[Cialug] SSL & private key ?

Barry Von Ahsen barry at vonahsen.com
Tue Jun 5 13:26:40 CDT 2007


yes, each https site will have its own key pair/crt, then you specify 
them in your apache config

so in your setup, you'd have
/home/site1/www.site1.key (or www.site1.pem)
/home/site1/www.site1.csr
/home/site1/www.site1.crt
/home/site2/www.site2.key
/home/site2/www.site2.csr
/home/site2/www.site2.crt

then in apache:
<VirtualHost 1.2.3.4:443>
	Servername www.site1.com
	SSLCertificateFile /home/site1/www.site1.crt
	SSLCertificateKeyFile /home/site1/www.site1.key
</VirtualHost>
<VirtualHost 1.2.3.5:443>
	Servername www.site2.com
	SSLCertificateFile /home/site2/www.site2.crt
	SSLCertificateKeyFile /home/site2/www.site2.key
</VirtualHost>

as Josh said, I would keep them out of the user's hands as much as 
possible, either /etc/ssl/apache2 or /etc/httpd/conf/ssl.*

-barry


albus wrote:
> I have the virtual hosts all using different IP #'s already just for that 
> reason.
> 
> So do I create the private key in the other user's home www dir then as 
> root again?
> 
> Or does someone have a link or howto I can read on?
> 
> 
> ----- Original Message ----- From: "Josh More" 
> <morej at alliancetechnologies.net>
> To: "Central Iowa Linux Group" <cialug at cialug.org>
> Sent: Tuesday, June 05, 2007 11:49 AM
> Subject: Re: [Cialug] SSL & private key ?
> 
> 
>> Apache uses SSL private keys and certs as paired for each virtual host.
>> If I understand your question, you are wanting to know whether to use
>> the same private key for all virtual hosts.  The answer is NO.
>> You need to create a unique private key and cert for each virtual host
>> that you wish to protect.
>>
>> Also, please bear in mind that HTTPS traffic is encrypted, so you will
>> need to segment your virtual hosts at the network level.  This means
>> using a unique IP or port number for each host you run.  Otherwise, the
>> server doesn't know how to decrypt the packet to get the name of the
>> virtual host.
>>
>> I hope this answers your question.
>>
>>
>>
>>
>> -Josh More, RHCE, CISSP, NCLP, GIAC morej at alliancetechnologies.net 
>> 515-245-7701
>>
>>
>>
>>>>> "albus" <albus at iowaconnect.com> 06/05/07 11:21 AM >>> 
>> To start off, here's the background
>>
>> 1. I created a private key as root in the user's dir.
>> 2. I generated the csr in the user's dir.
>> 3. I have the cert installed in the user's dir and https all works for
>> the site.
>>
>> Now the question.
>>
>> When I go to do another site's SSL cert, does the server
>> use the same private key for all requests?
>>
>> Info:
>> Apache server with openssl and mod_ssl.
>>
>> _______________________________________________
>> Cialug mailing list
>> Cialug at cialug.org
>> http://cialug.org/mailman/listinfo/cialug
>>
>>
> 

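An added example, not part of the original thread and not any poster's own code: a small Python audit that parses `<VirtualHost>` blocks like the ones in Barry's reply and flags a private key reused across hosts or stored under a user's home directory. The function names, the `/home/` prefix check and the sample config are assumptions constructed for illustration; it assumes unquoted paths and one directive per line.

```python
import re
# Constructed sample, not from the thread: site2 points at site1's key.
SAMPLE_CONF = """
<VirtualHost 1.2.3.4:443>
    ServerName www.site1.com
    SSLCertificateFile /home/site1/www.site1.crt
    SSLCertificateKeyFile /home/site1/www.site1.key
</VirtualHost>
<VirtualHost 1.2.3.5:443>
    ServerName www.site2.com
    SSLCertificateFile /home/site2/www.site2.crt
    SSLCertificateKeyFile /home/site1/www.site1.key
</VirtualHost>
<VirtualHost 1.2.3.6:443>
    ServerName www.site3.com
    SSLCertificateFile /etc/ssl/apache2/www.site3.crt
    SSLCertificateKeyFile /etc/ssl/apache2/www.site3.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block (directive names lower-cased)."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        d = {"addr": addr.strip()}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if parts and not parts[0].startswith("#"):
                d[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
        vhosts.append(d)
    return vhosts

def audit(conf, user_roots=("/home/",)):
    """Return sorted (issue, vhost, key_path) findings for the TLS vhosts."""
    findings, users_of_key = [], {}
    for v in parse_vhosts(conf):
        key = v.get("sslcertificatekeyfile")
        if key is None:
            continue  # not a TLS vhost
        name = v.get("servername") or v["addr"]  # fall back to ip:port
        if key.startswith(tuple(user_roots)):
            findings.append(("key-in-user-dir", name, key))
        users_of_key.setdefault(key, []).append(name)
    for key, names in users_of_key.items():
        if len(names) > 1:
            findings.append(("shared-key", ",".join(names), key))
    return sorted(findings)
```

Running `audit()` over the real `httpd.conf` or vhost include files gives a quick list of hosts whose keys should be regenerated or moved to a root-only directory.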

