My personal notes on all things technical and factual....

Clayton's Tech Bits

Search this site:

Custom Search

Wed, 01 Apr 2009

/Admin/Apache/HTTPS-SSL: Multiple SSL Certificates in Apache

As I noted in an earlier post, name-based virtual hosting "seemed" to be working. "Seemed". In fact, the virtual hosts were finding the correct web root and loading the correct site, but browsers were consistently giving an error to the effect that the domain name in the certificate and the domain name the browser was pointed to were not the same.

Someone on the cacert.org e-mail list[1] set me straight:

From: Pete Stephenson
To: cacert-support@lists.cacert.org
Subject: Re: Certificate somehow associated with wrong sub-domain?

Both subdomains share the same IP address.

SSL is IP-based, rather than name-based. Specifically, when a client
connects to a server, it establishes the SSL connection prior to
sending the HTTP Host header, so the server has no idea which specific
certificate to send. Depending on the server, it may send the first
certificate mentioned in the configuration file or do something else
entirely.

You can solve this by adding multiple SubjectAltNames to a certificate
(e.g. you'd have a SAN for apps.vancouversolidcomputing.com and
another one for vsc.vancouversolidcomputing.com all in a single
certificate) and telling your server to use the same certificate for
both subdomains.

More details, including a handy shell script which can generate the
required CSR (some options, like the RSA key length are manually
configurable in the shell script; it doesn't prompt the user for the
keylength), are available here:
http://wiki.cacert.org/wiki/VhostTaskForce

Cheers!
-Pete

So what I take from this is:

If one has more then one domain to which one wants / needs to assign more then one SSL certificate, then each domain / certificate needs its own IP address for IP-based virtual hosts.
If one uses just one certificate containing multiple SubjectAltNames one can get away with only one IP address and name-based virtual hosts.

This page[2] talks about the issue in general, and the various somewhat fuzzy and partially supported options -- "Currently the different browsers, servers and CAs all implement different and incompatible ways to use SSL certificates for several VHosts on the same server" -- this situation has not been entirely standardized yet!

This page[3] seems to recommend the cacert.org way to setup Apache with the right kind of multiple SubjectAltName certificate, complete with a script[4] for generating an appropriate Certificate Request and associated key. I used the script to generate the request, and sure enough:

out comes a Certificate Request with multiple SubjectAltNames.

I then replaced *all* certificates in my Apache virtual hosts with this new certificate, ie.

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/vancouversolidcomputing_crt.pem
SSLCertificateKeyFile /etc/apache2/ssl/vancouversolidcomputing_privatekey.pem

in each virtual host block for each sub-domain / web root.

The certificate now works flawlessly in Iceape (which apparently contains the cacert.org Certificate Authority information) and Internet Explorer still complains about an untrusted Certificate Authority. Neither complains about domain names not matching, which was happening before.

[3] contained several other directives in each of the SSL virtual host blocks:

UseCanonicalName On
SSLCipherSuite HIGH
SSLProtocol all -SSLv2

but I have so far found these unnecessary.

[1] https://lists.cacert.org/wws/info/cacert-support
[2] http://wiki.cacert.org/wiki/VhostTaskForce
[3] http://wiki.cacert.org/wiki/CSRGenerator
[4] http://svn.cacert.org/CAcert/Software/CSRGenerator/csr

posted at: 23:30 | path: /Admin/Apache/HTTPS-SSL | permanent link to this entry

Home

Contact

Resumé / C.V.

Links

Categories:

Archives:

Subscribe XML RSS Feed

Wed, 01 Apr 2009