SSL connection with Apache and Ubuntu

Hello! I currently have two virtual hosts configured on my server. I need to create an HTTPS connection for both of the virtual hosts on my server. I have already created the certificate and the key using Comodo (www.comodo.com). My question is: To which file should I add the certificate, key and the .ca-bundle paths so the HTTPS connection starts working?

Thanks for your help!

9 Replies

There are tons of generic tutorials for installing SSL certificates with Apache. Any of them should work.

But not all certificates are equal. For example, some cheap certificates require an intermediate certificate to be installed as well. So it is best to refer to your certificate vendor's instructions. Most vendors have instructions for Apache somewhere on their website. Links to those instructions can usually be found in the e-mails they send you.

Also, if you want to secure two different sites, you'll probably need to buy another IP address.

Hi guys

I have a similar issue.

I want to host a few secure domains with different base names (secure.laraclaire.com.au and secure pierinadesigns.com.au). Can I do this using a single IP, and how?

We have two secure. certs for single domains

thanks

Quote:

I currently have two virtual hosts configured on my server. I need to create an HTTPS connection for both of the virtual hosts on my server. I have already created the certificate and the key using Comodo (www.comodo.com). My question is: To which file should I add the certificate, key and the .ca-bundle paths so the HTTPS connection starts working?

You can, but it depends on Server Name Indication support by both the server and the client. Without SNI, there's a catch-22: "normal" HTTP host-based virtual servers depend on the Host: header to tell the server which site is requested. With HTTPS, the headers aren't sent until after the channel is created and secured, which relies on the presentation of the certificate. And, without the headers, it (as originally designed) has no way of knowing which certificate to present.

SNI fixes this, but isn't universally supported. IE on Windows XP is probably the most notable browser/OS on the no-support list, though the default browser on Android 2.x is probably the most disappointing.
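The single-IP, SNI-based setup described above, as an added example that is not part of the original thread: two name-based HTTPS virtual hosts, each with its own certificate, key and CA bundle. The host names, file name, document roots and certificate paths are placeholders chosen for illustration, and the layout assumes Ubuntu's Apache packaging with mod_ssl enabled.

```apache
# /etc/apache2/sites-available/ssl-sites.conf   (hypothetical file name)
# Apache 2.2 also needs "NameVirtualHost *:443"; Apache 2.4 does not.
# Private keys belong in /etc/ssl/private, readable by root only.

# The first vhost on *:443 is the default: clients that do not send SNI
# always receive THIS certificate, so they see a name mismatch when they
# ask for the second site.
<VirtualHost *:443>
    ServerName   site-a.example
    DocumentRoot /var/www/site-a

    SSLEngine on
    # Server certificate issued by the CA (placeholder path)
    SSLCertificateFile      /etc/ssl/certs/site-a.example.crt
    # Matching private key (placeholder path)
    SSLCertificateKeyFile   /etc/ssl/private/site-a.example.key
    # Intermediate chain, i.e. the vendor's .ca-bundle file.
    # Deprecated from Apache 2.4.8: there, append the intermediates to
    # the SSLCertificateFile instead.
    SSLCertificateChainFile /etc/ssl/certs/site-a.example.ca-bundle
</VirtualHost>

# Second site on the same IP and port, selected by the SNI host name.
<VirtualHost *:443>
    ServerName   site-b.example
    DocumentRoot /var/www/site-b

    SSLEngine on
    SSLCertificateFile      /etc/ssl/certs/site-b.example.crt
    SSLCertificateKeyFile   /etc/ssl/private/site-b.example.key
    SSLCertificateChainFile /etc/ssl/certs/site-b.example.ca-bundle
</VirtualHost>
```

With a single certificate that lists both names in Subject Alternative Name, both virtual hosts would point at the same certificate, key and chain files. Running `apachectl configtest` before reloading catches path and syntax errors.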

It's also possible to run two SSL sites on the same IP if you run them on different ports. For example, you might run one site on port 443 (default) and the other on port 445. This doesn't work very well if you expect users to type the domain name into their browsers, but it's perfectly OK if you're using a script to redirect users, or if the SSL site is only used for login forms and the like.

What about "Subject Alternative Name" field?

@sweh:

What about "Subject Alternative Name" field?
That could work, but good luck finding a cheap SSL vendor that allows two unrelated domains to be tied to a single certificate. Also, whenever you add another domain, you'll have to get a new certificate.

On the other hand, if it's a self-signed certificate, you're free to do whatever you want.

@hybinet:

@sweh:

What about "Subject Alternative Name" field?

That could work, but good luck finding a cheap SSL vendor that allows two unrelated domains to be tied to a single certificate. Also, whenever you add another domain, you'll have to get a new certificate.

On the other hand, if it's a self-signed certificate, you're free to do whatever you want.

I am currently vhosting 2 SSL sites from a single cert using "Subject Alternative" (this avoids SNI and is compatible with earlier versions of Windows IE).

The cert I have purchased supports 5 Alternative names and was nice and cheap from 'GoDaddy'.

The nice chaps at Linode support helped me out when I thought I needed an extra IP - but tested successfully without SNI on a single IP using Windows IE6 with no problems!

@Deadpan110:

GoDaddy
Very interesting. GoDaddy was the last company I would have expected to sell certs with unrelated domains in the Subject Alternative Name field. Did you register all 5 domains with GoDaddy? Would it make a difference if I tried to add a non-GoDaddy domain?

@hybinet:

Very interesting. GoDaddy was the last company I would have expected to sell certs with unrelated domains in the Subject Alternative Name field. Did you register all 5 domains with GoDaddy? Would it make a difference if I tried to add a non-GoDaddy domain?

I have no domains registered with them - and to be fair, I have not used unrelated domains on it (mail.mydomain.tld, secure.mydomain.tld) - although the option within their SSL cert control panel does suggest you can use whatever you want.

I also initially had problems navigating their setup and phoned customer support who also indicated I could use whatever domain I wanted as Alternative (20 min call with 3 min wait from Aus to USA - wow… who wouldda thought it).

I am wanting to add an unrelated domain and will attempt to do so this weekend - so I will keep you posted.

Anyways… back to the subject of this post:

@ccane:

To which file should I add the certificate, key and the .ca-bundle paths so the HTTPS connection starts working?

Most good providers will/should give examples on how to use certs within your web server setup.

(remember your certs should always be treated as more personal than your crown jewels when deploying them - keep them secure and safe).

What a lot of companies do not provide are howtos on using these same certs for other services - you have purchased an SSL cert that can be used for other services (like SMTP, POP, IMAP etc) - but there is usually plenty of documentation available to get you up and running when you search for it.
