Multiple domains on https (apache)

Aleksandar Milivojevic amilivojevic at pbl.ca
Thu Feb 24 16:14:05 UTC 2005


Mark wrote:
> I have posted a related question 2 weeks ago or so, now I wanted to actually try this...
> 
> I have 2 domains running on the same apache server (Version 2.0.50 from Fedora Core 1) with mod_ssl.
> I have 2 certificates, one for each domain.
> I set up the domains with the SSL configuration directives in each <VirtualHost>.
> The problem is, apache (or mod_ssl?) uses the first certificate for both domains/virtual hosts (or probably all 10 if I had that
> many).
> Is this normal or is there something wrong???

Mark,

This is normal, and there were some discussions in replies you already 
got why this is normal.

Here are some workarounds that may or may not be applicable to your case.

If you are using self-signed certificates, or if you are running your 
own CA, then one option could be to use one certificate instead of two. 
For the common name (CN) in the certificate, place the main name of your web 
server.  Then in the x509v3 extensions section, place something like this:

subjectAltName: DNS:www.domain1.com,DNS:www.domain2.com,IP:1.2.3.4

You can place as many DNS names and/or IP addresses inside as you wish. 
Browsers (at least a couple of browsers that I tested) will consider the 
certificate to be valid if the CN or any of the names in subjectAltName 
matches the host name in the URL.  Some will even consider it to be valid if 
a DNS lookup of www.domain1.com or www.domain2.com resolves to the IP 
address specified in subjectAltName.

I encourage you to test and see if this approach works for all web 
browsers you will be using (or expect visitors of your web site will be 
using), before jumping head first into implementing this solution.

If you need to have the certificate signed by a "well known" CA (the definition of 
"well known" is that its root certificate is distributed with major web 
browsers), you'll have to find one that will be willing to sell you such a 
certificate.  Most sell one certificate per domain only, or charge a 
fortune for something called a "wildcard certificate" (a certificate that 
has a "wildcard" in the CN, such as "*.domain.com").  If you manage to find 
one that will issue you a certificate with a subjectAltName field, they'll 
probably charge you for it as if you bought two certificates (since it 
will be valid for two domains).

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
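Added example (not from the thread or from Apache/mod_ssl): the hostname-matching rule the reply describes, applied to a subjectAltName string in the same `DNS:...,IP:...` form as above. It follows what current browsers do per RFC 6125, where the CN is consulted only when the certificate carries no DNS entries in subjectAltName, so the "main name" placed only in the CN would be rejected by modern clients; the DNS-resolves-to-IP leniency mentioned in the post is deliberately not implemented. All names and values are constructed.

```python
"""Match a URL host against a certificate's CN and subjectAltName.

Constructed example: no real certificate is parsed; the SAN string is the
text form used in an OpenSSL x509v3 extensions section.
"""
import ipaddress
from typing import List, Tuple

def parse_san(san: str) -> List[Tuple[str, str]]:
    """Split 'DNS:a,DNS:b,IP:1.2.3.4' into [(type, value), ...]."""
    entries = []
    for item in san.split(","):
        item = item.strip()
        if not item:
            continue
        kind, _, value = item.partition(":")
        entries.append((kind.strip().upper(), value.strip()))
    return entries

def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match. A leading '*.' covers exactly one label:
    '*.domain.com' matches 'www.domain.com' but not 'domain.com' or
    'a.b.domain.com'."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), host.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return pattern == host

def cert_matches_host(cn: str, san: str, host: str) -> bool:
    """True if the URL host is covered by the certificate.

    IP entries match only when the host is that literal IP address.
    DNS entries are matched with dns_name_matches(). The CN is used as a
    fallback only when subjectAltName contains no DNS entries (RFC 6125),
    which is the pitfall of putting the main name only in the CN."""
    entries = parse_san(san)
    try:
        host_ip = ipaddress.ip_address(host)
    except ValueError:
        host_ip = None
    if host_ip is not None:
        return any(k == "IP" and ipaddress.ip_address(v) == host_ip
                   for k, v in entries)
    if any(k == "DNS" and dns_name_matches(v, host) for k, v in entries):
        return True
    if not any(k == "DNS" for k, _ in entries):
        return dns_name_matches(cn, host)
    return False
```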
