Koozali.org: home of the SME Server

Multiple SSL certificates

ElFroggio
« on: March 18, 2015, 07:39:10 PM »
Hi,

I have a few domains on the same server. I want to have SSL for all of them. They are to be stored in:

  • ssl.crt
  • ssl.key
  • ssl.pem

Each one has its FQDN, except for:

Code:
/home/e-smith/ssl.crt/chain.pem
Which is located in the ssl.crt and not the ssl.pem

Does this mean that all certificates must come from the same source (in my case RapidSSL)? Or can I also use Comodo's, and then what happens to the chain.pem?

Additional info (that I forgot):

Code:
[root@ethelbert ~]# config show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/ssl.crt/chain.pem            <<<<<<<<<<<<<<<
    CommonName=ethelbert.911networks.com
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/911networks.com.crt
    key=/home/e-smith/ssl.key/911networks.com.key
    status=enabled
[root@ethelbert ~]# grep SSLCertificate /etc/httpd/conf/httpd.conf
SSLCertificateChainFile /home/e-smith/ssl.crt/chain.pem
SSLCertificateFile /home/e-smith/ssl.crt/911networks.com.crt
SSLCertificateKeyFile /home/e-smith/ssl.key/911networks.com.key

Thanks

Syv
« Last Edit: March 18, 2015, 10:07:59 PM by ElFroggio »

janet
Re: Multiple SSL certificates
« Reply #1 on: March 19, 2015, 12:59:17 AM »
Syv

You need to create a certificate with all the FQDNs in it.
If you add a domain then you need to get a new certificate which includes the additional & all existing domains.
Please search before asking, an answer may already exist.
The Search & other links to useful information are at top of Forum.

ElFroggio
Re: Multiple SSL certificates
« Reply #2 on: March 19, 2015, 02:02:20 AM »
> Syv
>
> You need to create a certificate with all the FQDNs in it.
> If you add a domain then you need to get a new certificate which includes the additional & all existing domains.

Yes but what happens to "chain.pem"? This is the chain that links back to the root certificate of the issuer of the certificate. All the others are FQDN.

Thanks

/Syv

CharlieBrady
Re: Multiple SSL certificates [not supported]
« Reply #3 on: March 19, 2015, 04:14:31 PM »
> Yes but what happens to "chain.pem"?

Nothing. You have one certificate, which either needs or doesn't need a chain.pem. You don't need more than one chain.pem, which seems to have been your question.

Note that it is possible in theory to have one cert per domain (and possibly one chain per domain), but not all browsers support it, and there is currently no support in SME server configuration for it. Google for "Server Name Indication".
« Last Edit: March 19, 2015, 04:21:57 PM by CharlieBrady »

ElFroggio
Re: Multiple SSL certificates [not supported]
« Reply #4 on: March 19, 2015, 04:40:52 PM »
> Nothing. You have one certificate, which either needs or doesn't need a chain.pem. You don't need more than one chain.pem, which seems to have been your question.

If I want to use another source, then I would need another chain.pem.

> Note that it is possible in theory to have one cert per domain (and possibly one chain per domain), but not all browsers support it, and there is currently no support in SME server configuration for it. Google for "Server Name Indication".

Thanks for the help, that answers my question, I will stick with the same source.

/Syv

CharlieBrady
Re: Multiple SSL certificates [not supported]
« Reply #5 on: March 20, 2015, 01:16:56 AM »
> If I want to use another source, then I would need another chain.pem.

Not "another one" - meaning one more, but just (perhaps) a different one.

ElFroggio
Re: Multiple SSL certificates [not supported]
« Reply #6 on: March 20, 2015, 01:44:49 AM »
> Not "another one" - meaning one more, but just (perhaps) a different one.

Sorry, what do you mean? I do not understand. The chain.pem has to be in the /home/e-smith/ssl.crt/ directory

or is there a way of specifying a new name for chain.pem?

Thanks

/Syv

janet
Re: Multiple SSL certificates [not supported]
« Reply #7 on: March 20, 2015, 02:13:58 AM »
ElFroggio

I think Charlie means one source, not multiple sources

CharlieBrady
Re: Multiple SSL certificates [not supported]
« Reply #8 on: March 20, 2015, 04:11:46 AM »
> or is there a way of specifying a new name for chain.pem?

I don't know why you would want to specify a new name. Just rename whichever chain file you upload to be called chain.pem.

But anyway, you can set the full path of the chain file via:

Code:
config setprop modSSL CertificateChainFile /path/to/your/chain.file
expand-template /etc/httpd/conf/httpd.conf
sv restart /service/httpd-e-smith
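
A pre-flight check for the two points made in this thread (one certificate has to list every FQDN, and the chain file has to belong to that certificate's issuer), as an added example that is not part of the original posts. The function names and the script name are hypothetical, and it assumes OpenSSL 1.1.0 or newer, so run it on copies of the files if the server's OpenSSL is older.

```shell
#!/bin/sh
# Added example: pre-flight checks for a multi-domain certificate and its chain file.
# Function names are hypothetical; assumes OpenSSL 1.1.0+ on PATH.

# cert_names CERT: print the DNS names in subjectAltName, lowercased, one per line.
cert_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p' | tr 'A-Z' 'a-z'
}

# name_matches PATTERN HOST: exact match, or "*." standing for exactly one label.
name_matches() {
    case $1 in
        '*.'*)
            suffix=${1#\*}                        # e.g. ".shop.example.net"
            label=${2%"$suffix"}                  # what "*" would have to cover
            [ "$label" != "$2" ] || return 1      # HOST does not end in the suffix
            case $label in ''|*.*) return 1 ;; esac ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# missing_names CERT HOST...: print each HOST the certificate does not cover.
missing_names() {
    cert=$1; shift
    for want in "$@"; do
        lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        cert_names "$cert" | (
            while IFS= read -r have; do
                name_matches "$have" "$lc" && exit 0
            done
            exit 1
        ) || echo "$want"
    done
}

# chain_matches_cert CERT CHAIN: succeed if openssl verifies CERT with the
# certificates in CHAIN supplied as CA certificates.
chain_matches_cert() {
    openssl verify -partial_chain -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Usage: sh check-cert.sh CERT CHAIN HOST...
if [ "$#" -ge 3 ]; then
    crt=$1; chain=$2; shift 2
    chain_matches_cert "$crt" "$chain" || echo "chain file does not verify $crt"
    missing_names "$crt" "$@" | sed 's/^/not covered: /'
fi
```

No output means the chain file verifies the certificate and every listed host name is covered; only then is it worth changing the modSSL properties and expanding the httpd.conf template.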