There are two ways to solve this.
1. Buy a certificate for each site you are securing, i.e. each specific
hostname.
2. Buy a wildcard certificate from Thawte. This is only cost effective for 5
or more sites.
It doesn't matter whether the hostname is an A or CNAME type record in your
DNS, but I'd recommend you use an A type where you can. I don't believe that
web browsers do any reverse lookup.
-
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
-----Original Message-----
From: Gary Algier [mailto:[EMAIL PROTECTED]]
Sent: 23 August 2000 16:25
To: modssl-users
Subject: SSL Certs and IP-Based Virtual Hosting
I am trying to figure out what an SSL Certificate is tied to. Is it
the value of ServerName, the canonical name from a reverse DNS
lookup, or the forward lookup? Or do all virtual hosts use the same
certificate?
For example:
I want to run multiple virtual servers on a single system:
ServerName            IP
first.mydomain.com    192.168.10.1
second.mydomain.com   192.168.10.2
however, let us say that the DNS says:
first.mydomain.com. IN CNAME server.mydomain.com
server.mydomain.com. IN A 192.168.10.1
second.mydomain.com. IN A 192.168.10.2
1.10.168.192.in-addr.arpa. IN PTR server.mydomain.com.
2.10.168.192.in-addr.arpa. IN PTR second.mydomain.com.
In other words, server.mydomain.com already exists and I just
want to use its IP address as first.mydomain.com.
So, what do I register with the Certificate Authority? If it is
tied to the reverse DNS, would I be better not running the web
server on the main IP address of server.mydomain.com and then put
first.mydomain.com on its own address?
I have seen messages to the effect that if one uses a web hosting
service it is their responsibility to get the certificate as it is
tied to their IP addresses in some way, however this does not make
sense to me in that if I do a forward and reverse lookup of our
company's web server (hosted outside), it looks like it is ours:
% host www.ulticom.com
www.ulticom.com has address 207.106.32.104
% host 207.106.32.104
104.32.106.207.IN-ADDR.ARPA domain name pointer www.ulticom.com
(I control the A record, they control the PTR record).
I have also seen mention in the archives (and FAQ) that name-based virtual
hosting does not work, but I am using IP-based virtual hosting.
--
Gary Algier, WB2FWZ [EMAIL PROTECTED] +1 856 787 2758
Ulticom Inc., 1020 Briggs Rd, Mt. Laurel, NJ 08054 Fax:+1 856 866 2033
This space intentionally left blank by the censors.
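The rule the thread is circling around, as an added illustration that is not part of either message: a TLS client compares the hostname it was asked to connect to (the virtual host's ServerName, as typed in the URL) against the names in the certificate; forward A/CNAME resolution and reverse PTR records play no part. The wildcard handling follows the usual RFC 6125 rule (one `*` as the whole leftmost label, at least two labels after it); the hostnames are the ones from the thread.

```python
# Added example, not code from the mailing list. Models how a browser decides
# whether a certificate covers the host it connected to. Only the requested
# hostname and the certificate's names matter; DNS A, CNAME and PTR records
# never enter into the comparison.

def _match_one(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, must be followed by at
    # least two labels ("*.com" is refused), and must not span label
    # boundaries, so the label counts have to agree.
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_host(cert_names, hostname):
    """True if any name in the certificate (CN or SAN) covers hostname."""
    return any(_match_one(name, hostname) for name in cert_names)


def check_vhosts(cert_names, server_names):
    """Map each ServerName to whether the given certificate would be accepted."""
    return {host: cert_matches_host(cert_names, host) for host in server_names}


if __name__ == "__main__":
    vhosts = ["first.mydomain.com", "second.mydomain.com"]
    # A cert for the reverse-DNS name server.mydomain.com helps neither vhost,
    # even though first.mydomain.com is a CNAME to it.
    print(check_vhosts(["server.mydomain.com"], vhosts))
    # One certificate per ServerName works, and so does a single wildcard.
    print(check_vhosts(["first.mydomain.com"], vhosts))
    print(check_vhosts(["*.mydomain.com"], vhosts))
```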
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]