[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: SSL certs

>-----Original Message-----
>From: Chris Francy [mailto:bluewizard83-lah5phee@yahoo.com]
>Sent: Wednesday, October 26, 2005 12:59 PM
>To: 'John Goerzen', debian-isp@lists.debian.org
>Subject: Re: SSL certs
>> ... 
>> My questions are:
>> 1. Who is a reputable SSL certificate authority, that is recognized
>>    automatically by all modern browsers?  
>I have been using geotrust.com and have had no problems with them.
>For just serving pages through https I would guess their 'quickssl'
>will probably be enough.
>> 2. We will have several different hosts, and thus different
>> hostnames,
>>    running secure sites.  Do we need to purchase a certificate for
>>    each, or can we purchase a single certificate and use it to sign
>>    the certs for the different hosts?
>Unless you pay big bucks you usually don't get a cert that allowes you
>to sign other certs.  Usually you need to purchase a certificate per

The certs that are "Wildcard" certs (.domain.tld) are for as many sites on a "Single Server", not for multiple servers. I used geocert for my last one and it's not the cheapest but worked fine.


>> 3. Are there any resources out there on using commercial certs with
>>    Debian?  Any CAs that cater specifically to Debian?
>I am not aware of anything.  Not sure what web server you are using but
>most things in the apache docs apply directly.
>Since will have multiple names/certificates watch out for this.  You
>can only have one certificate per ip address+port.  You will not be
>able to use certificates with name-based virtual hosts.  Name-based
>virtual hosts cannot work because the SSL negotiation happesn before
>the web server knows what the name is.  This gave me a headache for a
>day before I re-read the docs and figured this out.
>That is my $0.02
>To UNSUBSCRIBE, email to debian-isp-REQUEST@lists.debian.org
>with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: