3

I want to protect the login form of my blog application with an SSL certificate and I'd also like to have some subdomains set up for things like the Mint web stats package. Is this even possible using a non-wildcard certificate, e.g. the GoDaddy "Turbo" one that costs about $20? I don't really want to fork out for the cost of a wildcard certificate.

To be clear, the only place where I want to use SSL is within the main blog application and not on any of the subdomains. I think I read somewhere that you can't do this because if you're using SSL the Apache virtual hosts have to be configured to use IP addresses. I'd like to get a definitive answer on this.

Thanks.

John Topley

2 Answers

6

The main limitation is that with one IP address you can have one SSL certificate.

Since you only want SSL on the blog, there's no problem with the setup you've proposed; just make it the only virtualhost listening on 443.

# Virtualhosts on ports 80 and 443
NameVirtualHost *:80
NameVirtualHost *:443

# rewrite blog traffic to https
<VirtualHost *:80>
        ServerName blog.example.com
        DocumentRoot /var/www/blog
        RewriteEngine On
        # in VirtualHost context the matched path keeps its leading slash,
        # so capture after the slash to avoid a doubled "//" in the target
        RewriteRule ^/(.*)$ https://blog.example.com/$1 [R,L]
</VirtualHost>

# the only virtualhost on 443, so it receives all https traffic for this IP
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/server.crt
        SSLCertificateKeyFile /etc/apache2/ssl/server.key
        ServerName blog.example.com
        DocumentRoot /var/www/blog
</VirtualHost>

# plain http only for the other subdomains
<VirtualHost *:80>
        ServerName othersite.example.com
        DocumentRoot /var/www/other/
</VirtualHost>

The slight limitation here is that the blog will catch all https traffic, regardless of hostname, so https://othersite.example.com will point to the blog and generate errors because the name doesn't match the certificate, but there's no way around that with one IP address.

theotherreceive
  • If you can get a second IP address for the subdomains you even get around that one little problem, and it doesn't need to have a cert at all, because there is nothing to secure. – Catherine MacInnes Sep 06 '09 at 13:55
0

Last time I set up a client with SSL we chose the DigiCert Unified Communications Certificate. They needed Exchange and SharePoint servers online with SSL that were running on two servers. So we were able to register each server with both external and internal names. The nice thing I liked about the DigiCert UCC was that we could quickly and easily make changes to the certificate (i.e. add more names to the certificate).

Duey
  • +1 The DigiCert Unified Communications certificate isn't just for Exchange servers, and is an ideal cert to use in a situation like this. It utilizes the Subject Alternative Name (SAN) field to specify multiple host names associated with the single certificate. You get up to four names for the base price (break-even cost is met with the third name over individual certs for each host name). Additional names can be added at any time for low incremental cost, and you can use the cert on multiple hosts without additional license fees (most CAs require you to license a cert separately on each host). – jnaab Sep 11 '09 at 06:06
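As an added example (not code from either answer or the commenters), this Python script applies the browser hostname-matching rules this thread relies on to the three certificate types discussed above: a single-name cert like the one in the question, a wildcard, and a multi-name SAN/UCC certificate. The hostnames are constructed; because one IP with one certificate sends every HTTPS request to the same vhost, the mismatches it lists are exactly the names that would raise a certificate warning.

```python
"""Which hostnames on a single-IP Apache box would fail certificate name
checks, for a single-name, a wildcard and a SAN (UCC) certificate.
Added example with constructed names; not the thread's own code."""


def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (CN or dNSName SAN) covers hostname.

    Rules as browsers apply them (RFC 6125 s6.4.3): case-insensitive;
    a wildcard must be the whole leftmost label and matches exactly one
    label, so *.example.com covers blog.example.com but neither
    example.com nor a.b.example.com; "*.com" style names are rejected.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                      # wildcard spans one label only
    if "*" in p_labels[1:]:
        return False                      # wildcard only in leftmost label
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False                      # refuse "*.com" / "*.co" style
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_covers(cert_names, hostname: str) -> bool:
    """True if any name on the certificate matches hostname."""
    return any(name_matches(n, hostname) for n in cert_names)


def mismatched_hosts(cert_names, vhost_names):
    """Hostnames that reach the single :443 vhost but are not on the cert.
    With one IP and one certificate every HTTPS request lands on the same
    vhost whatever the Host header, so each of these shows a name error."""
    return [h for h in vhost_names if not cert_covers(cert_names, h)]


# Constructed hostnames standing in for the blog and a stats subdomain.
SITES = ["blog.example.com", "stats.example.com", "example.com"]
SINGLE_NAME_CERT = ["blog.example.com"]   # one-name cert as in the question
WILDCARD_CERT = ["*.example.com"]         # wildcard certificate
SAN_CERT = ["blog.example.com", "stats.example.com", "example.com"]  # UCC

if __name__ == "__main__":
    for label, names in (("single", SINGLE_NAME_CERT),
                         ("wildcard", WILDCARD_CERT), ("SAN", SAN_CERT)):
        print(f"{label:8s} cert -> mismatches: {mismatched_hosts(names, SITES)}")
```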