首页 文章

为Apache SSL使用多个CA证书

提问于
浏览
-1

我有两个虚拟主机,并使用两个证书 . 虽然未在以下httpd.conf文件中指出,但我使用* .example.com以及* .sites.example.com,因此需要两个证书 . 访问https://bla.sites.example.com/时,浏览器显示以下警告:

bla.sites.example.com uses an invalid security certificate.
The certificate is only valid for the following names: *.example.com, example.com
(Error code: ssl_error_bad_cert_domain)

如果我删除了第一个重定向到www.example.com的VirtualHost,我就不会收到警告 .

为什么会这样,我应该如何为不同的VirtualHosts使用多个CA证书?

<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
    #Following certificate is good for example.com and *.example.com
    SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
    RewriteEngine on
    RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com
    ServerAlias *.sites.example.com
    ErrorDocument 404 /error-404.html
    DocumentRoot /var/www/example/html_sites
    SSLEngine on
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
    #Following certificate is good for example.com, sites.example.com and *.sites.example.com
    SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
    <Directory "/var/www/example/html_sites">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>

请注意,我在/etc/httpd/conf.d/ssl.conf中有以下设置:

#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCACertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
apache ssl https certificate ca

1 回答

  • 0

    您的VHOST设置不正确 . 你们两个都指向 ServerName example.com

    它们都应该具有不同的特定 ServerName 和不同的文档根 . 然后apache将知道将请求发送到正确的vhost的位置,您将不会收到该错误 .

    You can see more configuration help here. Multiple Certs using SNI

    由于它们是两种不同的证书,因此您的虚拟主机看起来应该是这样的 .

    <VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example/html_sites
    SSLEngine on
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
    #Following certificate is good for example.com and *.example.com
    SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
    <Directory "/var/www/example/html_sites">
        ErrorDocument 404 /error-404.html
        allow from all
        Options +Indexes
        RewriteEngine on
        RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName bla.sites.example.com
    ServerAlias *.sites.example.com
    DocumentRoot /var/www/example2/html_sites
    SSLEngine on
    SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
    SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
    #Following certificate is good for example.com, sites.example.com and *.sites.example.com
    SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
    SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
    <Directory "/var/www/example2/html_sites">
        allow from all
        Options +Indexes
    </Directory>
</VirtualHost>

    还要记住在进行更改时重新启动apache .

    回复于

相关问题