# Multiple certificates with name-based virtual hosts with 1 IP

## pmgas

Hi

I wonder if it is possible to use multiple X.509 SSL certificates with only one real IP on a system with many name-based virtual hosts under Apache 2.0.50?

Is it possible to use a separate certificate per domain?

My research results were contradictory ...

Thank you very much

best regards 

peda

----------

## intgr

 *pmgas wrote:*   

> I wonder if it is possible to use multiple X.509 SSL certificates with only one real IP on a system with many name-based virtual hosts under Apache 2.0.50?

 

No, it is not.

That's because the HTTPS certificate is sent to the client before the client provides the 'Host' HTTP header, therefore your server wouldn't know which certificate to supply.

----------

## tuxmin

Nope, it does not work. Here is the official statement from apache.org:

 *Quote:*   

> Why can't I use SSL with name-based/non-IP-based virtual hosts?
> 
> The reason is very technical. Actually it's some sort of a chicken and egg problem: The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established Apache/mod_ssl has to negotiate the SSL protocol parameters with the client. For this mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to dispatch to the correct virtual server Apache has to know the Host HTTP header field. For this the HTTP request header has to be read. This cannot be done before the SSL handshake is finished. But the information is already needed at the SSL handshake phase. Bingo!
> ...

 

----------

## pmgas

Hi guys

I love this forum!!!!! You are great, thank you very much!!

best regards

peda

----------

## Trejkaz

This is why we need STARTTLS for HTTP...

----------

## maalth

You can't use 443, but you can use extra ports for ssl.  I will post my config on this later.

----------

## Trejkaz

 *maalth wrote:*   

> You can't use 443, but you can use extra ports for ssl.  I will post my config on this later.

 

Do web browsers support SRV lookups?  If they do, then you could do this without users even having to know the other ports.

----------

## scoon

 *tuxmin wrote:*   

> Nope, it does not work. Here the official statement from apache.org:
> 
>  *Quote:*   
> 
> Why can't I use SSL with name-based/non-IP-based virtual hosts?
> ...

 

Hey there, 

Not to dig up a REALLY old topic, but..... What about domain certificates? I haven't been able to find anything about them. Any suggestions?

regards, 

scoon

----------

## intgr

 *Trejkaz wrote:*   

> Do web browsers support SRV lookups?

 

Don't hope. No HTTP client or library has a clue about SRV records, AFAIK. And even if one or two did support SRV, it would be useless without mainstream support.

 *scoon wrote:*   

> What about domain certificates?

 

What's a domain certificate? Sounds like vaporware, because name-based HTTPS virtual hosting is technically impossible.

----------

## scoon

 *intgr wrote:*   

> What's a domain certificate? Sounds like vaporware, because name-based HTTPS virtual hosting is technically impossible.

 

Here is what I am hoping. I have a domain foo.com. I want to make one certificate for that domain. So, other URLs like 123.foo.com and 456.foo.com will be able to use that "domain certificate".

Does this sound reasonable?

regards, 

scoon

----------

## UberLord

You can do that, just ensure that the common name is `*.foo.com`

----------

## Trejkaz

*.foo.com doesn't seem to work, actually.  Firefox displays the domain mismatch dialog box.

This method however, does not cause a problem:

https://host1.way3.vhosts.cacert.org/

https://host2.way3.vhosts.cacert.org/

----------

## tuxmin

I'm not sure what your two links are supposed to prove or not prove...

Anyway, it's been some time since I gave wildcard certificates a try -- but it works. You surely made a mistake when creating the certificate. Even some of the big CAs already sell wildcard certificates. So all modern browsers/webservers should handle them well.

Hth, Alex!!!

----------

## scoon

Hey there, 

Thanks. I'll try. 

regards, 

scoon

----------

## Trejkaz

 *tuxmin wrote:*   

> I'm not sure what your two links are supposed to prove or not prove...
> 
> Anyway, it's been some time since I gave wildcard certificates a try -- but it works. You surely made a mistake when creating the certificate. Even some of the big CAs already sell wildcard certificates. So all modern browsers/webservers should handle them well.

 

Well, I'm not saying they're not possible, I'm saying that using *.domainname.com is obviously NOT the way to do it.

----------

## scoon

Hey there(s), 

Well, I have tested out wildcard certificates and they just don't work when I roll them on my own. By not working, I mean that the browser complains that the certificate does NOT match the URL. I was hoping to be able to have one certificate that could be applied to multiple sites on a machine. It just doesn't seem possible. Anyway, thanks for the effort.

regards, 

scoon

----------

## Trejkaz

When you click the two links I pasted above, do they not work?  Those two different hostnames actually have the same certificate.  It isn't a wildcard certificate, but rather a certificate with subjectAltName for supporting multiple hosts.

----------

## scoon

 *Trejkaz wrote:*   

> When you click the two links I pasted above, do they not work?  Those two different hostnames actually have the same certificate.  It isn't a wildcard certificate, but rather a certificate with subjectAltName for supporting multiple hosts.

 

Hey now, 

That is very interesting. What about having more than 2 virtuals (more like 10+)?

regards, 

scoon

----------

## Trejkaz

I've been told it can be done, but I've never tried it.

I'm not sure CAcert (who I'm using for my certificate) actually permit subjectAltName in the first place, so it's hard to test for sure.

----------

## tuxmin

I guess you are on the wrong track. It's called a wildcard certificate as the CN has to be of the form *.mydomain

I used a CACert certificate for my tests, too -- as I laid out, it worked perfectly.

Hth, Alex!!!

----------

## Trejkaz

Well, all I know is that my *.trypticon.org resulted in an immediate warning when visiting trypticon.org or any of its subdomains.  At least with the CAcert one.

----------
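The disagreement above about `*.trypticon.org` and the subjectAltName certificate comes down to how a browser matches the names in a certificate against the URL host. The following is an added illustration, not code from this thread or from any browser; it implements the name-matching rules browsers apply (RFC 2818 / RFC 6125 behaviour as commonly implemented): a wildcard only stands in for exactly one left-most label, so `*.trypticon.org` covers `www.trypticon.org` but never the bare `trypticon.org`, and when a subjectAltName extension is present its dNSName entries are what get matched, with the CN used only as a legacy fallback. All host names are constructed for the example.

```python
# Added example: browser-style matching of certificate names against a
# URL host. Mirrors common RFC 2818 / RFC 6125 behaviour; all names
# below are constructed test values, not real deployments.

def match_cert_name(pattern: str, host: str) -> bool:
    """Match one certificate dNSName/CN (possibly a wildcard) against host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host                  # plain name: exact match
    # Browsers accept a wildcard only as the whole left-most label.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[1:]                        # "*.foo.com" -> ".foo.com"
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]                 # label(s) left of the suffix
    # Exactly one non-empty label: "www" matches; "" (bare domain) and
    # "a.b" (two levels deep) do not. This is why *.trypticon.org warns
    # for trypticon.org itself.
    return left != "" and "." not in left


def cert_matches_host(cert: dict, host: str) -> bool:
    """cert = {"cn": str, "san": [dNSName, ...]}.

    When a subjectAltName list is present it is authoritative and the CN is
    ignored (RFC 6125 section 6.4.4); the CN-only fallback is kept here to
    mirror the era of this thread. Current browsers require a SAN.
    """
    san = cert.get("san") or []
    candidates = san if san else [cert.get("cn", "")]
    return any(match_cert_name(n, host) for n in candidates if n)


def demo() -> dict:
    """Constructed certificates for the two cases argued over above."""
    wildcard = {"cn": "*.trypticon.org", "san": []}
    multi_san = {"cn": "host1.way3.vhosts.cacert.org",
                 "san": ["host1.way3.vhosts.cacert.org",
                         "host2.way3.vhosts.cacert.org"]}
    return {
        "wildcard_sub": cert_matches_host(wildcard, "www.trypticon.org"),
        "wildcard_bare": cert_matches_host(wildcard, "trypticon.org"),
        "wildcard_deep": cert_matches_host(wildcard, "a.b.trypticon.org"),
        "san_host2": cert_matches_host(multi_san, "host2.way3.vhosts.cacert.org"),
        "san_other": cert_matches_host(multi_san, "host3.way3.vhosts.cacert.org"),
    }
```

A certificate for ten or more virtual hosts is simply one with ten or more dNSName entries in the SAN list; the matching logic does not change with the count.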

## tuxmin

A warning about an unknown CA? Did you import the CAcert's root certificate into your browser?

Alex!!!

----------

