Monday, July 22, 2013

Multi Domain Certificates

Multi domain certificates allow you to specify one domain as primary and include several other domains as subject alternatives. This means that the csr and key will be generated for the first domain but the key and certificate can be used on multiple domains. A wildcard certificate only allows the certificate to be used on the same domain with different subdomains.

Companies that support multidomain certificates.


Friday, January 18, 2013

Site Navigation

Installing wildcard cert for new subdomain

Working with MultiDomain Certs

Installing wildcard cert for new subdomain

Depending on your version of apache and your method of install your files may live in different locations. By default in RH4 your apache configuration files will live in /etc/httpd/conf and /etc/http/conf.d.


1. Back Up your ssl.conf file.
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.`date +%F`
cp /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.working

2. Copy cert file into
cd /etc/tls/pki/certs
vi domain.crt

Copy the cert data into this file

3. Copy the key file from directory it was created in into the private keys directory
cp ~/.<domain>.key /etc/pki/tls/private/

4.Copy the cert intermediate chain into the cert directory
cd /etc/tls/pki/certs
vi <company-chain>.crt

Copy the intermediate chain cert to this file.

5. Add a listen directive to listen to the virtual hosts ip.

vi /etc/httpd/conf.d/ssl.conf.working

Listen <virtualip>:443

6. Add a new virtual host bucket to your ssl.conf

vi /etc/httpd/conf.d/ssl.conf.working

<VirtualHost <virtualip>:443>
DocumentRoot "/var/www/html/<domain>"
ServerName <domain>:443
SSLCertificateChainFile /etc/pki/tls/certs/<company-chain>.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCertificateFile /etc/pki/tls/certs/<domain>.crt
SSLCertificateKeyFile /etc/pki/tls/private/<domain>.key
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

7. Copy the working ssl.conf file over the current ssl file
cp /etc/httpd/conf.d/ssl.conf.working /etc/httpd/conf.d/ssl.conf

8. Restart the web server
service httpd restart

9. Rollback if errors occur
review error message
/etc/httpd/conf.d/ssl.conf.`date +%F` /etc/httpd/conf.d/ssl.conf

service httpd restart