SSL API - Multi-Domain SSL Cert

dlogan

I'm looking at making a plugin that will generate a Multi-Domain SSL Certificate whenever a domain name is added to the server, so that the default HTTPS connection will have a valid hostname for each domain on the box.

I've gotten the needed openssl commands and configuration file to create the proper certificate; I'm just not sure of the proper way to integrate this with DA.

I've found a few vague references to the DirectAdmin SSL API, but I was wondering if there were more directions available somewhere on using this API, or if it's better to just replace the files for the certificates directly.

It would be great if at least there was some way with the API to replace the certificate per IP, giving a block command with an example certificate. (If possible leaving the original RSA private key untouched).

Thanks for your help.
 
Are you asking about a secure DirectAdmin login?

It'll be interesting to see if DirectAdmin supports a Multi-Domain SSL Certificate. Have you tried it already?

The DirectAdmin API reference is found here. If that doesn't fill your needs then you should probably create a program running as root to place the certificate and associated files manually.

HOWEVER ...

I presume you're writing about a self-signed Certificate. We're quickly moving away from self-signed Certificates because newest browsers pop up a warning when visiting a site using a self-signed certificate, telling users they should NOT continue.

My feeling is that this is going to create more support issues than either insecure DirectAdmin logins (which I do not recommend), or hostname-only DirectAdmin logins.

Jeff
 
Each ssl host needs its own ip address.

That's simply not true. While you can only have one SSL certificate per IP address (this has to do with the certificate being sent before Apache knows anything about the vhost), RFC 2818, which defines the standard for certificates, allows more than one domain on a single certificate. As a result you can have virtually unlimited hosts on a single certificate for a single IP.

Please see http://wiki.cacert.org/wiki/VhostTaskForce

I've got a working version of this that has SSL across an entire reseller account of 5-6 domains right now. It works great in both Firefox and IE (I haven't tested other browsers yet). As Jeff pointed out, the certificates are "Signed from an untrusted source" (aka essentially self-signed, but I did bother to set up my own CA store).

By default I leave SSL enabled even for users who have not purchased a unique IP. If they choose to check the check-box to allow SSL for their domain, it's enabled. Without the multi-domain certificate I created, IE and Firefox complain that the certificate is not from a trusted source AND that the name on the domain does not match the name on the certificate.

By creating a plugin that automatically creates a multi-domain certificate I get rid of the "scarier" error message and my users who know what they're doing can change their logon pages for their blogs, etc, to use the https address and enjoy the benefit of an encrypted connection.

I have not yet set up HTTPS for the connection to DirectAdmin itself, but I probably will end up doing this. I plan on sending out a note to my users telling them how to import the root certificate to their Trusted Store. As a result they will not get any error messages on any of the sites hosted on my server.

Anyway, I'll dig through the Apache files and see if I can determine which of the certificates is the right one to replace :).
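
Added example, not part of the thread and not any poster's or DirectAdmin's code: one way to regenerate a single certificate whose subjectAltName covers every hosted domain while leaving an existing RSA private key untouched. It produces a plain self-signed certificate rather than one signed by a private CA, and all file paths and domain names are constructed placeholders.

```shell
#!/bin/sh
# Added illustration: paths and domain names are constructed placeholders.

# Emit an OpenSSL config listing every domain as a subjectAltName entry.
# The first domain doubles as the subject CN.
build_san_config() {
    [ "$#" -gt 0 ] || return 1
    printf '[req]\ndistinguished_name = dn\nx509_extensions = v3\nprompt = no\n'
    printf '[dn]\nCN = %s\n' "$1"
    printf '[v3]\nbasicConstraints = CA:FALSE\nsubjectAltName = @alt\n[alt]\n'
    i=1
    for d in "$@"; do
        # Domain names come from panel input; refuse anything that is not a
        # plain hostname so a crafted name cannot add lines to the config.
        case $d in
            ''|*[!A-Za-z0-9.-]*) echo "rejected domain name" >&2; return 1 ;;
        esac
        printf 'DNS.%d = %s\n' "$i" "$d"
        i=$((i + 1))
    done
}

# Issue a self-signed certificate covering all given domains.
# An existing key file is reused as-is; a new one is created only if absent.
issue_cert() {
    key=$1; crt=$2; shift 2
    cfg=$(mktemp) || return 1
    build_san_config "$@" > "$cfg" || { rm -f "$cfg"; return 1; }
    if [ ! -s "$key" ]; then
        ( umask 077; openssl genrsa -out "$key" 2048 2>/dev/null ) ||
            { rm -f "$cfg"; return 1; }
    fi
    openssl req -new -x509 -sha256 -days 365 -key "$key" -config "$cfg" -out "$crt"
    rc=$?
    rm -f "$cfg"
    return "$rc"
}

# List the DNS names actually present in a certificate, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# Demo: the call a plugin would make after a domain is added.
if command -v openssl >/dev/null 2>&1; then
    dir=$(mktemp -d)
    issue_cert "$dir/server.key" "$dir/server.crt" \
        example.com www.example.com shop.example.net && cert_sans "$dir/server.crt"
fi
```

Running `cert_sans` on the new file before reloading the web server confirms that every hosted name made it into the certificate.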
 
> Are you asking about a secure DirectAdmin login?
>
> It'll be interesting to see if DirectAdmin supports a Multi-Domain SSL Certificate. Have you tried it already?

I haven't actually used it for DirectAdmin yet, just for regular Apache HTTPS connections on several domains, but I can't imagine why it wouldn't work with DirectAdmin. I imagine DirectAdmin will just serve up the certificate like any other web server without actually looking at the file. The support for the multi-domain certificates would be on the web-browser side. I have confirmed my certificates work with both IE and Firefox, though I did have to add one more extra thing for Firefox to work.

> The DirectAdmin API reference is found here. If that doesn't fill your needs then you should probably create a program running as root to place the certificate and associated files manually.

I did end up finding this:
http://www.directadmin.com/features.php?id=514

Which I might have to play around with and see if I understand it correctly, thanks!

> HOWEVER ...
>
> I presume you're writing about a self-signed Certificate. We're quickly moving away from self-signed Certificates because newest browsers pop up a warning when visiting a site using a self-signed certificate, telling users they should NOT continue.
>
> My feeling is that this is going to create more support issues than either insecure DirectAdmin logins (which I do not recommend), or hostname-only DirectAdmin logins.
>
> Jeff

I don't think I'm going to create any more support issues than leaving SSL on with the server's default certificate would cause. I also feel like I'm adding more benefit to my users. If I had a ton of IP addresses to share I would give everybody their own IP and cert, but that isn't really possible.
 
Trust me, it's true. Unless you patch apache and/or ssl it's not going to work.
 
> Trust me, it's true. Unless you patch apache and/or ssl it's not going to work.

You have no clue what you are talking about. I have this working without any patches. I'm not just talking theory here, I have it set up on my site.

If you google "Multi-domain SSL certificate" you will even find that several of the verified certificate providers provide these certificates. You will also find many people who have had this working for years.

Anyway, I didn't post here asking for help on how to make the certificates and "if it is possible". I know it is possible, and I have it working. What I posted here was for assistance in using the DirectAdmin API to load and kick off the creation of one of these certificates I have made.
 
What did you do to get the multi-domain certificate working?

Will it work if I refer to the (same multi-domain) SSLCertificateFile and SSLCertificateKeyFile in the httpd.conf?
 