Thread: how to set up ssl for surgemail install with multiple domains




how to set up ssl for surgemail install with multiple domains
United States
2007-09-07 15:19:49
Howdy, 

We have several domains set up on our surgemail installation. However, I can't find a way to upload SSL certs for the various domains. Does anyone know how to do that? 

Thanks!
--
Matt Parker
Systems Administrator
Communist Party USA
646-437-5301
mattpcpusa.org



Re: how to set up ssl for surgemail install with multiple domains
Canada
2007-09-07 15:26:25
Matt Parker wrote:
> Howdy,
>
> We have several domains set up on our surgemail installation. However, I
> can't find a way to upload SSL certs for the various domains. Does
> anyone know how to do that?
>
> Thanks!
> --
> *Matt Parker*

You need to set g_ssl_per_domain to start with. Use the admin GUI to search for it. Note that:
"Per domain SSL certificates can only be used with IP based vdomains."

-- 
Neil Herber
Corporate info at http://www.eton.ca/


Re: how to set up ssl for surgemail install with multiple domains
Canada
2007-09-08 20:06:29
> Matt Parker wrote:
>> Howdy,
>>
>> We have several domains set up on our surgemail installation. However, I
>> can't find a way to upload SSL certs for the various domains. Does
>> anyone know how to do that?
>>
>> Thanks!
>> --
>> *Matt Parker*
>
> You need to set g_ssl_per_domain to start with. Use the admin GUI to
> search for it. Note that:
> "Per domain SSL certificates can only be used with IP based vdomains."
>

Dave Collar wrote:
 > Does that mean I can set up a single ssl cert for all non-IP based
 > vdomains?
 >
 > Dave Collar
 >

The short answer is maybe.

SSL certs are tied to a specific domain name, not to a particular IP. There are "wildcard" certs that match all subdomains in a domain, so if you have one.example.com, two.example.com, and so on, a single wildcard cert for example.com will match them all. But if your domains are exampleone.com, exampletwo.com, and so on, then a wildcard cert will not work.

Wildcard certs are usually about 5 times the cost of a single domain cert.

If you just use a regular cert for several vdomains that share an IP, then only the one that exactly matches will work as expected. The other domains will cause error messages in browsers.


-- 
Neil Herber
Corporate info at http://www.eton.ca/


RE: how to set up ssl for surgemail install with multiple domains
United States
2007-09-09 08:31:42
Can I have multiple different certs for the same IP or am I forced to establish dedicated IPs?

Dave Collar

 



 

 



Re: how to set up ssl for surgemail install with multiple domains
Canada
2007-09-09 10:27:43
>> Matt Parker wrote:
>>> Howdy,
>>>
>>> We have several domains set up on our surgemail installation. However, I
>>> can't find a way to upload SSL certs for the various domains. Does
>>> anyone know how to do that?
>>>
>>> Thanks!
>>> --
>>> *Matt Parker*
>> You need to set g_ssl_per_domain to start with. Use the admin GUI to
>> search for it. Note that:
>> "Per domain SSL certificates can only be used with IP based vdomains."
>>
>
> Dave Collar wrote:
>  > Does that mean I can set up a single ssl cert for all non-IP based
>  > vdomains?
>  >
>  > Dave Collar
>  >
>
> The short answer is maybe.
>
> SSL certs are tied to a specific domain name, not to a particular IP.
> There are "wildcard" certs that match all subdomains in a domain, so if
> you have one.example.com, two.example.com, and so on, a single wildcard
> cert for example.com will match them all. But if your domains are
> exampleone.com, exampletwo.com, and so on, then a wildcard cert will not
> work.
>
> Wildcard certs are usually about 5 times the cost of a single domain cert.
>
> If you just use a regular cert for several vdomains that share an IP,
> then only the one that exactly matches will work as expected. The other
> domains will cause error messages in browsers.
>
>
Dave Collar wrote:
 > Can I have multiple different certs for the same IP or am I forced to
 > establish dedicated IPs?
 >
 > Dave Collar

You need to have separate IPs for the domains if they are not subdomains of a single higher level domain. In the subdomain case, you should be able to use a single wildcard cert.

The reasons have to do with the SSL protocol. See here:
http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts


Could you please bottom-post when replying to make these conversations easier to read? Thanks.

-- 
Neil Herber
Corporate info at http://www.eton.ca/
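
The rule discussed in the thread up to this point (one certificate served per IP, a wildcard covering only subdomains of one parent domain) can be checked against a planned vdomain layout before buying certificates. The following is an added example, not part of any post and not SurgeMail code or configuration; the function names, hostnames, IP addresses and table layout are all assumptions constructed for illustration, and the wildcard matching is slightly more general than the thread in that it applies the single-label rule browsers use.

```python
# Added example: constructed data, not SurgeMail configuration or code.

def name_matches(cert_name, host):
    """True if one certificate name covers host (case-insensitive).

    A wildcard counts only as the entire left-most label and stands for
    exactly one label: *.example.com covers one.example.com, but not
    example.com itself and not a.b.example.com.
    """
    cert_labels = cert_name.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        # Reject over-broad wildcards such as *.com
        return len(cert_labels) >= 3 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels


def audit(vdomains, certs_by_ip):
    """Classify each vdomain as 'ok', 'name-mismatch' or 'no-cert'.

    vdomains:    hostname -> IP address the vdomain is served on
    certs_by_ip: IP address -> names in the one certificate served on that
                 IP (the certificate is chosen from the IP alone)
    """
    report = {}
    for host, ip in vdomains.items():
        names = certs_by_ip.get(ip)
        if names is None:
            report[host] = "no-cert"
        elif any(name_matches(n, host) for n in names):
            report[host] = "ok"
        else:
            report[host] = "name-mismatch"  # browser shows a certificate error
    return report


# Constructed sample layout (hypothetical hosts, documentation IP range).
VDOMAINS = {
    "one.example.com": "192.0.2.10",
    "two.example.com": "192.0.2.10",
    "exampleone.com": "192.0.2.20",
    "exampletwo.com": "192.0.2.20",
    "examplethree.com": "192.0.2.30",
}
CERTS_BY_IP = {
    "192.0.2.10": ["*.example.com"],   # wildcard cert shared by subdomains
    "192.0.2.20": ["exampleone.com"],  # regular single-name cert
}

if __name__ == "__main__":
    for host, status in audit(VDOMAINS, CERTS_BY_IP).items():
        print(f"{host:20} {VDOMAINS[host]:12} {status}")
```

Any host reported as `name-mismatch` is one that would need its own IP and certificate under the constraint described in the thread.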


RE: how to set up ssl for surgemail install with multiple domains
United States
2007-09-09 14:08:34
You usually need one IP address per certificate. Are you using the certs for webmail SSL or something else?

-Greg





Re: how to set up ssl for surgemail install with multiple domains
New Zealand
2007-09-10 18:55:46
I'd like to clarify a couple of points mentioned in the discussion.

Yes, in general in order to have a certificate per domain you must have IP based domains and g_ssl_per_domain. The IP address is used to determine the certificate selected serverside for the SSL negotiation. This is the only information available at that stage as no data has actually been sent across the link yet.

This means that you can only possibly have one certificate per IP address. So if you want a certificate for each domain, each domain must have its own IP address.

However... There are two ways of getting multiple domains per certificate and thus per IP address:

SSL (x509 version 3) actually supports multiple domains per certificate. These kinds of certificates are not commonplace yet and I'm not sure how well supported they are. I've never actually experimented with them so surgemail may not even support them and I suspect many clients do not support them either. Aside from this, they are not recommended as you would have to get the whole certificate to be reissued each time you change a domain on your server - this is generally an expensive exercise.

A wildcard certificate allows you to have multiple subdomains on the same certificate. I think they are slightly better supported than multiple domains per certificate. But still it is expensive and does not help you if you have domains which are not subdomains of your root domain.

So if you really need to support SSL I would suggest getting a dedicated IP address for each domain you need to support this on.

Marijn




Re: how to set up ssl for surgemail install with multiple domains
United States
2007-09-10 19:12:59
Don't know if this'll work for you, but there's one other alternative that we use here....

Use a single certificate for the mail server and have everyone connect to the same hostname (e.g. mail.ispdomain.com). This requires POP and IMAP users to use their entire email address as their login name. If you're using webmail, then a slight template modification can allow your users to connect to https://mail.ispdomain.com/scripts/webmail.exe?domain=customerdomain.com. If this is too ugly (quite likely), then a simple redirect on another web server will work (i.e. http://webmail.customerdomain.com has a redirect to the above mouthful of a url). Note that the webmail.customerdomain.com url is HTTP, so you don't need a cert for it. It'll redirect to the HTTPS (Surgemail) server. If you do this, then the Webmail login screen knows the domain and requires that the user types in only his name, not the full name@domain.

We've been using this technique for a few years, and it works well for us.

Hope this makes sense and is of some use...

Regards,

Bob


--

Bob Fera
I.T. Manager
Zenith Information Group
18757 Burbank Blvd., Suite 116
Tarzana, CA 91356
Phone: 818-206-8634 Ext. 160
Fax: 818-345-2605

Members of NACHA
The Electronic Payments Association

RE: how to set up ssl for surgemail install with multiple domains
United States
2007-09-10 19:13:38
-----Original Message-----
From: Surgemail Support (Marijn) [mailto:surgemail-supportnetwinsite.com]
Sent: Monday, September 10, 2007 7:56 PM
To: surgemail-listnetwinsite.com
Subject: Re: [SurgeMail List] how to set up ssl for surgemail install with multiple domains

I'd like to clarify a couple of points mentioned in the discussion.

Yes, in general in order to have a certificate per domain you must have IP based domains and g_ssl_per_domain. The IP address is used to determine the certificate selected serverside for the SSL negotiation. This is the only information available at that stage as no data has actually been sent across the link yet.

This means that you can only possibly have one certificate per IP address. So if you want a certificate for each domain, each domain must have its own IP address.

However... There are two ways of getting multiple domains per certificate and thus per IP address:

SSL (x509 version 3) actually supports multiple domains per certificate. These kinds of certificates are not commonplace yet and I'm not sure how well supported they are. I've never actually experimented with them so surgemail may not even support them and I suspect many clients do not support them either. Aside from this, they are not recommended as you would have to get the whole certificate to be reissued each time you change a domain on your server - this is generally an expensive exercise.

A wildcard certificate allows you to have multiple subdomains on the same certificate. I think they are slightly better supported than multiple domains per certificate. But still it is expensive and does not help you if you have domains which are not subdomains of your root domain.

So if you really need to support SSL I would suggest getting a dedicated IP address for each domain you need to support this on.

Marijn


Thanks.  The explanation has been thorough and informative.

Dave Collar