[Talk] moving ssl site to new box/IP
Larry Kagan
talk@flux.org
Tue, 14 Nov 2006 13:02:09 -0500
Also on this note. I've always wondered why it was required to have a
separate IP for each domain that needs ssl instead of using name-based
virtual hosting.
I've never seen this documented anywhere but I assume it's because
name-based virtual hosting is based on HTTP 1.1 where a 'host' header is sent
to the server. If the header is encrypted before transmission and certs
are different for each virtual host, there is no way the server process
knows which host to ask for the cert to decrypt it ... so it could know
which host to send the request to. Kind of a catch-22.
Am I right about this? Any thoughts?
Larry
On Tue, 2006-11-14 at 11:29 -0500, Carl C. wrote:
> ----- Original Message -----
> > From: Larry Kagan
> >
> > I'm moving an ssl web site to another machine with another IP. Do I
> > need to bother getting another cert? I can't think of a reason why I
> > would but maybe one of you can.
>
> Assuming Apache and OpenSSL, check in your httpd.conf file, you will
> see you use:
>
> SSLCertificateFile /path/to/file/something.crt
> SSLCertificateKeyFile /path/to/file/something.key
>
> something.crt <= crt file
> something.key <= key file used to create the crt file.
>
> Those are required to move the SSL cert to a new server. IP address does
> not matter, just those 2 files...
>
> Now, the trick is to go find the .csr file that was used to create your .crt file,
> why? Because when you go to renew, you will need the .csr file and if you
> use the old one, it's much faster/easier to renew.
>
> If needed, contact me off list, I sell SSL certs.
> Carl
> http://www.carlc.com/
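
A check worth running on the new box after copying the two files named in the quoted reply, as an added example that is not part of the original thread: it confirms that the certificate and the private key belong together before Apache is pointed at them. The function names and the throwaway `example.test` pair are assumptions constructed for the demo; it needs the `openssl` command line tool.

```shell
#!/bin/sh
# Added example: verify that a certificate and a private key are a pair
# before setting SSLCertificateFile / SSLCertificateKeyFile on the new server.

# cert_matches_key CRT KEY
# Returns 0 if the public key derived from KEY equals the public key embedded
# in CRT, 1 if they differ, 2 if either file cannot be read or parsed.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# make_sample_pair DIR
# Constructed test data only: a self-signed certificate with its key
# (something.crt / something.key) plus an unrelated key (other.key).
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/something.key" -out "$1/something.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# demo: run the check against the constructed files and report each result.
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_pair "$dir" || { rm -rf "$dir"; return 1; }
    if cert_matches_key "$dir/something.crt" "$dir/something.key"; then
        echo "something.crt and something.key match"
    fi
    if ! cert_matches_key "$dir/something.crt" "$dir/other.key"; then
        echo "something.crt and other.key do NOT match"
    fi
    rm -rf "$dir"
}

demo
```

Comparing public keys rather than RSA moduli keeps the check valid for non-RSA keys as well.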