want to host a couple of sites which are hosted somewhere else and they
> have signed certificates. Now I want to host them all on this single
> server.
>
> Is it possible to bind more than one cert to a single IP-based Apache
> server and host multiple virtual directories?
>
> I did some research online and found a couple of answers which are all
> confusing me.
>
> One suggested that I need to get additional IPs and assign different
> sites to them. (Not a very practical solution)
>
> Another one says we can use the same cert and IP but have the secondary
> host on a different port number than the default. Something like
> https://www.abc.com and https://www.def.com:444 and so on. But this
> will cause people a warning regarding the certificate error on the
> second path, is that correct?
>
> Someone suggested a wildcard certificate, but how can I do that since
> the dedicated server name is a.dedicated.hostingcompany.com and I need
> to generate certificates covering *.abc.com and *.def.com?
>
> Would someone kindly clear my mind on this issue?
>
>
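
An added example, not part of the original thread: a Python check of which of the thread's hostnames a single certificate would cover, applying the standard rule that a wildcard dNSName stands for exactly one left-most label. The function names and the three subjectAltName lists are constructed for illustration; only the hostnames come from the messages above.

```python
# Added example: which hostnames one certificate can serve on a single ip:port.
# The SAN lists below are constructed; they are not taken from real certificates.

def name_matches(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a hostname (RFC 6125 style rules)."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and needs at
        # least two literal labels after it, so "*.com" is rejected.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered(san_list, hosts):
    """Return the hosts no SAN entry matches; these would trigger a name warning."""
    return [h for h in hosts if not any(name_matches(s, h) for s in san_list)]


# Sites from the thread that should share one IP on port 443.
SITES = ["www.abc.com", "abc.com", "www.def.com", "def.com"]

# Constructed SAN lists for three candidate certificates.
SERVER_NAME_ONLY = ["a.dedicated.hostingcompany.com"]
WILDCARD_ABC = ["*.abc.com"]
MULTI_DOMAIN = ["abc.com", "*.abc.com", "def.com", "*.def.com"]

if __name__ == "__main__":
    for label, sans in [("server name only", SERVER_NAME_ONLY),
                        ("wildcard for abc.com", WILDCARD_ABC),
                        ("multi-domain", MULTI_DOMAIN)]:
        print(f"{label:22} uncovered: {uncovered(sans, SITES)}")
```

The certificate's names are independent of the server's own hostname: what matters is that every site name served from the ip:port pair appears in, or is matched by, the one certificate presented there.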