To start, this question might overlap with others but I almost feel like this is a Red Hat issue regarding the "how to properly configure it" part.
I have a few websites being served from the same IP address, no problems there. However, I want to give some of those websites a little protection through HTTPS. In RedHat, the ssl.conf file is referenced in the https.conf file and they seem to work well with each other.
Documentation had pointed me to creating a .conf file for every secure website I want and place that file in the /etc/httpd/conf.d/ directory which also contains the ssl.conf file. Assuming all the directives are set up properly, would I need to reference the ssl.conf file in the secureWesite.conf file placed in that directory?
Second, there is an option of giving Apache its own key pair, but when it comes to each website having its own key pair, how would that work? I'm not interested in paying $500 per year for the wildcard cert, so are there any options out there? I should mention that I only have one IP address at this time.
Thank you for the assistance.
RedHat 6 supports using multiple individual certificates for multiple virtual hosts all on the same IP address. The technical term for this is "Server Name Indication" (SNI). You may essentially just give each site its own certificate, defined via the SSLCertificateFile directive in each Virtual Host config.
Alternately, you could use a single UCC certificate with multiple Subject Alternative Names. This cert would list all the sites you host as alternative names, and would be used for every site. I would say SNI is the more 'official' way to do it, and makes it easier to move sites, revoke certificates, etc. But using UCC/SANs is perfectly viable, and might even be cheaper.
As far as multiple config files go, as John mentioned, it's a good practice, but not required. It makes comparing/modifying sites much easier than dealing with a single behemoth config.
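The per-site certificate layout described in the answer above, as an added example that is not part of the original post. It assumes the Apache 2.2 httpd shipped with RHEL 6 and that ssl.conf already loads mod_ssl and provides "Listen 443"; the host names, file names and paths are placeholders.

```apache
# /etc/httpd/conf.d/site-a.conf  (hypothetical file name)
# ssl.conf is already pulled in by the main config, so it is not
# referenced again here.

# Apache 2.2 needs this once to enable name-based vhosts on port 443.
NameVirtualHost *:443

# Optional: refuse clients that do not send SNI instead of handing them
# the first vhost's certificate (which would not match the other sites).
# SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName   site-a.example.com
    DocumentRoot /var/www/site-a

    SSLEngine on
    # Each site gets its own certificate and key pair (placeholder paths).
    SSLCertificateFile    /etc/pki/tls/certs/site-a.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/site-a.example.com.key
</VirtualHost>

# /etc/httpd/conf.d/site-b.conf  (hypothetical file name)
<VirtualHost *:443>
    ServerName   site-b.example.com
    DocumentRoot /var/www/site-b

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/site-b.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/site-b.example.com.key
</VirtualHost>

# Keep private keys readable by root only (mode 0600).
#
# To check which certificate each name receives after a reload:
#   openssl s_client -connect <server-ip>:443 -servername site-a.example.com
#   openssl s_client -connect <server-ip>:443 -servername site-b.example.com
# and compare the subject of the certificate returned for each name.
```

Without SNI from the client, Apache serves the certificate of the first virtual host defined for the address, so the order in which the files in conf.d are loaded decides which site that is.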
You only need to reference the ssl.conf file once, in the main http.conf file. Dropping the one-config-file-per-vhost model into conf.d is more of a "common practice" than a requirement. The problem you will run into is that you can only have a single site per IP with non-wildcard SSL certificates. You can use self-signed certificates, but those will have their own set of issues to deal with on the client side.