Multiple IP on same NIC, and EV SSL Cert

Discussion in 'Installation/Configuration' started by MisterVlad, Sep 14, 2007.

  1. MisterVlad

    MisterVlad New Member

    OK, I saw a post similar to this, but I need some clarification.

    I was told that to get an EV SSL cert, they are based on an IP address, and that it will only cover 1 URL on that IP.

    So, for my question: is it possible to set up multiple IP addresses on a single NIC, and then set up the EV SSL cert for that one URL/IP, for multiple IPs?

    So in essence, I would have, say, 10 EV certs on my server, and the server would then have 11 IP addresses? (This is just an example.)

    Is this possible? And if so, can you maybe point me in the right direction on how to go and configure this?

    Thanks in advance!

  2. chuckl

    chuckl New Member

    As a general rule, if you are using SSL on a website you need an IP address per SSL cert/SSL site. It is not a limitation of the certificate per se, but is a limitation/feature of SSL.

    The more serious problem is usually that home routers can only route ports to one IP or one DMZ host, so in order to implement your solution you would need a more upmarket router, or a carefully set up proxy in front of the web server, which brings in a whole new set of problems, not least of which is that the proxy needs SSL as well.

    Setting up multiple IPs on a single NIC is not difficult, but differs slightly from distro to distro, so your OS would be useful to know.

  3. MisterVlad

    MisterVlad New Member

    I have a dedicated server that I manage in a data center, so they have all that set up there. My server is unmanaged, so I use SSH to maintain it, and it is up and running fine.

    The OS is Debian 4.0 Etch, based on the install that I d/l from here, with a few tweaks and such.

    When I leased the server, for some reason I asked for 2 IP addresses. I don't know why I did that at the time, but anyway, I have the second IP that is not in use. So when the question came up to me about getting an SSL for a client, I looked into it and found out that it was an IP-based SSL, so then I remembered that I had that other IP address, and I was looking at how to implement it onto my existing server.

    I hope that clarifies that a little more, being that it is not a home based server, it is in a data center at a remote location.

  4. chuckl

    chuckl New Member

    That certainly makes it a bit easier for you. On Debian/Ubuntu installs, you simply edit /etc/network/interfaces and add aliases, or use ifconfig to add them. The aliases are the network interface with a :0 or :1 etc. added: eth0:0, eth1:1

    /usr/sbin/ifconfig eth0:0 <first-extra-ip> netmask <netmask> up
    /usr/sbin/ifconfig eth0:1 <second-extra-ip> netmask <netmask> up

    and so on (the IP and netmask shown are placeholders for your own values). If you add one and examine /etc/network/interfaces, you should see the changes.

    You will of course need to assign each website to an IP, change the listen address configuration for Apache, and set up the SSL on each one. DNS will have to point to the correct IP for each website as well.

  5. MisterVlad

    MisterVlad New Member

    Thanks! But I do have one more question: will Apache listen on 2 IPs? I haven't looked at the conf file for a while, so I can't think off the top of my head, and to save my hair and a headache, I thought I would ask here ;)

    I use ZoneEdit to manage my DNS, so I can point any URL to any IP pretty easily, even subdomains to different IPs. (Not that you probably don't already know that.)

    Will it be difficult to handle the SSL within the same Apache server, even if, like in my example, I use 10 different IP addresses?

    Just putting it out there, it is Friday and I am tired ;)

  6. MisterVlad

    MisterVlad New Member

    So here is what I do right now with my self-signed SSL cert. I have a separate ssl_enabled directory in the apache2 directory, and I have this listed as the entry for the SSL:
    <VirtualHost *:443>
    	ServerAdmin [email protected]
    	SSLEngine on
    	SSLCertificateFile /path/to/sslcert/certname.pem
    	DocumentRoot /path/to/resold/
    	<Directory "/path/to/resold/">
    		Options Indexes FollowSymLinks MultiViews
    		AllowOverride None
    		Order allow,deny
    		allow from all
    	</Directory>
    	ErrorLog /path/to/logs/apache2/ssl.subdomain.domainname.com_error.log
    	# Possible values include: debug, info, notice, warn, error, crit,
    	# alert, emerg.
    	LogLevel warn
    	CustomLog /path/to/logs/ssl.subdomain.domainname.com_access.log combined
    	ServerSignature On
    </VirtualHost>
    And in my apache.conf file (at the bottom) I do:
    NameVirtualHost *:80
    # Include the virtual host configurations:
    Include /path/to/sites-enabled/
    NameVirtualHost *:443
    # Include the virtual host configurations for ssl:
    Include /path/to/ssl-enabled/
    I am sure that there is another, better way to do this, but that is what I researched and came up with.

    If there are multiple subdomains that the customer asks to have on SSL, I just copy and paste and change the subdomain info.

    I hope that is accurate?

    And would I just change the *:443 and the *:80 to reflect the actual IP address that I am setting it to?

    Last edited: Sep 14, 2007

  7. chuckl

    chuckl New Member

    To be honest, I use ISPConfig to manage all that, much quicker and easier. And I'm not going near the whole IP based Virtual Hosts/Name Based VH thing.

    Don't forget configs like this




    Don't forget the ports.conf to listen on both ports, and make backup copies of the files before getting too inventive.

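Added example (not from the thread or any of its posters): a small POSIX sh script that emits the /etc/network/interfaces alias stanza from post #4 and the IP-bound Apache SSL vhost that post #6 asks about, with the Listen line for ports.conf and the chain file from post #10, then checks that no vhost is still on the *:443 wildcard. The IPs, hostnames and certificate paths are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Emits the two stanzas posts #4 and #6
# describe for one extra IP on eth0, then checks that the SSL vhost is bound
# to the IP rather than the *:443 wildcard. The IPs, hostnames and cert paths
# below are constructed sample values (192.0.2.0/24 is the documentation range).

# Alias stanza for /etc/network/interfaces (Debian): eth0:N carries one extra
# address; post #4's ifconfig command is the runtime equivalent of this.
iface_alias_stanza() {  # $1=alias index  $2=IP  $3=netmask
    printf 'auto eth0:%s\niface eth0:%s inet static\n    address %s\n    netmask %s\n' \
        "$1" "$1" "$2" "$3"
}

# One SSL vhost bound to a single IP. The Listen line belongs in ports.conf
# (post #7); the chain file is what post #10 says is usually missing.
ssl_vhost_stanza() {  # $1=IP  $2=ServerName  $3=directory holding cert files
    cat <<EOF
Listen $1:443
<VirtualHost $1:443>
    ServerName $2
    SSLEngine on
    SSLCertificateFile      $3/$2.crt
    SSLCertificateKeyFile   $3/$2.key
    SSLCertificateChainFile $3/$2.chain.crt
    DocumentRoot /var/www/$2
</VirtualHost>
EOF
}

# Check (stdin = a vhost stanza): without SNI, Apache cannot tell *:443 vhosts
# apart before the TLS handshake and uses the first one's cert for every
# connection, so each SSL vhost must name its own IP.
vhost_is_ip_bound() {
    ! grep -q '<VirtualHost \*:443>'
}

# Usage: one alias and one vhost per customer site, numbered from 0.
iface_alias_stanza 0 192.0.2.10 255.255.255.0
iface_alias_stanza 1 192.0.2.11 255.255.255.0
ssl_vhost_stanza 192.0.2.10 shop.example.com /etc/apache2/ssl
ssl_vhost_stanza 192.0.2.11 mail.example.com /etc/apache2/ssl
```

Redirect the first two calls into /etc/network/interfaces and the vhost output into a file under ssl-enabled, then check with `apache2ctl -S` that each IP:443 shows exactly one vhost.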
  8. chuckl

    chuckl New Member

    And I always forget the obvious, don't forget to

    a2enmod mod_ssl

    to enable the mod_ssl module.

  9. MisterVlad

    MisterVlad New Member

    This should already be enabled since I already have a self-signed 256-bit SSL cert?
    The issue I am running into is that it is not a trusted SSL, and my clients need/want that.

    Now, if I can only figure out iptables and such, I would be all set; that way I can set up my FTP on a single IP and only allow 2 ports (FTP and SFTP), and then the HTTP would be on their IPs, and the mail on its... I dunno... too much work, not enough time.

  10. chuckl

    chuckl New Member

    If the SSL cert does not have a root cert distributed with the browsers, then it's not worth paying money for it. You may as well sign up and issue your own. Are you sure that it does not simply require a chain certificate installed on the browser as well? e.g. You have a cert for issued by What you are missing is the chain cert linking back to the biggie who has a cert distributed with the browsers. Usually it's a download linked somewhere on the issuer's website.

    On the iptables, ftp side, I'm pretty sure there are HowTo's floating round here on the site.
