On Thu, 29 Mar 2018 17:13:10 +0200,
Michael Hekeler <[email protected]> wrote:
> On Thu, Mar 29, 2018 at 11:58:09AM +0200, Markus Rosjat wrote:
> > Hi there,
> >
> > It's not really an issue, but I noticed that if I want to substitute a path
> > for the TLS key or cert I get a syntax error from httpd -n.
> >
> > So is there some special syntax for this or is it simply not
> > possible to do something like
> >
> > tls_key ="/path/to/key"
> > tls_cert ="/path/to/cert"
> >
> > server "domain.tld" {
> >
> > tls {
> > key $tls_key
> > certificate $tls_cert
> > }
> >
> > }
>
> On 29.03.2018 17:13, Michael Hekeler <[email protected]> wrote:
> >
> > Why not type "/path/to/{ key,cert }" inside the tls declaration?
> > You don't have to use these filenames multiple times in httpd.conf.
> > Only once. So why do you want to define a macro for them?
> >
> SNI ? Server definitions with different name / root but the same
> certificate?
Ah - I see what you try to do...
But SNI doesn't mean one single certificate for multiple hostnames
(this you can do with multiple entries in the certificate subject alt
name).
SNI means to serve multiple hostnames on ONE IP address.
SNI is an extension by which a client (e.g. a web browser) indicates
(hence the name: server name INDICATION) one of these multiple
hostnames in the TLS handshake. Then the server can choose the
right certificate to present to the client.
So if you want to serve domain1, domain2 and domain3 each on https then
you need
cert1 for domain1 and
cert2 for domain2 and
cert3 for domain3
If every domain has its own IP then you don't need SNI.
But if all domains share the same ip, then the client and the server
must be SNI compatible.
When the client requests domain2 the server will be able to present
cert2.
Of course you can issue a single cert with domain1, domain2 and
domain3 in the certificate's subject name and configure the server to
present this cert on every request. But that's not SNI.
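An added illustration, not part of this thread or of httpd, of the mechanism Michael describes: a small Python sketch that pulls the host_name out of the server_name extension of a constructed TLS ClientHello and picks the matching certificate, falling back to a default when the client sent no SNI or an unknown name. The hostnames, cert labels and the sample hello are assumptions for the demo.

```python
import struct

def build_client_hello(host: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello record whose
    only extension is server_name (type 0) carrying one host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type 0 = host_name
    sni = struct.pack("!H", len(entry)) + entry                  # ServerNameList
    ext = struct.pack("!HH", 0, len(sni)) + sni                  # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"                    # version, random, empty session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type 22 = handshake

def parse_sni(record: bytes):
    """Return the host_name the client indicated, or None when the hello
    carries no server_name extension or is truncated/malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    p = 4 + 2 + 32                                   # handshake header, version, random
    try:
        p += 1 + hs[p]                               # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0] # cipher suites
        p += 1 + hs[p]                               # compression methods
        if p >= len(hs):
            return None                              # no extensions block at all
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            body, p = hs[p + 4:p + 4 + ext_len], p + 4 + ext_len
            if ext_type != 0:
                continue
            q = 2                                    # skip ServerNameList length
            while q + 3 <= len(body):
                name_type, name_len = body[q], struct.unpack("!H", body[q + 1:q + 3])[0]
                if name_type == 0 and q + 3 + name_len <= len(body):
                    return body[q + 3:q + 3 + name_len].decode("ascii")
                q += 3 + name_len
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                  # truncated or malformed hello
    return None

def choose_certificate(record: bytes, certs: dict, default: str) -> str:
    """Pick the cert for the indicated name; use the default when SNI is absent or unknown."""
    host = parse_sni(record)
    return certs.get(host, default) if host else default
```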