[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [cobalt-users] SSL and root domain

Subject: Re: [cobalt-users] SSL and root domain
From: Jeff Lasman <jblists@xxxxxxxxxxxxx>
Date: Thu Feb 10 11:46:09 2000

At 05:59 PM 2/9/00 -0500, you wrote:

Greetings Group,

I've searched the archives regarding SSL certificates, but I've not found
anything in the archives that touches on this question..

I'm curious - should (can) an external 128-bit SSL certificate be installed
in the RaQ3's default domain cert folder (/home/sites/home/certs)?  I want
to be able to use/map this external certificate so it can be used with
virtual hosts (shared IP).

For example if I have a virtual host named www.theirsite.com, I want to be
able to allow them access to *our* certificate via
https://mydomain.com/theirsite/folder/file.htm

Physically you should be able to do this, although I'd use <file.html>rather than <file.htm>; maybe I'm just a linux purist <smile>.

I'd also use <secure.mydomain.com> rather than just <mydomain.com>. It'sless confusing the define a different service name since it's a differentservice. You can even set up a dummy page so that people who type in<http://mydomain.com/theirsite...> or just <mydomain.com/theirsite...>would automatically get redirected to<https://secure.mydomain.com/theirsite...>.

Of course representatives at both Verisign and Thawte will tell you thatyou can't do this under their license. They'll say you need a separatecertificate for each domain. But some of the big hosting companies doit. Does might make right <wry grin>?

You MIGHT take on some perceived obligation by doing it; visitors to yourclient's website MIGHT think you're providing security; if one of yourclients misused (even accidentally) his customer's credit card number, forexample, some overachieving attorney <wry grin> might decide to let thecourts decide if YOU were liable because you provided the certificate.

Don't forget that the legal purpose of the certificate is to provideIDENTITY as well as SECURITY. Do you really want to be in the business ofguaranteeing who your customers are? Of course lots of big companies do itthis way; I'm not telling you not to.

I configured the initial IP (in the LCD window) on the system as:

pandora.xyz.com  - (/home/sites/home)

Then I added my actual domain using another IP as:

www.xyz.com  - (/home/sites/site1)

Which is the proper setup??

Your actual domain name is NEITHER <pandora.xyz.com> NOR is it<www.xyz.com>. Your actual domain name is most likely <xyz.com>. Pandorais the name of a physical machine, since you seem to have configured themachine with that name. www is the name of a service, which is on the samemachine.


It COULD share the same IP#, or use a different one; it really doesn't matter.

The two important (to some people) things that you can't do when you shareIP#s are anonymous FTP hosting for the domain, AND secure servers (asyou've probably noticed <wry grin>).


Jeff
--
Jeff Lasman <jblists@xxxxxxxxxxxxx>

References:
- [cobalt-users] SSL and root domain
  - From: Craig S. N.

Prev by Date: RE: [cobalt-users] propagation.. & analog
Next by Date: RE: [cobalt-users] mySQL
Previous by thread: [cobalt-users] SSL and root domain
Next by thread: [cobalt-users] [RAQx] Security Solutions

Sun Cobalt Users Message Index

Sun Cobalt Users Thread Index