A better approach to security

[Ian G <iang AT cacert.org>]

On 20/09/10 4:45 PM, Markus Warg wrote:
> Hi Phil,
>
> you can only have one SSL host per IP, unless you use TLS-SNI with your
> Apache installation. This is no restriction of CAcert, but rather of the
> https protocol.

Also see:

https://wiki.cacert.org/VhostTaskForce has long notes.

https://wiki.cacert.org/CSRGenerator

The best bet is TLS-SNI.  To use that you probably have to hunt around 
for a verion of Linux and/or httpd that has it included.  It's not 
widespread as yet.

iang



> Am 18.09.2010 13:30, schrieb Philip Rhoades:
> > People,
> >
> > I have finally got back to this - I have followed this introduction:
> >
> > http://www.vanemery.com/Linux/Apache/apache-SSL.html
> >
> > and created these files (ie a self signed certificate):
> >
> > mars-server.crt
> > mars-server.csr
> > mars-server.key
> > my-ca.crt
> > my-ca.key
> > my-ca.srl
> >
> > and installed these:
> >
> > /etc/httpd/conf/ssl.crt/mars-server.crt
> > /etc/httpd/conf/ssl.crt/my-ca.crt
> > /etc/httpd/conf/ssl.key/mars-server.key
> >
> > and this seems to be working happily.  I have now created:
> >
> > CAcert_www.pricom.com.au.crt
> >
> > (I have a number of domains on the same IP) using the same csr as before.
> >
> > Can I simply replace:
> >
> >      /etc/httpd/conf/ssl.crt/mars-server.crt
> >
> > with:
> >
> >      CAcert_www.pricom.com.au.crt
> >
> > ?
> >
> > Thanks,
> >
> > Phil.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature