• 6
name

A PHP Error was encountered

Severity: Notice

Message: Undefined index: userid

Filename: views/question.php

Line Number: 191

Backtrace:

File: /home/prodcxja/public_html/questions/application/views/question.php
Line: 191
Function: _error_handler

File: /home/prodcxja/public_html/questions/application/controllers/Questions.php
Line: 433
Function: view

File: /home/prodcxja/public_html/questions/index.php
Line: 315
Function: require_once

name Punditsdkoslkdosdkoskdo

Multiple SSL certificates on single Host, port and domain

Or ssl web site is accessed in 2 ways: 1) using web-browsers 2) using our client application

We want to bundle the client app with our own CA certificate (not trusted by browsers), in order to be 100% sure, that no one can access the encrypted data. (Even ones who operate trusted Intermediate CA). We want our app to trust only certificates signed by our CA.

And, of course, we want this site to open in browsers without warnings.

So, is there any way to put 2 certificates on single host, port and domain, one that is trusted by our app, and another trusted by the browsers?

UPD:

We can use a different host for app access, but out management do not want to take a risk of bad PR attacks against us targeted to semi-educated IT community (Imagine a publication, when someone points to our server and says "Ha-ha, they use a free self-signed certificate, they are so unsecure.")

ssl
    • Have you tried just concatenating the two certificates? When an intermediate certificate has to be presented in addition to a third-party signed cert, common practice is simply to cat the two certs into a single file, and have that presented to browsers. If browsers are happy with that, it may well be that they're also happy with two separate 3rd-party signed certs (one commercial, one from your CA) being presented.

You can't put 2 certificate for a single host. But you could easily have two vhost poiting to the same web application.

  • www.example.com for browser
  • app.example.com for the application

Each of them having their own certificate.

The main problem with that is that nothing prevent a browser user to use app.example.com and vice versa.

Another less elegant option would be a different port but the same domain.

  • www.example.com(:80) for browser
  • www.example.com:8080 for the application

You can only have one certificate by domain:port pair.

  • 1
Reply Report
      • 2
    • Seconded, and I'd recommend going with separate vhosts. It will also make it a lot easier if you ever need to run them on separate servers or split them up in some other way.

Trending Tags