> I don't think named virtual hosts work with SSL. But, IMHO, it may be possible to run another apache process or virtual host on port different from 443.

yes, or you hack the certificates a little bit ;o) to represent more than one domain name... this is working with mozilla-based and IE browsers at least... opera doesn't work so far - as I have discovered...
you actually simply abuse the subject alternative name field - and put all dns names in there - it's very important to start with the dns stuff, later on you can put IP and e-mail in there too if needed - but you have to start with the dns attributes...
then it's working... I'll add an example certificate which is actually working...
looks like those browsers scan the subject alternative name field of a certificate if they don't find a dns name in the subject; I'm not sure, if you have a dns name in the subject it may not work this way... so I just have a name there ;o) - I haven't taken a look at the mozilla sources so far - that's why it's only a guess - but it's working - and that's the important fact! (one may call this a bug of those web browsers, but actually it is still verifying the dns name against the certificate, so I think it's a feature in this case and I like it)
you can try with your browser - actually the website:
https://www.datenschleuder.org is just using the attached certificate
the necessary CA root cert you can get at http://www.datenschleuder.org/pki under "public interface" of the datenschleuder pki... enjoy testing
even without the root CA cert the web browser should only complain about an unknown issuer - but not about a wrong dns name...
usually you will see some apache errors and warnings during start-up with those manipulated certificates ;o) - since they don't really match the requirement of having the dns name in the subject field match the virtual host name and so on...
but it's a workaround for testing with just one IP - or even a production system - depends on the browsers used and the security requirements
greetings dalini
-------------------------------
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 15 (0xf)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: [EMAIL PROTECTED],CN=Datenschleuder Operational CA 001,OU=pki,O=datenschleuder,DC=org
        Validity
            Not Before: Dec 14 15:07:27 2003 GMT
            Not After : Dec 13 15:07:27 2004 GMT
        Subject: CN=Datenschleuder Webserver,DC=Server,O=Datenschleuder,DC=Org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c4:38:49:3b:d4:eb:02:cc:fe:5f:cc:a1:8a:40:
                    1d:e4:60:d7:cd:03:92:90:44:4a:c8:7a:d7:d0:40:
                    37:74:00:8c:fe:a5:64:66:88:a6:55:4e:1a:30:da:
                    b4:6b:be:b0:1b:65:58:a4:28:82:5d:6f:d9:9f:4c:
                    27:30:28:83:5a:12:04:58:f8:a8:e4:d8:ee:84:44:
                    15:97:40:1b:b0:2c:b9:98:d4:0c:2a:92:1e:16:f7:
                    bc:e7:bb:22:c1:cc:53:93:22:3e:84:21:8d:f1:3e:
                    3b:87:81:a6:10:16:3d:5c:f2:45:2f:16:59:04:44:
                    a1:df:6b:88:be:11:1b:57:d3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment, Data Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            Netscape Comment:
                WWW-Server of Datenschleuder
            X509v3 Subject Key Identifier:
                5B:88:C9:C8:18:F9:23:FF:39:60:72:0F:02:B9:6A:2E:D1:51:40:78
            X509v3 Authority Key Identifier:
                keyid:75:ED:B4:B4:A3:43:C3:5B:20:08:75:D6:A0:FF:B0:2B:B5:41:1B:4E
                DirName:/DC=org/O=datenschleuder/OU=pki/CN=Datenschleuder Operational CA 001/[EMAIL PROTECTED]
                serial:00
            X509v3 Subject Alternative Name:
                DNS:*.datenschleuder.org, DNS:*.fuekw.de, DNS:*.x-dense.org, DNS:www.schmuckkommo.de, IP Address:217.172.178.209, email:[EMAIL PROTECTED]
            X509v3 Issuer Alternative Name:
                email:[EMAIL PROTECTED]
            Netscape CA Revocation Url:
                http://www.datenschleuder.org/pki/ca-001/pub/crl/cacrl.crl
            Netscape Revocation Url:
                http://www.datenschleuder.org/pki/ca-001/pub/crl/cacrl.crl
            X509v3 CRL Distribution Points:
                URI:http://www.datenschleuder.org/pki/ca-001/pub/crl/cacrl.crl
                URI:ldap://ldap.datenscleuder.org/cn=Datenschleuder Operational CA 001,ou=pki,o=datenschleuder,dc=org?certificateRevocationList
    Signature Algorithm: sha1WithRSAEncryption
        d0:50:56:4c:5b:f4:82:70:b9:8f:eb:10:b6:64:6f:61:25:57:
        ec:54:85:c1:77:8a:7d:d1:25:9e:07:3f:56:ab:bc:55:51:f3:
        c4:69:a0:1d:d2:86:e3:97:32:df:87:ac:20:a1:98:5e:23:7e:
        a9:b2:a7:2f:7e:a8:9f:1d:63:5f:08:9f:17:37:75:06:03:6a:
        d7:dd:8a:19:ac:3a:f7:a4:e8:12:81:22:80:f0:37:68:fd:c7:
        63:a6:55:84:c6:e1:cd:1e:fb:d1:09:b8:15:f1:60:58:bb:f3:
        2d:86:67:0b:fe:3f:67:13:fe:fc:0c:b2:c4:18:83:87:9e:e4:
        07:65:06:49:ae:49:05:c9:ab:14:b2:cf:fa:43:25:39:46:61:
        20:17:04:9f:91:0c:30:c8:b6:0f:b8:c1:69:e7:23:dc:ac:04:
        d9:f8:b1:1a:2e:09:19:25:44:87:ef:95:8f:ed:a9:01:5c:db:
        a8:a6:7a:7d:c7:2b:86:0c:9d:e8:0b:56:fb:d2:41:da:8e:6c:
        67:c0:0a:e5:39:3f:87:d1:7e:c4:4f:dc:8a:fd:45:f2:6d:72:
        97:2e:04:0b:47:41:62:d5:e1:f3:bd:90:93:95:9d:f0:97:98:
        ae:21:17:05:af:55:b4:9f:5e:80:78:b6:4a:73:7b:db:dd:d9:
        fa:34:2e:44
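An added example (not from the post or the OpenCA project) of the SAN matching the post relies on: it parses the Subject Alternative Name line of the certificate above and checks hostnames against it with the usual RFC 6125 wildcard rules, so you can see which names the wildcards actually cover and which they do not (the CN is ignored once a SAN is present, which is what today's verifiers do).

```python
import ipaddress

# SAN line copied from the certificate dump above; the IP address and the
# e-mail placeholder are carried over as they appear there.
SAN_LINE = ("DNS:*.datenschleuder.org, DNS:*.fuekw.de, DNS:*.x-dense.org, "
            "DNS:www.schmuckkommo.de, IP Address:217.172.178.209, "
            "email:[EMAIL PROTECTED]")


def parse_san(line):
    """Split an openssl-style SAN value into (type, value) pairs."""
    entries = []
    for item in line.split(", "):
        kind, _, value = item.partition(":")
        entries.append((kind.strip(), value.strip()))
    return entries


def dns_name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, a wildcard is only
    allowed as the whole leftmost label and matches exactly one label,
    so *.example.org covers www.example.org but not example.org or
    a.b.example.org."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # reject partial wildcards (w*.example.org), extra wildcards, and *.tld
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_host(san_line, host):
    """True if host is covered by a DNS or IP Address SAN entry."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None  # not an IP literal: compare against DNS entries only
    for kind, value in parse_san(san_line):
        if kind == "DNS" and addr is None and dns_name_matches(value, host):
            return True
        if kind == "IP Address" and addr is not None \
                and ipaddress.ip_address(value) == addr:
            return True
    return False
```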
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users
