On Tue, Mar 09, 1999, James Simmons wrote:

> Yes I meant a single apache instance with more than one virtual host. Okay
> I make a different certification for each host. In the directions for
> mod_ssl you do a configure --with-apache=../  ...
> --with-crt=/path/to/your/sert.cert --with-key=/path/to/your/server.key.
> For multiple certifications you leave these options out. Also should you
> do a make certificate in this case? 

No, `make certificate' is a convenience service and nothing more.  When you
run HTTPS for production machines (and machines running more virtual hosts are
usually of this type), you usually get the cert/key from a public CA or at
least from other external sources. And because of the multiple virtual hosts
you have to edit the httpd.conf anyway. So, when you set up a large production
machine you will usually neither use --with-crt nor `make certificate'.
Instead you install with no cert/key, then adjust the configuration manually.

> For apache-ssl you  have to edit your
> httpd.conf file. Example for apache-ssl is 
> <VirtualHost 192.168.0.11:443>
>    ....
>    SSLCertificateKeyFile /path/to/my.key
>    SSLCertificateFile    /path/to/my.cert
>    SSLFakeBasicAuth
>    SSLVerifyDepth        10
>    SSLVerifyClient       0
>    SSLLogFile            /path/to/ssl_cipher_log
> </virtualHost>        
> 
> Does this also work for mod_ssl as well?

Sure, mod_ssl was originally derived from Apache-SSL (although in the meantime
only approx. 15% of Apache-SSL's code is remaining), so the above config
snippet works with mod_ssl, too. But when you use it directly as above, you
use the compatibility layer for mapping obsolete directive names. Instead I
recommend that you use the canonical mod_ssl syntax:

<VirtualHost 192.168.0.11:443>
    ....
    SSLCertificateKeyFile /path/to/my.key
    SSLCertificateFile    /path/to/my.cert
    SSLOptions            +FakeBasicAuth
    SSLVerifyDepth        10
    SSLVerifyClient       none
    SSLLog                /path/to/ssl_cipher_log
</VirtualHost>      
                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
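
An added example, not part of the thread and not mod_ssl code: a small audit of httpd.conf text that reports the three obsolete Apache-SSL directive forms rewritten in the reply above, and checks that each :443 virtual host has its own certificate and key. The function name audit, the second host address 192.168.0.12 and the sample text are assumptions constructed for illustration.

```python
import re

# Obsolete Apache-SSL form -> canonical mod_ssl form; only the three rewrites
# shown in the thread. Key is (directive, argument); None means any argument.
REWRITES = {
    ("sslfakebasicauth", None): "SSLOptions +FakeBasicAuth",
    ("sslverifyclient", "0"): "SSLVerifyClient none",
    ("ssllogfile", None): "SSLLog {arg}",
}
REQUIRED = ("sslcertificatefile", "sslcertificatekeyfile")

def audit(conf_text):
    """Return a list of (vhost_address, message) findings."""
    findings, cert_owner, vhost, seen = [], {}, None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            vhost, seen = opened.group(1).strip(), {}
        elif re.match(r"</VirtualHost>", line, re.I):
            if vhost and vhost.endswith(":443"):
                findings += [(vhost, "missing " + d) for d in REQUIRED if d not in seen]
            vhost = None
        elif vhost and line and not line.startswith("#"):
            parts = line.split(None, 1)
            name, arg = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
            seen[name] = arg
            new = REWRITES.get((name, arg)) or REWRITES.get((name, None))
            if new:
                findings.append((vhost, "obsolete %s -> %s" % (name, new.format(arg=arg))))
            if name == "sslcertificatefile" and cert_owner.setdefault(arg, vhost) != vhost:
                findings.append((vhost, "certificate shared with " + cert_owner[arg]))
    return findings

# Constructed sample: the Apache-SSL style host from the thread plus a second,
# hypothetical host that reuses its certificate and has no key configured.
SAMPLE = """\
<VirtualHost 192.168.0.11:443>
    SSLCertificateKeyFile /path/to/my.key
    SSLCertificateFile    /path/to/my.cert
    SSLFakeBasicAuth
    SSLVerifyClient       0
    SSLLogFile            /path/to/ssl_cipher_log
</VirtualHost>
<VirtualHost 192.168.0.12:443>
    SSLCertificateFile    /path/to/my.cert
    SSLVerifyClient       none
</VirtualHost>
"""
print("\n".join("%s: %s" % f for f in audit(SAMPLE)))
```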
