cPanel & WHM Version 92 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Multiple SSL certificates per virtualhost - Dual/Triple certificat setup with RSA,ECC,DSA

Dominic shared this idea 4 years ago
Open Discussion

Since Apache 2.4.8 [1] it's possible to define multiple SSL certificate type (RSA, ECC, DSA) per virtualhost.


Example

  1. <VirtualHost 194.126.200.29:443>

  2. ServerName example.com

  3. SSLEngine on

  4. # example.com_rsa.bundle.crt contains certificate and intermediates

  5. SSLCertificateFile /etc/ssl/cert/example.com_rsa.bundle.crt

  6. SSLCertificateKeyFile /etc/ssl/key/example.com_rsa.key

  7. SSLCertificateFile /etc/ssl/cert/example.com_ecc.bundle.crt

  8. SSLCertificateKeyFile /etc/ssl/key/example.com_ecc.key

  9. </VirtualHost>


The current SSL management within cPanel is limited to one certificate

per virtualhost. It would be nice, if the SSL manager core could support

multiple certs of different Public key algorithm types per virtualhost.


When using a dual/tripple cert setup, the certificate and the

intermediate certificates have to be combined in one file. Otherwise

Apache is not able to determine which intermediate belongs to an

certificate. This is an additional change of the SSL core system. The

combination of certificate and intermediates can be performed/released

first. This is the base for a multi certificate support.


What are the advantages of a dual/triple cert setup?


Support for a ECC certs (small key size, low latency, speed) with an fall-back to RSA if a client has no support for ECDSA [2].


The Wikimedia Ops people have a very interesting thread [3] about their dual cert setup.


Who is using this setup?


  • facebook.com
  • wikipedia.org
  • stackoverflow.com
  • t.co


[1] https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile


[2] https://istlsfastyet.com/#ecc


[3] https://phabricator.wikimedia.org/T86654

Comments (1)

photo
1

This is needed as we are moving away from RSA certs, and all modern OSes support ECDSA certs (since Vista/Server 2008).