Topic: 5 replies. Latest post 2012-05-25T20:29:15Z by SystemAdmin
SystemAdmin (3903 Posts)

Pinned topic: Install Two Digital Certificates on same machine by ports 443 and 444

2012-05-22T03:59:47Z
I have one HTTP server with a Verisign digital certificate. This certificate is listening on port 443 and it works fine. Now I want to install a second digital certificate, which listens on port 444.
I put 0.0.0.0:443 with the key store and it works well.
I put 0.0.0.0:444 with the key store and it works well.
However, when accessed by browser, the certificates are mixed, i.e. if I put:
mysite1.com:443, it works well.
But if I put:
mysite2.com:444, it works well, but the certificate is the same as the first site's.
Any idea that could help me solve this configuration?

Thank you very much.
Updated on 2012-05-25T20:29:15Z by SystemAdmin
  • SystemAdmin (3903 Posts)

    Re: Install Two Digital Certificates on same machine by ports 443 and 444

    2012-05-22T13:42:31Z
    You need two <virtualhosts>, *:443 and *:444.

    You then need either 2 KDB files or a KDB file with two personal certificates. Then identify the certificate you want to use in each virtualhost with "SSLServerCert".

    (if you use two KDB files, the default cert can just be used in each vhost and no SSLServerCert is needed)
  • SystemAdmin (3903 Posts)

    Re: Install Two Digital Certificates on same machine by ports 443 and 444

    2012-05-24T01:52:32Z
    You need two <virtualhosts>, *:443 and *:444.

    You then need either 2 KDB files or a KDB file with two personal certificates. Then identify the certificate you want to use in each virtualhost with "SSLServerCert".

    (if you use two KDB files, the default cert can just be used in each vhost and no SSLServerCert is needed)
    I have in my httpd.conf:

    Listen 0.0.0.0:443
    SSLEnable
    KeyFile "D:\IBM\CERTIF\midkey.kdb"
    ## SSLv3 128 bit Ciphers
    SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
    SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

    ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

    ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

    ## Triple DES 168 bit Ciphers
    ## These can still be used, but only if the client does
    ## not support any of the ciphers listed above.
    SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

    ## The following block enables SSLv2. Excluding it in the presence of
    ## the SSLv3 configuration above disables SSLv2 support.

    ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
    #SSLCipherSpec SSL_RC4_128_WITH_MD5
    #SSLCipherSpec SSL_RC4_128_WITH_SHA
    #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

    And you suggest?

    Listen *:443
    <Virtual Host mid.com:443>
    SSLEnable
    KeyFile "D:\IBM\CERT\midkey.kdb"
    ## SSLv3 128 bit Ciphers
    SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
    SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

    ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

    ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

    ## Triple DES 168 bit Ciphers
    ## These can still be used, but only if the client does
    ## not support any of the ciphers listed above.
    SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

    ## The following block enables SSLv2. Excluding it in the presence of
    ## the SSLv3 configuration above disables SSLv2 support.

    ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
    #SSLCipherSpec SSL_RC4_128_WITH_MD5
    #SSLCipherSpec SSL_RC4_128_WITH_SHA
    #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    </VirtualHost>

    Listen *:444
    <Virtual Host ceo.com:443>
    SSLEnable
    KeyFile "D:\IBM\CERT\ceokey.kdb"
    ## SSLv3 128 bit Ciphers
    SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
    SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

    ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

    ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

    ## Triple DES 168 bit Ciphers
    ## These can still be used, but only if the client does
    ## not support any of the ciphers listed above.
    SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

    ## The following block enables SSLv2. Excluding it in the presence of
    ## the SSLv3 configuration above disables SSLv2 support.

    ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
    #SSLCipherSpec SSL_RC4_128_WITH_MD5
    #SSLCipherSpec SSL_RC4_128_WITH_SHA
    #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    </VirtualHost>
  • SystemAdmin (3903 Posts)

    Re: Install Two Digital Certificates on same machine by ports 443 and 444

    2012-05-24T12:03:45Z
    I have in my httpd.conf:

    Listen 0.0.0.0:443
    SSLEnable
    KeyFile "D:\IBM\CERTIF\midkey.kdb"
    ## SSLv3 128 bit Ciphers
    SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
    SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

    ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

    ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

    ## Triple DES 168 bit Ciphers
    ## These can still be used, but only if the client does
    ## not support any of the ciphers listed above.
    SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

    ## The following block enables SSLv2. Excluding it in the presence of
    ## the SSLv3 configuration above disables SSLv2 support.

    ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
    #SSLCipherSpec SSL_RC4_128_WITH_MD5
    #SSLCipherSpec SSL_RC4_128_WITH_SHA
    #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

    and you suggest?

    Listen *:443
    <Virtual Host mid.com:443>
    SSLEnable
    KeyFile "D:\IBM\CERT\midkey.kdb"
    ## SSLv3 128 bit Ciphers
    SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
    SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

    ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

    ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

    ## Triple DES 168 bit Ciphers
    ## These can still be used, but only if the client does
    ## not support any of the ciphers listed above.
    SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

    ## The following block enables SSLv2. Excluding it in the presence of
    ## the SSLv3 configuration above disables SSLv2 support.

    ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
    #SSLCipherSpec SSL_RC4_128_WITH_MD5
    #SSLCipherSpec SSL_RC4_128_WITH_SHA
    #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    </VirtualHost>

    Listen *:444
    <Virtual Host ceo.com:443>
    SSLEnable
    KeyFile "D:\IBM\CERT\ceokey.kdb"
    ## SSLv3 128 bit Ciphers
    SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
    SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

    ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

    ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
    SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

    ## Triple DES 168 bit Ciphers
    ## These can still be used, but only if the client does
    ## not support any of the ciphers listed above.
    SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

    ## The following block enables SSLv2. Excluding it in the presence of
    ## the SSLv3 configuration above disables SSLv2 support.

    ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
    #SSLCipherSpec SSL_RC4_128_WITH_MD5
    #SSLCipherSpec SSL_RC4_128_WITH_SHA
    #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    </VirtualHost>
    • Don't configure SSL outside of the virtual hosts at all, except for LoadModule.
      • This will mean a request that matches no vhost is HTTP.
    • Remove LoadModule from the virtual hosts.
    • Use *:443 and *:444 instead of hostnames in <VirtualHost>.
    • Fix the port in the 2nd virtual host (typo).
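    The httpd.conf shape that follows both the first answer (one KDB holding two personal certificates, selected with SSLServerCert) and the bullets above, as an added example that is not part of the thread. The KDB path, the certificate labels "mid-cert" and "ceo-cert", and the DocumentRoot paths are assumptions; the RC4, MD5 and 3DES SSLCipherSpec lines from the thread are legacy ciphers and are deliberately not carried over.

```apache
# Added example (not the thread's own config): IBM HTTP Server serving a
# different certificate on port 443 and port 444.
# Load mod_ibm_ssl exactly once, at global scope, not inside any vhost.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

Listen *:443
Listen *:444

# No SSLEnable / KeyFile / SSLCipherSpec at global scope: a request that
# matches none of the vhosts below is plain HTTP, which keeps the two
# certificates from being mixed up between ports.

# Assumption: one key database that holds two personal certificates,
# labelled "mid-cert" and "ceo-cert". SSLServerCert picks the label to
# present on this port; with a KDB per vhost the default certificate is
# used and SSLServerCert can be dropped.
<VirtualHost *:443>
    ServerName   mid.com
    DocumentRoot "D:/IBM/HTTPServer/htdocs/mid"
    SSLEnable
    KeyFile       "D:/IBM/CERT/sites.kdb"
    SSLServerCert mid-cert
    SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>

<VirtualHost *:444>
    ServerName   ceo.com
    DocumentRoot "D:/IBM/HTTPServer/htdocs/ceo"
    SSLEnable
    KeyFile       "D:/IBM/CERT/sites.kdb"
    SSLServerCert ceo-cert
    SSLProtocolDisable SSLv2 SSLv3
</VirtualHost>
```

    After a restart, confirm each port with a browser or an SSL client that the subject of the certificate on 444 is ceo.com and not mid.com; that is exactly the symptom the original post describes.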
  • SystemAdmin (3903 Posts)

    Re: Install Two Digital Certificates on same machine by ports 443 and 444

    2012-05-25T20:28:21Z
    • Don't configure SSL outside of the virtual hosts at all, except for LoadModule.
      • This will mean a request that matches no vhost is HTTP.
    • Remove LoadModule from the virtual hosts.
    • Use *:443 and *:444 instead of hostnames in <VirtualHost>.
    • Fix the port in the 2nd virtual host (typo).
    I solved it with this VirtualHost:

    # mod_ibm_ssl loaded once, at global scope (the same LoadModule after each
    # VirtualHost only makes Apache report the module as already loaded)
    LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

    Listen 443
    Listen 444
    NameVirtualHost 172.18.22.41:443
    NameVirtualHost 172.18.22.41:444

    <VirtualHost 172.18.22.41:443>
    DocumentRoot /IBM/HttpServer/htdocs/en_US
    SSLEnable
    Keyfile "D:/qa2/e24bey.kdb"
    </VirtualHost>

    <VirtualHost 172.18.22.41:444>
    DocumentRoot /IBM/HttpServer/htdocs/en_US
    SSLEnable
    Keyfile "D:/certificadoqa/movil.kdb"
    </VirtualHost>

    This works fine.

    Thanks a lot.
  • SystemAdmin (3903 Posts)

    Re: Install Two Digital Certificates on same machine by ports 443 and 444

    2012-05-25T20:29:15Z
    I solved this question.