为 Apache SSL 使用多个 CA 证书
Using multiple CA certificates for Apache SSL
我有两个虚拟主机,使用两个证书。虽然以下 httpd.conf 文件未指明,但我正在使用 *.example.com 以及 *.sites.example.com,因此需要这两个证书。访问https://bla.sites.example.com/时,浏览器显示如下警告:
bla.sites.example.com uses an invalid security certificate.
The certificate is only valid for the following names: *.example.com, example.com
(Error code: ssl_error_bad_cert_domain)
如果我删除重定向到 www.example.com 的第一个 VirtualHost,我不会收到警告。
这是为什么,我应该如何为不同的 VirtualHosts 使用多个 CA 证书?
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
RewriteEngine on
RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias *.sites.example.com
ErrorDocument 404 /error-404.html
DocumentRoot /var/www/example/html_sites
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com, sites.example.com and *.sites.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
<Directory "/var/www/example/html_sites">
allow from all
Options +Indexes
</Directory>
</VirtualHost>
注意我在/etc/httpd/conf.d/ssl.conf中有如下设置:
#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCACertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
您的 VHOST 设置不正确。你们都指向 ServerName example.com
它们都应该具有不同的特定 ServerName 和不同的文档根目录。然后 apache 将知道将请求发送到正确的虚拟主机的位置,并且您不会收到该错误。
您可以在此处查看更多配置帮助。 Multiple Certs using SNI
因为它们是两个不同的证书,您的虚拟主机应该看起来像这样。
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example/html_sites
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
<Directory "/var/www/example/html_sites">
ErrorDocument 404 /error-404.html
allow from all
Options +Indexes
RewriteEngine on
RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName bla.sites.example.com
ServerAlias *.sites.example.com
DocumentRoot /var/www/example2/html_sites
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com, sites.example.com and *.sites.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
<Directory "/var/www/example2/html_sites">
allow from all
Options +Indexes
</Directory>
</VirtualHost>
还要记得在进行更改时重新启动 apache。
我有两个虚拟主机,使用两个证书。虽然以下 httpd.conf 文件未指明,但我正在使用 *.example.com 以及 *.sites.example.com,因此需要这两个证书。访问https://bla.sites.example.com/时,浏览器显示如下警告:
bla.sites.example.com uses an invalid security certificate.
The certificate is only valid for the following names: *.example.com, example.com
(Error code: ssl_error_bad_cert_domain)
如果我删除重定向到 www.example.com 的第一个 VirtualHost,我不会收到警告。
这是为什么,我应该如何为不同的 VirtualHosts 使用多个 CA 证书?
<VirtualHost *:443>
ServerName example.com
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
RewriteEngine on
RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
</VirtualHost>
<VirtualHost *:443>
ServerName example.com
ServerAlias *.sites.example.com
ErrorDocument 404 /error-404.html
DocumentRoot /var/www/example/html_sites
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com, sites.example.com and *.sites.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
<Directory "/var/www/example/html_sites">
allow from all
Options +Indexes
</Directory>
</VirtualHost>
注意我在/etc/httpd/conf.d/ssl.conf中有如下设置:
#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCACertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
您的 VHOST 设置不正确。你们都指向 ServerName example.com
它们都应该具有不同的特定 ServerName 和不同的文档根目录。然后 apache 将知道将请求发送到正确的虚拟主机的位置,并且您不会收到该错误。
您可以在此处查看更多配置帮助。 Multiple Certs using SNI
因为它们是两个不同的证书,您的虚拟主机应该看起来像这样。
<VirtualHost *:443>
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/example/html_sites
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com and *.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
<Directory "/var/www/example/html_sites">
ErrorDocument 404 /error-404.html
allow from all
Options +Indexes
RewriteEngine on
RewriteRule .* https://www.example.com%{REQUEST_URI} [NE,R,L]
</Directory>
</VirtualHost>
<VirtualHost *:443>
ServerName bla.sites.example.com
ServerAlias *.sites.example.com
DocumentRoot /var/www/example2/html_sites
SSLEngine on
SSLCipherSuite SSLv3:TLSv1:+HIGH:!SSLv2:!MD5:!MEDIUM:!LOW:!EXP:!ADH:!eNULL:!aNULL
SSLCertificateKeyFile /etc/pki/tls/private/example_key.pem
#Following certificate is good for example.com, sites.example.com and *.sites.example.com
SSLCertificateFile /etc/pki/tls/certs/example_startssl_sites_class2.crt
SSLCertificateChainFile /etc/pki/tls/certs/sub.class2.server.ca.pem
<Directory "/var/www/example2/html_sites">
allow from all
Options +Indexes
</Directory>
</VirtualHost>
还要记得在进行更改时重新启动 apache。