"Michael J. McGillick" wrote:
> Is there a way to use one certificate (I'm using a fake one right now,
> until I get this set up) for each virtual domain I want to set up, or does
> each domain need its own certificate?  In either event, has anyone ever
> done this, or know the steps to set this up?

Nope, every domain needs its own certificate.  I've included a shell
script that will help you easily generate certificates using openssl.
Read it :)

Because the HTTP request is made _after_ the SSL session is negotiated,
you'll have to run your hosts on different IPs (as others pointed out)
OR different ports.  Choose whichever you think will work for you.  You
can specify a port number in the <VirtualHost ...> tag, along with the
IP.

#!/bin/sh

#
# This is a self documenting shell script.  It is intended that you read
#  this file before executing it.
# There are a few things that should be checked further:
#  1) This script creates new private keys for every CSR.  As far as I know,
#     you can create any number of CSR's using the same key.  Are there any
#     advantages/disadvantages to creating news keys for each certificate?
#     Should we be reusing keys?
#  2) This script unencrypts the private key so that apache can use it.
#     Does apache-ssl need the key to function?  If not, we can avoid 
#     keeping an unencrypted key around, and avoid specifying that file
#     in apache's configs.
#
# This script should be run in /usr/local/ssl/certs.archive/<DOMAIN>/<YEAR>,
#  so that we can keep an archival copy of all certificates, and related
#  files.
# Once finished, the certificate should be placed in /usr/local/ssl/certs,
#  and the private key (unencrypted) should be in /usr/local/ssl/private
#
# All of the files in /usr/local/ssl/private should be mode 0400, and owned
#  by root.  Apache will read them as root, before it drops root permissions.
# The original keys should also be mode 0400 and owned by root.
#

PATH=$PATH:/usr/local/ssl/bin

#
# Give the domain name as the first argument to this script.
#
DOMAIN=$1
[ "$DOMAIN" = "" ] && {
        echo "No domain given"
        exit 1
}

#
# If you wish to have an organization's name attached to this certificate,
#  then it should be the second argument to this script.
# Because SSL does not require this field, no default is given.  However, 
#  Thawte may require an organization's name to be attached to a certificate,
#  so this script SHOULD be called as:
#  ./Generate_SSL_Certificate <DOMAINNAME> "<Organization Name>"
#
ORG=$2
[ "$ORG" = "" ] && {
        echo "No organization name given, using \".\""
        ORG="."
}
EMAIL=$3
[ "$EMAIL" = "" ] && {
        echo "No email address given, using [EMAIL PROTECTED]"
        # The default address is redacted in the list archive; set your own.
        EMAIL="[EMAIL PROTECTED]"
}

#
# The first step in generating a certificate is to generate a CSR, or
#  certificate request.  This step will also generate an encrypted, 
#  private key, called privkey.pem.  Don't lose this file, or the
#  password used to encrypt the key.  That would be bad.
#
openssl req -new > ${DOMAIN}.csr <<EOF
US
Washington
Ellensburg
${ORG}
.
${DOMAIN}
${EMAIL}


EOF


#
# Now, we remove the password (unencrypt) from the domain's private key.
# The resulting key is used by apache.
#
openssl rsa -in privkey.pem -out ${DOMAIN}.cert.key


#
# Finally, use the CSR (certificate request) and our own private key to
#  create a "self signed" certificate.  This certificate can be used 
#  until a certificate signed by a known authority (eg Thawte) is 
#  available.
#
openssl x509 -in ${DOMAIN}.csr          \
        -out ${DOMAIN}.cert             \
        -req -signkey                   \
        ${DOMAIN}.cert.key -days 365

#
# I'm renaming this file for consistency.
#
mv privkey.pem "$DOMAIN".privkey.pem


#
# We should now have the following files:
#  DOMAIN.privkey.pem           The PEM encrypted private key
#  DOMAIN.cert.key              The unencrypted private key used by apache
#  DOMAIN.csr                   The certificate request used by Thawte
#  DOMAIN.cert                  The certificate that we signed
#
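The two layouts the reply describes (one IP per SSL host, or one port per host on a shared IP), as an added configuration example that is not part of the original post; it uses mod_ssl-style directives, the addresses, hostnames and DocumentRoots are made up, and the cert/key paths assume the /usr/local/ssl layout from the script above.

```apache
# Added example, not from the original post.  Each SSL virtual host gets
# its own certificate and (unencrypted) key produced by the script.
# 192.0.2.x addresses and example.* names are constructed placeholders.

Listen 192.0.2.10:443
Listen 192.0.2.11:443
Listen 192.0.2.11:8443

# IP-based separation: the handshake finishes before any Host header is
# seen, so the destination address alone decides which certificate is sent.
<VirtualHost 192.0.2.10:443>
    ServerName            www.example.com
    SSLEngine             on
    SSLCertificateFile    /usr/local/ssl/certs/www.example.com.cert
    SSLCertificateKeyFile /usr/local/ssl/private/www.example.com.cert.key
    DocumentRoot          /var/www/www.example.com
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName            www.example.net
    SSLEngine             on
    SSLCertificateFile    /usr/local/ssl/certs/www.example.net.cert
    SSLCertificateKeyFile /usr/local/ssl/private/www.example.net.cert.key
    DocumentRoot          /var/www/www.example.net
</VirtualHost>

# Port-based separation on the same address: clients must request
# https://www.example.org:8443/ explicitly.
<VirtualHost 192.0.2.11:8443>
    ServerName            www.example.org:8443
    SSLEngine             on
    SSLCertificateFile    /usr/local/ssl/certs/www.example.org.cert
    SSLCertificateKeyFile /usr/local/ssl/private/www.example.org.cert.key
    DocumentRoot          /var/www/www.example.org
</VirtualHost>

# The key files under /usr/local/ssl/private are read once at startup while
# httpd is still root, so keep them mode 0400 and root-owned as the script's
# header says; nothing in the running (unprivileged) children needs them.
```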
