5 replies Latest Post - ‏2012-05-25T20:29:15Z by SystemAdmin
SystemAdmin

Pinned topic Install Two Digital Certificate on same machine by ports 443 and 444

‏2012-05-22T03:59:47Z |
I have one HTTP server with a Verisign digital certificate. This certificate is listening on port 443 and it works fine. Now I want to install a second digital certificate, which listens on port 444.
I put 0.0.0.0:443 with the keystore and it works well.
I put 0.0.0.0:444 with the keystore and it works well.
However, when accessed by browser, the certificates are mixed, i.e. if I put:
mysite1.com:443, it works well
But if I put:
mysite2.com:444, it works well, but the certificate is the same as the first site.
Any idea to help me solve this configuration?

Thank you very much.
Updated on 2012-05-25T20:29:15Z by SystemAdmin
  • SystemAdmin

    ‏2012-05-22T13:42:31Z  in response to SystemAdmin
    You need two <virtualhosts>, *:443 and *:444.

    You then need either 2 KDB files or a KDB file with two personal certificates. Then identify the certificate you want to use in each virtualhost with "SSLServerCert".

    (if you use two KDB files, the default cert can just be used in each vhost and no SSLServerCert is needed)
    • SystemAdmin

      ‏2012-05-24T01:52:32Z  in response to SystemAdmin
      I have in my httpd.conf:

      Listen 0.0.0.0:443
      SSLEnable
      KeyFile "D:\IBM\CERTIF\midkey.kdb"
      ## SSLv3 128 bit Ciphers
      SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
      SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

      ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
      SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

      ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
      SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

      ## Triple DES 168 bit Ciphers
      ## These can still be used, but only if the client does
      ## not support any of the ciphers listed above.
      SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

      ## The following block enables SSLv2. Excluding it in the presence of
      ## the SSLv3 configuration above disables SSLv2 support.

      ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
      #SSLCipherSpec SSL_RC4_128_WITH_MD5
      #SSLCipherSpec SSL_RC4_128_WITH_SHA
      #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

      and you suggest?

      Listen *:443
      <Virtual Host mid.com:443>
      SSLEnable
      KeyFile "D:\IBM\CERT\midkey.kdb"
      ## SSLv3 128 bit Ciphers
      SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
      SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

      ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
      SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

      ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
      SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

      ## Triple DES 168 bit Ciphers
      ## These can still be used, but only if the client does
      ## not support any of the ciphers listed above.
      SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

      ## The following block enables SSLv2. Excluding it in the presence of
      ## the SSLv3 configuration above disables SSLv2 support.

      ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
      #SSLCipherSpec SSL_RC4_128_WITH_MD5
      #SSLCipherSpec SSL_RC4_128_WITH_SHA
      #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      </VirtualHost>

      Listen *:444
      <Virtual Host ceo.com:443>
      SSLEnable
      KeyFile "D:\IBM\CERT\ceokey.kdb"
      ## SSLv3 128 bit Ciphers
      SSLCipherSpec SSL_RSA_WITH_RC4_128_MD5
      SSLCipherSpec SSL_RSA_WITH_RC4_128_SHA

      ## FIPS approved SSLV3 and TLSv1 128 bit AES Cipher
      SSLCipherSpec TLS_RSA_WITH_AES_128_CBC_SHA

      ## FIPS approved SSLV3 and TLSv1 256 bit AES Cipher
      SSLCipherSpec TLS_RSA_WITH_AES_256_CBC_SHA

      ## Triple DES 168 bit Ciphers
      ## These can still be used, but only if the client does
      ## not support any of the ciphers listed above.
      SSLCipherSpec SSL_RSA_WITH_3DES_EDE_CBC_SHA

      ## The following block enables SSLv2. Excluding it in the presence of
      ## the SSLv3 configuration above disables SSLv2 support.

      ## Uncomment to enable SSLv2 (with 128 bit Ciphers)
      #SSLCipherSpec SSL_RC4_128_WITH_MD5
      #SSLCipherSpec SSL_RC4_128_WITH_SHA
      #SSLCipherSpec SSL_DES_192_EDE3_CBC_WITH_MD5
      LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
      </VirtualHost>
      • SystemAdmin

        ‏2012-05-24T12:03:45Z  in response to SystemAdmin
        • don't configure SSL outside of the virtualhosts at all, except for loadmodule
          • this will mean a request that matches no VHOST is http.
        • remove loadmodule from virtual hosts
        • use *:443 and *:444 instead of hostnames in <VirtualHost>
        • fix the port in 2nd virtualhost (typo)
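
The fixes listed in the reply above, applied to the single-KDB option from the first reply, as an added example that is not part of the thread or of IBM's documentation. The host names and ports come from the thread; the keystore file name `combined.kdb` and the certificate labels `mid-cert` and `ceo-cert` are assumptions.

```apache
# Added example (not from the thread). The keystore file name and the
# certificate labels "mid-cert" / "ceo-cert" are hypothetical.

# Load the SSL module once, at server level, never inside a <VirtualHost>.
LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

# One listener per port.
Listen 443
Listen 444

# No SSLEnable or KeyFile at server level: SSL is configured only inside
# the virtual hosts, so a request that matches neither block is plain HTTP.

# Port 443 -> first certificate.
<VirtualHost *:443>
    ServerName mid.com
    SSLEnable
    # One KDB file holding both personal certificates.
    KeyFile "D:/IBM/CERT/combined.kdb"
    # Select the certificate for this port by its label in the KDB.
    SSLServerCert mid-cert
    # Any SSLCipherSpec lines that are kept go here, inside the block.
</VirtualHost>

# Port 444 -> second certificate (note the port matches the Listen line).
<VirtualHost *:444>
    ServerName ceo.com
    SSLEnable
    KeyFile "D:/IBM/CERT/combined.kdb"
    SSLServerCert ceo-cert
</VirtualHost>

# Two-KDB variant from the first reply: point each KeyFile at its own KDB
# and drop SSLServerCert, so each virtual host serves its KDB's default
# certificate.
```

Connecting to each port with `openssl s_client -connect <host>:<port>` and comparing the certificate subjects confirms that the two ports no longer present the same certificate.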
        • SystemAdmin

          ‏2012-05-25T20:28:21Z  in response to SystemAdmin
          I solved it with this VirtualHost:

          Listen 443
          Listen 444
          NameVirtualHost 172.18.22.41:443
          NameVirtualHost 172.18.22.41:444

          <VirtualHost 172.18.22.41:443>
          DocumentRoot /IBM/HttpServer/htdocs/en_US
          SSLEnable
          Keyfile "D:/qa2/e24bey.kdb"
          </VirtualHost>
          LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

          <VirtualHost 172.18.22.41:444>
          DocumentRoot /IBM/HttpServer/htdocs/en_US
          SSLEnable
          Keyfile "D:/certificadoqa/movil.kdb"
          </VirtualHost>
          LoadModule ibm_ssl_module modules/mod_ibm_ssl.so

          This works fine.

          Thanks a lot.
  • SystemAdmin

    ‏2012-05-25T20:29:15Z  in response to SystemAdmin
    I solved this question.