26 Jan 2009 hands   » (Master)

HTTPS VirtualHosts

Until a couple of weeks ago, I was under the impression that one could only have a single HTTPS site per IP address, but it seems I was wrong.

The procedure is described here on the CAcert wiki.

In short, you need multiple SubjectAltName fields on your server's certificate, such that all the VirtualHost names that you want to work are either directly mentioned, or will match via wildcards.

The page above includes a link to a nice script that generates a key and CSR (Certificate Signing Request) ready to be pasted into CAcert's Server Certificate page.

Note: the CN is pretty much ignored by some browsers, so you'll want to put the machine's main name as one of the SubjectAltNames as well.
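To check before requesting the certificate that every VirtualHost name is actually covered, here is an added example (not from this post or from the CAcert wiki). The hostnames, the Apache snippet and the SAN list are constructed samples, and the matcher assumes the common rule that `*` stands for exactly one leftmost label.

```python
import re

# Constructed sample: an Apache SSL site file with two name-based vhosts.
APACHE_CONF = """\
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.example.org:443
    ServerAlias example.org
</VirtualHost>
<VirtualHost *:443>
    ServerName mail.example.org
    ServerAlias webmail.mail.example.org
</VirtualHost>
"""
# Constructed sample: dNSName entries planned for the SubjectAltName field.
SANS = ["www.example.org", "*.example.org"]

def vhost_names(conf):
    """Collect every ServerName/ServerAlias hostname, dropping any :port."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"\s*Server(?:Name|Alias)\s+(.+)", line, re.I)
        if m:
            names.extend(n.split(":")[0].lower() for n in m.group(1).split())
    return names

def san_matches(san, host):
    """Exact match, or '*' standing in for exactly one leftmost label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]

def uncovered(conf, sans):
    """Return the vhost names that no SubjectAltName entry covers."""
    return [h for h in vhost_names(conf)
            if not any(san_matches(s, h) for s in sans)]

if __name__ == "__main__":
    for host in uncovered(APACHE_CONF, SANS):
        print("not covered by certificate:", host)
```

With the sample data, the bare domain and the two-level subdomain are reported: a wildcard entry covers neither, so each needs its own SubjectAltName.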

BTW if you get a warning like:

    [warn] _default_ VirtualHost overlap on port 443, the first has precedence

you probably need to add

    NameVirtualHost *:443

to your /etc/apache2/sites-enabled/ssl before the <VirtualHost *:443> line.

Of course, this glosses over the details of doing things like setting your name and address in the certificate, but since CAcert will strip all that out anyway, it only matters if you wanted to get it signed by someone else. Even so, this should get you started -- you can always edit those details into the CSR script.

Syndicated 2008-12-08 19:26:23 from chezfil
