Are multi-host security certificates real?
Web Servers on Unix and Linux, July 2007 (archived thread)

laredotornado@zipmail.com 2007-07-26, 1:18 pm
Hi,
Is there such thing as a multihost security certificate? Here's what I
want to do: I have several domains (mydomain1.com, mydomain2.com,
mydomain3.com) all pointed at the same IP. We are running an Apache 2
web server on some kind of Linux system. Since Apache can only
install one security certificate, it would be great if that cert could
represent the three different domains and be from a trusted certificate
authority.
Does anyone know of any?
Thanks, - Dave

patpro ~ patrick proniewski 2007-07-26, 1:18 pm
In article <1185464592.055291.279360@e16g2000pri.googlegroups.com>,
"laredotornado@zipmail.com" <laredotornado@zipmail.com> wrote:
> Since Apache can only
> install one security certificate,
since when ?
You can have only one cert for one IP, but apache can handle tons of IP
> it would be great if that cert could
> represent the three different domains and be from a trusted certiciate
> authority.
>
> Does anyone know of any?
I use one cert for about 4-5 domains for almost 2 years now. Check CACert
<http://www.cacert.org>
<http://wiki.cacert.org/wiki/VhostTaskForce> (CN+SubjAltNames)
<http://wiki.cacert.org/wiki/VhostsApache> (apache config)
patpro
--
http://www.patpro.net/

Paul Rubin 2007-07-26, 7:17 pm
"laredotornado@zipmail.com" <laredotornado@zipmail.com> writes:
> Is there such thing as a multihost security certificate? Here's what I
> want to do: I have several domains (mydomain1.com, mydomain2.com,
> mydomain3.com) all pointed at the same IP. We are running an Apache 2
> web server on some kind of Linux system. Since Apache can only
> install one security certificate, it would be great if that cert could
> represent the three different domains and be from a trusted certificate
> authority.
No, that does not exist. There are wildcard certificates
"*.mydomain.com" which will match d1.mydomain.com, d2.mydomain.com,
etc. Apache can install as many certificates as you want but the
nature of HTTPS is that each port can serve only one domain.

patpro ~ patrick proniewski 2007-07-26, 7:17 pm
In article <7xhcnrm1o4.fsf@ruckus.brouhaha.com>,
Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:
> "laredotornado@zipmail.com" <laredotornado@zipmail.com> writes:
>
> No, that does not exist. There are wildcard certificates
> "*.mydomain.com" which will match d1.mydomain.com, d2.mydomain.com,
> etc.
they do exist, I use one.
--
http://www.patpro.net/

laredotornado@zipmail.com 2007-07-26, 7:17 pm
On Jul 26, 11:00 am, patpro ~ patrick proniewski
<pat...@boleskine.patpro.net> wrote:
> In article <1185464592.055291.279...@e16g2000pri.googlegroups.com>,
>
> "laredotorn...@zipmail.com" <laredotorn...@zipmail.com> wrote:
>
> since when ?
> You can have only one cert for one IP, but apache can handle tons of IP
>
>
>
> I use one cert for about 4-5 domains for almost 2 years now. Check CACert
>
> <http://www.cacert.org>
>
> <http://wiki.cacert.org/wiki/VhostTaskForce> (CN+SubjAltNames)
> <http://wiki.cacert.org/wiki/VhostsApache> (apache config)
>
> patpro
>
> -- http://www.patpro.net/
And these 4-5 domains all point to the same IP? Paul seems to imply
from the next post that this only works if all the domains pointing at
the same IP resemble
first.mydomain1.com
second.mydomain.com
third.mydomain.com
- Dave

Paul Rubin 2007-07-26, 7:17 pm
patpro ~ patrick proniewski <patpro@boleskine.patpro.net> writes:
>
> they do exist, I use one.
Thanks, that cacert page is very interesting, however the tricks
described look pretty marginal and I don't see anything about testing
in older browsers. If they're going to require browser upgrades, it
would be a lot better if they did an HTTP extension that allowed
running the whole thing on port 80, sending something like a (newly
defined) HTTP HELLO message and then doing STARTTLS as is done for
SMTP.

patpro ~ patrick proniewski 2007-07-26, 7:17 pm
In article <1185481005.041330.275070@22g2000hsm.googlegroups.com>,
"laredotornado@zipmail.com" <laredotornado@zipmail.com> wrote:
> And these 4-5 domains all point to the same IP? Paul seems to imply
> from the next post that this only works if all the domains pointing at
> the same IP resemble
they do 
check https://www.patpro.net/ the certificate contains the list of
domains.
patpro
--
http://www.patpro.net/

patpro ~ patrick proniewski 2007-07-26, 7:17 pm
In article <7x8x927v7r.fsf@ruckus.brouhaha.com>,
Paul Rubin <http://phr.cx@NOSPAM.invalid> wrote:
> patpro ~ patrick proniewski <patpro@boleskine.patpro.net> writes:
>
> Thanks, that cacert page is very interesting, however the tricks
> described look pretty marginal and I don't see anything about testing
> in older browsers. If they're going to require browser upgrades, it
> would be a lot better if they did an HTTP extension that allowed
> running the whole thing on port 80, sending something like a (newly
> defined) HTTP HELLO message and then doing STARTTLS as is done for
> SMTP.
well, if you try very old browsers (IE 5.2 for Mac, circa 2001, for
example), they fail. But these very old browsers are also very buggy and
very unsafe. If you don't upgrade for features, upgrade for security.
patpro
--
http://www.patpro.net/

laredotornado@zipmail.com 2007-07-27, 1:17 pm
On Jul 26, 4:09 pm, patpro ~ patrick proniewski
<pat...@boleskine.patpro.net> wrote:
> In article <1185481005.041330.275...@22g2000hsm.googlegroups.com>,
>
> "laredotorn...@zipmail.com" <laredotorn...@zipmail.com> wrote:
>
> they do
> check https://www.patpro.net/ the certificate contains the list of
> domains.
>
> patpro
>
> -- http://www.patpro.net/
When I clicked on your link in WinXP, IE 7, I get a page with the
wording ...
"There is a problem with this website's security certificate.
The security certificate presented by this website was not issued by
a trusted certificate authority.
Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this
website.
Click here to close this webpage.
Continue to this website (not recommended).
More information "
Is CACert a trusted certificate authority? Thanks, - Dave

Paul Rubin 2007-07-27, 1:17 pm
"laredotornado@zipmail.com" <laredotornado@zipmail.com> writes:
> Is CACert a trusted certificate authority? Thanks, - Dave
It's not configured as a trusted CA into most browsers as they ship, no.
You have to import the CA root into your browser if you want that message
to go away.
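Patpro's CN+SubjAltNames setup, Paul's point about what a wildcard does and does not match, and the exchange just above about importing a CA root can all be seen in one script. This is an added example, not code from the thread or from the CAcert wiki: it creates a throwaway private CA, has it issue one server certificate whose subjectAltName lists the three unrelated domains from Dave's question plus a wildcard, then uses openssl to show which hostnames that certificate covers and that the chain verifies only when the verifier is handed this CA's root. The domain names are the thread's placeholders; the CA names, file names and working directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not taken from the thread or from the CAcert wiki.
# Builds a throwaway private CA, has it issue one server certificate whose
# subjectAltName lists three unrelated domains plus a wildcard, then uses
# openssl to show (a) which hostnames that certificate covers and (b) that
# the chain verifies only when the verifier is given this CA's root.
# Domain names are the thread's placeholders; the CA names, file names and
# working directory are assumptions made for the example.
set -eu
WORK=$(mktemp -d)

# write_cnf FILE LINE... : minimal openssl config. The DN comes from -subj
# on the command line; the LINEs become the [ext] extension section.
write_cnf() {
    out=$1; shift
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = unused\n[ext]\n'
        printf '%s\n' "$@"
    } > "$out"
}

# 1. Two self-signed roots: "ours" issues the server cert, "other" stands in
#    for the roots a browser ships with (none of which know about ours).
write_cnf "$WORK/ca.cnf" 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash'
for ca in ours other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$ca root" \
        -config "$WORK/ca.cnf" -extensions ext \
        -keyout "$WORK/$ca.key" -out "$WORK/$ca.pem" 2>/dev/null
done

# 2. One server certificate for several unrelated names. The CN is only a
#    fallback: a client that sees DNS subjectAltName entries uses that list.
write_cnf "$WORK/leaf.cnf" 'basicConstraints = CA:FALSE' \
    'keyUsage = digitalSignature,keyEncipherment' 'extendedKeyUsage = serverAuth' \
    'subjectAltName = DNS:mydomain1.com,DNS:mydomain2.com,DNS:mydomain3.com,DNS:*.mydomain.com'
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mydomain1.com' \
    -config "$WORK/leaf.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ours.pem" -CAkey "$WORK/ours.key" \
    -CAcreateserial -days 30 -extfile "$WORK/leaf.cnf" -extensions ext \
    -out "$WORK/leaf.pem" 2>/dev/null

# cert_covers HOST -> exit 0 when the server cert matches HOST under the
# RFC 6125 rules that X509_check_host implements: exact SAN entries match,
# and a wildcard matches exactly one label, so *.mydomain.com covers
# d1.mydomain.com but neither mydomain.com nor a.b.mydomain.com.
cert_covers() {
    openssl x509 -in "$WORK/leaf.pem" -noout -checkhost "$1" | grep -q 'does match'
}

# chain_ok ROOT -> exit 0 when the server cert chains to ROOT. Failing
# against every root the client knows is what the browser reports as the
# "not issued by a trusted certificate authority" warning quoted above.
chain_ok() {
    openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

for host in mydomain1.com mydomain2.com www.mydomain1.com d1.mydomain.com mydomain.com; do
    if cert_covers "$host"; then echo "covered:     $host"; else echo "not covered: $host"; fi
done
chain_ok "$WORK/ours.pem"  && echo "chain OK with our root as the trust anchor"
chain_ok "$WORK/other.pem" || echo "chain fails against a root that did not issue it"
```

On the Apache side this maps onto a single `<VirtualHost *:443>` whose SSLCertificateFile and SSLCertificateKeyFile point at leaf.pem and leaf.key, with one of the names as ServerName and the others as ServerAlias entries. Without SNI (which httpd only gained in 2.2.12), every client connecting to that IP and port is handed whichever certificate the first SSL vhost on it configures, which is exactly why all the names have to live in that one certificate. The second half of the script is the IE7 warning in miniature: importing a root makes the chain verify on the machine where you imported it and nowhere else, so a certificate from a CA outside the browsers' default stores still warns every visitor who has not done that.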

laredotornado@zipmail.com 2007-07-27, 7:18 pm
On Jul 27, 12:17 pm, Paul Rubin <http://phr...@NOSPAM.invalid> wrote:
> "laredotorn...@zipmail.com" <laredotorn...@zipmail.com> writes:
>
> It's not configured as a trusted CA into most browsers as they ship, no.
> You have to import the CA root into your browser if you want that message
> to go away.
Thanks for your reply. Do you know of a site that sells these multi-
domain security certificates and is a trusted cert authority?
- Dave

patpro ~ patrick proniewski 2007-07-27, 7:18 pm
In article <1185547417.565150.202770@x35g2000prf.googlegroups.com>,
"laredotornado@zipmail.com" <laredotornado@zipmail.com> wrote:
> Is CACert a trusted certificate authority? Thanks, - Dave
if by "trusted certificate authority" you mean "inclusion into
mainstream browsers", no, not yet, but it's their goal #1.
but well, they are trustworthy, and free.
patpro
--
http://www.patpro.net/

Paul Rubin 2007-07-27, 7:18 pm
patpro ~ patrick proniewski <patpro@boleskine.patpro.net> writes:
> if by "trusted certificate authority" you mean "inclusion into
> mainstream browsers", no, not yet, but it's their goal #1.
Well, it's their fantasy #1. They are not getting much traction.
https://bugzilla.mozilla.org/show_bug.cgi?id=215243