
Re: off topic: Apache ssl configuration.



Hi,
Thanks for the help, there is another aspect that I don't understand.
If I am going to host several domains on the same machines using
virtual hosts. No problem buying more keys from Verisign.
Can I use several different keys in the same httpd.conf (under different
virtual ...). So several server.key, server.crt files would be for
the same server.
Thanks,
Zohar.
On Thu, 11 May 2000, Ilya Konstantinov wrote:

> On Thu, May 11, 2000 at 06:52:04PM +0300, Zohar Friling wrote:
> > Hello,
> > Please excuse my English, I hope that I will be clear enough.
> > I need help to understand the options I have while configuring apache-1.3.6
> > + mod_ssl-2.3.11-1.3.6 and a key from Verisign.
> > Unfortunately Verisign doesn't give much help, nor did I find
> > some info in HOWTOs.
> > 
> > I am now running my web server on several machines with one key and crt
> > file.
> > How can we host several web servers (different domains) on the
> > same machines using virtual server?
> > The domain names are not of the pattern *.domain.com, which enables
> > the use of a wildcard key file.
> > So I need to use more than one key, crt files.
> > How could I achieve that?
> > Is it possible?
> > If so, how can I configure that?
> 
> As a security measure, the domain name in the certificate's CN
> (Common Name) parameter must match your domain.
> Otherwise, in Netscape, you'll get only one warning screen
> (as opposed to about 4 you'll get if your certificate's not
> signed by a known CA). Don't know about IE.
> Modern browsers can also support wildcards in the CN
> (*.domain.com), but I'd guess the certificate authority will
> require more money for it (I know Thawte offers this, not sure
> about Verisign. Thawte is also more Linux-friendly,
> cheaper and even has an IRC technical support room.)
> 
> I'd suggest you just create some secure.domain.com vhost
> and do all your commerce on it. No way around it, since a key
> must match the public key, and the public key is digitally signed
> by the CA (and ANY modification will invalidate the signature.)
> 
> -- 
> Best regards,
> Ilya Konstantinov a.k.a Toastie
> [http://toast.demon.co.il]
> 
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
> 
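
An added example, not part of the original thread or of either poster's message: a Python sketch of the CN check described in the quoted reply, showing which virtual-host names a given certificate CN covers and which need a certificate of their own. The host names are constructed, and the wildcard rule used here (a `*` only as the whole leftmost label, standing for exactly one label) is an assumption about typical browser behaviour.

```python
"""Which vhost names does a certificate's CN cover? (constructed names)"""


def cn_matches(cn: str, host: str) -> bool:
    """Return True if `host` is covered by the certificate Common Name `cn`.

    Assumed rule: comparison is case-insensitive; a wildcard is honoured
    only as the entire leftmost label and stands for exactly one label.
    """
    cn_labels = cn.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cn_labels) != len(host_labels) or "" in host_labels:
        return False
    if cn_labels[0] == "*":
        # Refuse over-broad wildcards such as "*.com": require at least
        # two fixed labels after the wildcard.
        if len(cn_labels) < 3:
            return False
        return cn_labels[1:] == host_labels[1:]
    # No wildcard: every label must match exactly ("*" elsewhere is literal).
    return cn_labels == host_labels


def plan_certificates(vhosts, cns):
    """Map each vhost to the first CN that covers it, or None if uncovered."""
    return {h: next((cn for cn in cns if cn_matches(cn, h)), None) for h in vhosts}


def uncovered(vhosts, cns):
    """Vhosts a browser would warn about because no certificate CN matches."""
    return sorted(h for h, cn in plan_certificates(vhosts, cns).items() if cn is None)


if __name__ == "__main__":
    # Constructed sample: two unrelated domains served from one machine.
    vhosts = ["www.domain.com", "shop.domain.com", "domain.com", "www.other-shop.example"]
    cns = ["*.domain.com"]
    for host, cn in plan_certificates(vhosts, cns).items():
        print(f"{host:28} -> {cn or 'no matching certificate'}")
    print("need their own certificate:", uncovered(vhosts, cns))
```
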

