Topic: Multiple SSL certificates

[ElFroggio]

Hi,

I have a few domains on the same server. I want to have SSL for all of them. They are to be stored in:

• ssl.crt
• ssl.key
• ssl.pem

Each one has its FQDN, except for:

Code: [Select]

/home/e-smith/ssl.crt/chain.pem
Which is located in the ssl.crt and not the ssl.pem

Does this mean that all certificates must come from the source (in my case rapidssl)? Or can I also use Comodos and then what happens to the chain.pem?

Additional info (that I forgot):

Code: [Select]

[root@ethelbert ~]# config show modSSL
modSSL=service
    CertificateChainFile=/home/e-smith/ssl.crt/chain.pem            <<<<<<<<<<<<<<<
    CommonName=ethelbert.911networks.com
    TCPPort=443
    access=public
    crt=/home/e-smith/ssl.crt/911networks.com.crt
    key=/home/e-smith/ssl.key/911networks.com.key
    status=enabled
[root@ethelbert ~]# grep SSLCertificate /etc/httpd/conf/httpd.conf
SSLCertificateChainFile /home/e-smith/ssl.crt/chain.pem
SSLCertificateFile /home/e-smith/ssl.crt/911networks.com.crt
SSLCertificateKeyFile /home/e-smith/ssl.key/911networks.com.key

Thanks

Syv

[janet]

Syv

You need to create a certificate with all the FQDN's in it.
If you add a domain then you need to get a new certificate which includes the additional & all existing domains.

[ElFroggio]

Syv

You need to create a certificate with all the FQDN's in it.
If you add a domain then you need to get a new certificate which includes the additional & all existing domains.

Yes but what happens to "chain.pem"? This is the chain that links back to the root certificate of the issuer of the certificate. All the others are FQDN.

Thanks

/Syv

[CharlieBrady]

Yes but what happens to "chain.pem"?

Nothing. You have one certificate, which either needs or doesn't need a chain.pem. You don't need more than one chain.pem, which seems to have been your question.

Note that it is possible in theory to have one cert per domain (and possible one chain per domain), but not all browsers support it, and there is currently no support in SME server configuration for it. Google for "Server Name Indication".

[ElFroggio]

Nothing. You have one certificate, which either needs or doesn't need a chain.pem. You don't need more than one chain.pem, which seems to have been your question.

If I want to use another source, then I would need a another chain.pem.

Note that it is possible in theory to have one cert per domain (and possible one chain per domain), but not all browsers support it, and there is currently no support in SME server configuration for it. Google for "Server Name Indication".

Thanks for the help, that answers my question, I will stick with the same source.

/Syv

[CharlieBrady]

If I want to use another source, then I would need a another chain.pem.

Not "another one" - meaning one more, but just (perhaps) a different one.

[ElFroggio]

Not "another one" - meaning one more, but just (perhaps) a different one.

Sorry, what do you mean? I do not understand. The chain.pem has to be into the /home/e-smith/ssl.crt/ directory

or is there a way of specifying a new name for chain.pem?

Thanks

/Syv

[janet]

ElFroggio

I think Charlie means one source, not multiple sources

[CharlieBrady]

or is there a way of specifying a new name for chain.pem?

I don't know why you would want to specify a new name. Just rename whichever chain file you upload to be called chain.pem.

But anyway, you can set the full path of the chain file via:

Code: [Select]

config setprop modSSL CertificateChainFile /path/to/your/chain.file
expand-template /etc/httpd/conf/httpd.conf
sv restart /service/httpd-e-smith