On Tue, Mar 09, 1999, James Simmons wrote:
> Yes I meant a single apache instance with more than one virtual host. Okay
> I make a different certification for each host. In the directions for
> mod_ssl you do a configure --with-apache=../ ...
> --with-crt=/path/to/your/sert.cert --with-key=/path/to/your/server.key.
> For multiple certifications you leave these options out. Also should you
> do a make certificate in this case?
No, `make certificate' is a convenience service and nothing more. When you
run HTTPS for production machines (and machines running more virtual hosts are
usually of this type), you usually get the cert/key from a public CA or at
least from other external sources. And because of the multiple virtual hosts
you've to edit the httpd.conf anyway. So, when you set up a large production
machine you will usually neither use --with-crt nor `make certificate'.
Instead you install with no cert/key, then adjust the configuration manually.
> For apache-ssl you have to edit your
> httpd.conf file. Example for apache-ssl is
> <VirtualHost 192.168.0.11:443>
> ....
> SSLCertificateKeyFile /path/to/my.key
> SSLCertificateFile /path/to/my.cert
> SSLFakeBasicAuth
> SSLVerifyDepth 10
> SSLVerifyClient 0
> SSLLogFile /path/to/ssl_cipher_log
> </virtualHost>
>
> Does this also work for mod_ssl as well?
Sure, mod_ssl was originally derived from Apache-SSL (although in the meantime
only approx. 15% of Apache-SSL's code is remaining), so the above config
snippet works with mod_ssl, too. But when you use it directly as above, you
use the compatibility layer for mapping obsolete directive names. Instead I
recommend you to use the canonical mod_ssl syntax:
<VirtualHost 192.168.0.11:443>
....
SSLCertificateKeyFile /path/to/my.key
SSLCertificateFile /path/to/my.cert
SSLOptions +FakeBasicAuth
SSLVerifyDepth 10
SSLVerifyClient none
SSLLog /path/to/ssl_cipher_log
</VirtualHost>
Ralf S. Engelschall
www.engelschall.com
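Added example, not part of the original message and not mod_ssl's own code: a small Python audit that rewrites the obsolete Apache-SSL directive names from the thread into the canonical mod_ssl syntax and records which certificate and key each virtual host sets. The function name, the second virtual host and its paths are constructed for illustration; SSLVerifyClient levels other than the 0 -> none case shown in the thread are an assumption taken from mod_ssl's compatibility documentation.

```python
# Obsolete Apache-SSL names from the thread -> canonical mod_ssl spelling.
RENAMES = {"sslfakebasicauth": "SSLOptions +FakeBasicAuth", "ssllogfile": "SSLLog"}
# Apache-SSL numeric SSLVerifyClient levels -> mod_ssl keywords (only 0 -> none
# is in the thread; the others are assumed from mod_ssl's compatibility docs).
VERIFY = {"0": "none", "1": "optional", "2": "require", "3": "optional_no_ca"}
# Per-vhost files to inventory; a vhost without a key entry may keep its key
# inside the certificate file, so None for "key" is a prompt to check, not an error.
CERT_KEYS = {"sslcertificatefile": "cert", "sslcertificatekeyfile": "key"}

def audit(conf):
    """Return (rewritten text, [(line no, old, new)], {vhost: {"cert", "key"}})."""
    out, notes, hosts, cur = [], [], {}, None
    for n, line in enumerate(conf.splitlines(), 1):
        name, arg = (line.split(None, 1) + ["", ""])[:2]
        key, arg, new = name.lower(), arg.strip(), None
        if key == "<virtualhost":
            cur = hosts.setdefault(arg.rstrip("> "), {"cert": None, "key": None})
        elif key.startswith("</virtualhost"):
            cur = None
        elif key in CERT_KEYS and cur is not None:
            cur[CERT_KEYS[key]] = arg
        elif key in RENAMES:
            new = (RENAMES[key] + " " + arg).rstrip()
        elif key == "sslverifyclient" and arg in VERIFY:
            new = "SSLVerifyClient " + VERIFY[arg]
        if new:  # keep the original indentation, swap in the canonical directive
            notes.append((n, line.strip(), new))
            line = line[: len(line) - len(line.lstrip())] + new
        out.append(line)
    return "\n".join(out), notes, hosts

# Constructed sample: the vhost from the thread plus a made-up second one.
SAMPLE = """\
<VirtualHost 192.168.0.11:443>
SSLCertificateKeyFile /path/to/my.key
SSLCertificateFile /path/to/my.cert
SSLFakeBasicAuth
SSLVerifyClient 0
SSLLogFile /path/to/ssl_cipher_log
</VirtualHost>
<VirtualHost 192.168.0.12:443>
SSLCertificateFile /path/to/other.cert
SSLVerifyClient 2
</VirtualHost>
"""

if __name__ == "__main__":
    text, notes, hosts = audit(SAMPLE)
    print(text, notes, hosts, sep="\n")
```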