installing cert

sneakyimp

I am trying to install a certificate for one particular site on my server. I'm reading this:

http://www.fedoraforum.org/forum/archive/index.php/t-32602.html

Seems to me the path location they chose for the cert is not intended to be specific for one domain. Can my apache install capable of hosting multiple certs for multiple domains or will I have to set up some kind of virtual hosting situation?

MarkR

A limitation of HTTPS is that you cannot use more than one SSL certificate on one IP adress / port number. This limitation is not specific to Apache and applies to all web servers.

The bottom line is, you can set the SSL certificate on a per virtual host basis, but only if it's an IP-based (rather than name-based) virtual host.

If you want to run more than one SSL site with different certificates, you need to allocate more IP addresses or use different port numbers.

Mark

sneakyimp

Given that most HTTPS connections occur on port 443 (or something like that), how might a setup look to use different ports on a server? Would you need a firewall that receives https requests on port 443 and then maps them onto some other port for your actual web server?

MarkR

You wouldn't use ports other than 443 in a production environment. I only use them for testing.

In a production environment, you'd have to allocate one IP address per SSL site you wanted to run. This is unavoidable.

Mark

sneakyimp

Why is that? I was trying to describe some kind of proxy/firewall setup in my post whereby a client's browser would connect to the proxy on port 443 for SSL connections and that firewall/proxy would then connect to my webserver on my intranet on some other port. Is there something I'm missing about how the certs work?

MarkR

If you use a port other than 443, I think normal SSL certificates aren't valid.

But maybe they are - as I said, I've never used SSL on any other port in production.

If you are using a reverse-proxy to connect to your web server, you can have that do the SSL session handling and encryption / decryption, in which case none of the above applies, as your web server will be serving HTTP rather than HTTPS which will all be handled by your reverse proxy.

Mark