[opensuse] Multiple certificates for a single apache SSL vhost?
Hello everybody,

is it possible to install multiple SSL certificates for a single apache vhost? I am not talking about multiple vhosts on a single IP address. Instead, I'd like to use multiple certificates for a single vhost.

Background: My root certificate is about to expire. Therefore, I'd like to create a new CA. I'd like the server to offer the old certificate (signed by the old CA) to the clients that don't have the new root certificate yet. The clients who have (possibly only) the new root certificate should get the certificate signed by the new CA.

Is this possible? If it is not possible: what would be the usual way to switch a server to a new CA?

--
Josef Wolf jw@raven.inka.de
On 05/03/2014 06:50 PM, Josef Wolf wrote:
is it possible to install multiple SSL certificates for a single apache vhost?
No, you can only use 1 SSL cert per listening port per IP. It's used for the initial SSL handshake between the client, i.e., the client couldn't choose which certificate to use. Therefore, you can either use a different port or IP, or just use the new certificate.

What's the point with using a different root CA?

Have a nice day,
Berny
On Sat, May 03, 2014 at 09:26:47 +0200, Bernhard Voelker wrote:
On 05/03/2014 06:50 PM, Josef Wolf wrote:
is it possible to install multiple SSL certificates for a single apache vhost?
No, you can only use 1 SSL cert per listening port per IP.
That's very unfortunate.
It's used for the initial SSL handshake between the client, i.e., the client couldn't choose which certificate to use.
Why not send both?
What's the point with using a different root CA?
The old one is signed with an algorithm which is no longer considered secure.

So what would be the usual procedure to replace a CA?

--
Josef Wolf jw@raven.inka.de
On 03/05/14 17:43, Josef Wolf wrote:
The old one is signed with an algorithm which is no longer considered secure.
So what would be the usual procedure to replace a CA?
- You deploy the CA certificate first, usually weeks, months or years in advance, depending on your needs.
- You issue certificates with this new CA.
- You revoke the old certificates.

--
Cristian
"I don't know the key to success, but the key to failure is trying to please everybody."
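
Added example, not part of the original thread: a throwaway OpenSSL run of the first two steps above, showing that a client holding only the old root rejects a server certificate from the new CA, while a client that already received the new root accepts both. The CA names, the host name `www.example.test`, the file names and the temp directory are all constructed for the demo; revocation is not shown.

```sh
#!/bin/sh
# Constructed CA rollover demo: throwaway keys in a temp dir, made-up names.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

make_ca() {        # make_ca <name>: self-signed root certificate
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -config "$WORK/ca.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

issue_server() {   # issue_server <ca> <name>: leaf cert for the one vhost
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=www.example.test" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -sha256 -days 30 \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

trusts() {         # trusts <store> <cert>: "yes" if the chain validates
    if openssl verify -CAfile "$WORK/client-$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
    then echo yes; else echo no; fi
}

make_ca old-root; make_ca new-root
issue_server old-root srv-old
issue_server new-root srv-new

# Trust stores: before step 1 (old root only) and after step 1 (both roots).
cp "$WORK/old-root.pem" "$WORK/client-before.pem"
cat "$WORK/old-root.pem" "$WORK/new-root.pem" > "$WORK/client-during.pem"

for store in before during; do
    for cert in srv-old srv-new; do
        echo "client-$store trusts $cert: $(trusts "$store" "$cert")"
    done
done
```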
participants (3)
- Bernhard Voelker
- Cristian Rodríguez
- Josef Wolf