Posted to users@httpd.apache.org by saibaba Duggirala <sa...@yahoo.com> on 2007/03/08 16:21:35 UTC
[users@httpd] Re: adding multiple SSLCACertificateFile in vhost.conf
hi,
can anyone please let me know what is the procedure to add multiple SSLCACertificateFile in vhost.conf in apache
So far we have been using only one file, shown below in vhost.conf
SSLCACertificateFile conf/ssl/nsm_ca1.cr
We would like to use another root certificate along with the above one, so is it as simple as adding another line like above
SSLCACertificateFile conf/ssl/nsm_ca_2.cr in vhost file or is there something else that I should be doing
Thanks,
saibaba
Re: [users@httpd] Re: adding multiple SSLCACertificateFile in vhost.conf
Posted by Krist van Besien <kr...@gmail.com>.
On 3/8/07, saibaba Duggirala <sa...@yahoo.com> wrote:
> What if the second cert we took from a diff company
That one should already be valid also, so just swap certs and restart
your server.
> In general the server should be able to support multiple CA certificate
> files right? Our web browsers do that now - isn't it - correct me please if
> I am wrong
You are. Apache can't support multiple certs on one single IP. How is
apache to know which cert to send to a browser upon connecting?
Krist
--
krist.vanbesien@gmail.com
Bremgarten b. Bern, Switzerland
--
A: It reverses the normal flow of conversation.
Q: What's wrong with top-posting?
A: Top-posting.
Q: What's the biggest scourge on plain text email discussions?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] Re: adding multiple SSLCACertificateFile in vhost.conf
Posted by matt farey <ma...@gmail.com>.
saibaba Duggirala wrote:
> What if the second cert we took from a diff company
> In general the server should be able to support multiple CA
> certificate files right? Our web browsers do that now - isn't it
> - correct me please if I am wrong
>
Limitation of Apache, 1 SSL vhost per IP.
BUT this article does explain how to get round it, hence why I sent it
to you:
http://www-128.ibm.com/developerworks/web/library/wa-multissl.html#resources
you could use another port as well.
> so in vhost.conf for scurehttps the following should be able to work
> -right
> #old one
> SSLCACertificateFile conf/ssl/nsm_ca.crt
> #new one
> SSLCACertificateFile conf/ssl/Commercial_CPE_Root_Cert.pem
>
> #these are left as before
> SSLCertificateFile conf/ssl/nsm.crt
> SSLCertificateKeyFile conf/ssl/nsm.key
> SSLCertificateChainFile conf/ssl/nsm.crt
>
--
Matthew Farey
Re: [users@httpd] Re: adding multiple SSLCACertificateFile in vhost.conf
Posted by saibaba Duggirala <sa...@yahoo.com>.
What if the second cert we took from a diff company
In general the server should be able to support multiple CA certificate files right? Our web browsers do that now - isn't it - correct me please if I am wrong
so in vhost.conf for scurehttps the following should be able to work -right
#old one
SSLCACertificateFile conf/ssl/nsm_ca.crt
#new one
SSLCACertificateFile conf/ssl/Commercial_CPE_Root_Cert.pem
#these are left as before
SSLCertificateFile conf/ssl/nsm.crt
SSLCertificateKeyFile conf/ssl/nsm.key
SSLCertificateChainFile conf/ssl/nsm.crt
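Added example, not part of the original thread: mod_ssl documents SSLCACertificateFile as one file holding the concatenated PEM certificates of every CA accepted for client authentication, and a repeated directive in the same context replaces the earlier value rather than adding to it. The script below checks the directives as posted and builds a single bundle; the bundle name ca-bundle.crt and the placeholder PEM bodies are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Paths are those quoted in the post;
# ca-bundle.crt and the PEM bodies below are constructed for illustration.

# Print every SSLCACertificateFile argument in a config fragment, in order.
# Commented-out lines are skipped; assumes paths without spaces.
ca_directives() {
    awk 'tolower($1) == "sslcacertificatefile" { print $2 }' "$1"
}

# A later SSLCACertificateFile in the same context replaces the earlier
# one, so only the last value is loaded.
effective_ca_file() {
    ca_directives "$1" | tail -n 1
}

# Count PEM certificate blocks in a file.
count_certs() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# Concatenate CA certificates into one bundle. Rejects unreadable inputs,
# inputs without a certificate, and inputs holding a private key; copies
# only the certificate blocks so CRLF and stray text are dropped.
build_ca_bundle() {
    out=$1; shift
    : > "$out.tmp" || return 1
    for f in "$@"; do
        if [ ! -r "$f" ]; then why="not readable"
        elif grep -q -e 'PRIVATE KEY-----' "$f"; then why="contains a private key"
        elif [ "$(count_certs "$f")" -eq 0 ]; then why="no PEM certificate found"
        else why=
        fi
        if [ -n "$why" ]; then
            echo "refusing $f: $why" >&2
            rm -f "$out.tmp"
            return 1
        fi
        tr -d '\r' < "$f" | awk '
            /^-----BEGIN CERTIFICATE-----/ { keep = 1 }
            keep { print }
            /^-----END CERTIFICATE-----/ { keep = 0 }' >> "$out.tmp"
    done
    mv "$out.tmp" "$out"
}

# --- demonstration on constructed files ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
mkdir -p "$work/conf/ssl"

# The CA directives as posted in the thread (constructed copy).
cat > "$work/vhost.conf" <<'EOF'
#old one
SSLCACertificateFile conf/ssl/nsm_ca.crt
#new one
SSLCACertificateFile conf/ssl/Commercial_CPE_Root_Cert.pem
EOF

# Placeholder PEM files: markers only, bodies are not real certificates.
for n in nsm_ca.crt Commercial_CPE_Root_Cert.pem; do
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "PLACEHOLDER-$n" \
        '-----END CERTIFICATE-----' > "$work/conf/ssl/$n"
done

echo "file actually loaded: $(effective_ca_file "$work/vhost.conf")"

# One bundle, one directive: both roots are then accepted.
( cd "$work" && build_ca_bundle conf/ssl/ca-bundle.crt $(ca_directives vhost.conf) )
echo "bundle holds $(count_certs "$work/conf/ssl/ca-bundle.crt") CA certificates"
echo "SSLCACertificateFile conf/ssl/ca-bundle.crt"
```

On real files, inspect each certificate before bundling with `openssl x509 -in FILE -noout -subject -enddate`; SSLCACertificatePath is the directory-based alternative to a single bundle.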
Re: [users@httpd] Re: adding multiple SSLCACertificateFile in vhost.conf
Posted by matt farey <ma...@gmail.com>.
Dan_Mitton@Notes.YMP.GOV wrote:
>
> Why would you need to support both SSL certificates? From what I've
> seen (at least with Verisign) when you renew a certificate, it adds
> the renewal period to the end of your current expiration period, but
> is valid from the date you renew! As soon as you get the new
> certificate, you should be able to use it. You don't need to wait for
> the old one to expire to do the swap.
>
>
good point!
--
Matthew Farey
Re: [users@httpd] Re: adding multiple SSLCACertificateFile in vhost.conf
Posted by Da...@Notes.YMP.GOV.
Why would you need to support both SSL certificates? From what I've seen
(at least with Verisign) when you renew a certificate, it adds the renewal
period to the end of your current expiration period, but is valid from the
date you renew! As soon as you get the new certificate, you should be
able to use it. You don't need to wait for the old one to expire to do
the swap.
Re: [users@httpd] Re: adding multiple SSLCACertificateFile in vhost.conf
Posted by matt farey <ma...@gmail.com>.
saibaba Duggirala wrote:
> yes, more than one SSL enabled
> servername on a single IP address, single NIC
>
> The current certificate is expiring in a couple of months so we want to
> seamlessly support the current one until it expires along with the new
> one
>
>
as far as I am aware SSL certs cannot be combined on a single IP, you
need to either use 2 NICs or use IP aliasing to bind 2 IP addresses to a
single NIC, and then in your vhost conf you can set up the certs one
each per IP, here's a short article:
http://www-128.ibm.com/developerworks/web/library/wa-multissl.html#resources
matt
Re: [users@httpd] Re: adding multiple SSLCACertificateFile in vhost.conf
Posted by saibaba Duggirala <sa...@yahoo.com>.
yes, more than one SSL enabled
servername on a single IP address, single NIC
The current certificate is expiring in a couple of months so we want to seamlessly support the current one until it expires along with the new one
Re: [users@httpd] Re: adding multiple SSLCACertificateFile in vhost.conf
Posted by matt farey <ma...@gmail.com>.
saibaba Duggirala wrote:
> hi,
> can anyone please let me know what is the procedure to add multiple
> SSLCACertificateFile in vhost.conf in apache
>
> So far we have been using only one file, shown below in vhost.conf
> SSLCACertificateFile conf/ssl/nsm_ca1.cr
>
> We would like to use another root certificate along with the above one
> , so is it as simple as adding another line like above
> SSLCACertificateFile conf/ssl/nsm_ca_2.cr in vhost file or is there
> something else that I should be doing
>
>
> Thanks,
> saibaba
depends on your setup, are you trying to host more than one SSL enabled
servername on a single IP address, single NIC, or what?
--
Matthew Farey