[CentOS] multiple signed ssl certificates on single IP address
Aleksandar Milivojevic
alex at milivojevic.org
Sun Mar 19 06:09:49 UTC 2006
Ara Avvali wrote:
> Good afternoon everyone,
>
> This is my first post here. I was wondering if someone could clear my
> mind about this.
>
> I have a dedicated server with a single ip address assigned to it. I
> want to host a couple of sites which are hosted somewhere else and they
> have signed certificates. Now I want to host them all on this single
> server.
No, you can't have more than one certificate per IP address (other than
using different ports). The SSL handshake takes place before any data
is transmitted. Therefore, Apache doesn't know which of the virtual
webs the user is attempting to access.
However you can use the X509v3 Subject Alternative Name to store
multiple host names into it. For example, you could store something
like this into it:
SubjectAltName: DNS:www.foo.com, DNS:www.bar.com, IP: 1.2.3.4
(or something like that, syntax for IP could be IPAddr, not 100% sure).
Such a certificate would be valid for all of the following (users are not
going to get any warnings or annoying pop-up windows):
https://www.foo.com/
https://www.bar.com/
https://1.2.3.4/
However, there are a couple of problems with using X509v3 Subject
Alternative Name:
Not all web browsers might support it. Current versions of Internet
Explorer, Mozilla, and Firefox work correctly with such certificates,
but older versions might not (very old versions would ignore X509v3
extensions). Some obscure web browsers might not support it either.
You'll be using a single certificate for all virtual hosts. This might be
a problem if virtual hosts are owned by different people (if they know
anything about security, they'll insist on using their own certificates,
and simply refuse to use a shared certificate).
The biggest problem is, if you are buying a certificate from a well known
CA, you might have a hard time finding one that will sell you a certificate
with multiple host names in X509v3 Subject Alternative Name. Last time
I was checking (some years ago) there was none. Maybe the situation has changed
since then (or maybe some will do it on special request -- and a special fee).
For example, check the certificate at https://www.milivojevic.org/ (it
contains www.milivojevic.org in the CN, and there's a SubjectAltName in
the extensions for www.milivojevic.org and localhost).
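To make the name-matching behaviour described above concrete, here is an added example (not code from the thread or from CentOS/Apache) that models how a client decides whether the SubjectAltName certificate quoted in the reply covers a given URL host. It assumes RFC 6125 / RFC 2818 matching rules (SAN dNSName entries preferred, CN consulted only when no dNSName is present, IP literals matched only against iPAddress entries); the certificate fields are constructed to mirror the reply's example, and the honor_san=False switch models the very old clients that ignore X509v3 extensions.

```python
"""Hostname matching against a certificate's CN and X509v3 SubjectAltName.

Added example, not from the original thread. Matching rules follow
RFC 6125 / RFC 2818; the certificate values below are constructed.
"""
import ipaddress


def _dns_match(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Reject '*.com', 'w*.foo.com' and any label-count mismatch.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cn, san, host, honor_san=True):
    """True if a client connecting to `host` would accept this certificate.

    san: list of (type, value) pairs such as ("DNS", "www.foo.com") or
    ("IP", "1.2.3.4"). honor_san=False models clients that ignore X509v3
    extensions and therefore only ever look at the CN.
    """
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    san = san if honor_san else []
    if ip is not None:
        # IP literals match only iPAddress entries, never CN or dNSName.
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san)
    dns_names = [v for t, v in san if t == "DNS"]
    if dns_names:
        return any(_dns_match(n, host) for n in dns_names)
    return _dns_match(cn, host)  # legacy fallback: no dNSName present


# Constructed to mirror the reply's example:
# CN=www.foo.com, SubjectAltName: DNS:www.foo.com, DNS:www.bar.com, IP:1.2.3.4
EXAMPLE_CN = "www.foo.com"
EXAMPLE_SAN = [("DNS", "www.foo.com"), ("DNS", "www.bar.com"), ("IP", "1.2.3.4")]

if __name__ == "__main__":
    for h in ("www.foo.com", "www.bar.com", "1.2.3.4", "www.baz.com"):
        print(f"https://{h}/  SAN-aware: {cert_covers(EXAMPLE_CN, EXAMPLE_SAN, h)}"
              f"  SAN-ignoring: {cert_covers(EXAMPLE_CN, EXAMPLE_SAN, h, False)}")
```

Running it shows www.bar.com and 1.2.3.4 accepted only by SAN-aware clients, which is exactly the browser-support caveat in the reply.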