PositiveSSL Multi-Domain Certificate


Is it possible to use a PositiveSSL Multi-Domain Certificate (http://www.positivessl.com/ssl-certificate-products/ssl/multi-domain-ssl-certificate.html) on my Virtualmin Pro server as I only have 1 IP Address but have several clients who want to have Secure Sites?


Not possible with the current way VM is setup to work. RFC dictates that all SSL sites MUST have its own IP for security purposes. Sharing a single IP for that breaks the SSL security layers.

I’d really appreciate if VM would support this. We are going to host several CRM-sites on the same server. The communication to each of the sites has to be protected by SSL. Of course we could use a wildcard certificate and several sub-domains, but our customers want their own domain as url. Since I’m able to setup a multi-domain certificate in apache’s config-files, I see no reason why it should be impossible to do so in connection with virtualmin.

I wanted to look into this same issue - as I have a cert config I need to rethink. This issue is common - and methods are being developed to find a solution in the context of "typical" apache config.


This seemed promising. It would still be awesome to see Virtualmin use one of these possible solutions.

If we are going to vote on this issue I’d like to say Yea. I have multiple sites and with CMS that use the same IP address I have no other option and adding multiple Nics and IP address is very expensive and for legitimate sites its not a security risk. Security is one issue; but you’ll never convince me that by tying a cert to an IP address is more secure than tying it to an IP Address and binding it to a URL; I understand that IP addresses need to be in the equation; lets face it a lot of crooks out there can change IP address in a heart beat; but in reality it doesn’t work very well to hide a crime; even a temp or dynamic IP address can be traced back to its source for a given time and date stamp; can’t even hide behind a proxy anymore; so security risk isn’t an issue here; can’t make us pay for crimes we are not trying to commit; I understand your concern for security; but try to understand our needs also. If there is a way then I for one would also like to see it happen.
I’ve used a lot of control panels; this one is by far the best; by adding this one feature it will be even better. I only host my own sites on my own computers at my house; I spent the money on this program and it was worth it; this program rocks; adding this feature will rock even more.

Hey guys,

I’m getting the feeling that a lot of folks want to be able to use name-based SSL. :wink:

There are a few problems at this stage…but it’s on our radar, and I won’t rule out adding support in the next month or two.

But, I’ll take this opportunity to point out the problems:

  1. Non-standard Apache module. The security history of the module is pretty short…and its lack of popularity means that it hasn’t been tested by the serious white hat and black hat security people. Since security is the whole point, it’s a bit of a problem. So, though mod_gnutls has been around for a couple of years, it’s not been used heavily enough for anyone to be sure it can be counted on.

  2. Browser support is weak. This explains number 1 above. The reason it’s not more popular is because a large percentage of browsers don’t support the new protocol. IE up until 7 don’t support it. The vast majority of mobile device browsers don’t support it. Most of the text-mode browsers (which means many that are used by blind folks with readers) don’t support it. Safari didn’t support it last time I looked hard enough, but it might by now (that was months ago…maybe even more than a year ago). If your userbase is technically proficient, they’re probably running Firefox or Opera and won’t be negatively impacted…but if they’re older folks who never upgrade their system and are still running the IE that shipped with the box (my dad does this, even though I’ve shown him how to upgrade) it just won’t work. And, of course, those same technically savvy users that have the latest browser on their PC are also most likely to browse you on on their phone…which probably doesn’t have support for this protocol. Drat, foiled again!

It’s chicken vs egg, and the tide turns slowly. (Mixing metaphors is good for ones intellect.)

But, I suppose we should become part of the tide that’s pushing towards a better secure protocol on the web (look at that, I just talked myself into it!). I’ll make sure the module is available on all of our platforms, and ask Jamie to add support soon. It won’t make the next release, but we might be able to get it into the one after that.

Glad to hear that!

Maybe I am missing the obvious - but is there a "roadmap" page of what features are up-and-coming? Granted - aside from bug fixes and OS variants/support, a list of planned features?

Thanks for staying on the applicable edge…

Joe supporting this is a bad idea – very bad and its only going to lead providers like me unhappy.

Joe supporting this is a *bad* idea

Aside from the two problems I mentioned above (which I certainly consider serious problems), what makes it a bad idea?

It would obviously be optional, as for serious corporate websites, it just wouldn’t make sense. But for the folks who’ve historically been doing crazy stuff like running all SSL sites on the same certificate and pretending like it’s secure, this is almost certainly a positive improvement (assuming the security of mod_gnutls is solid).

It’ll be a couple more years before this is something you could confidently suggest for an ecommerce website. But for folks who just want their passwords to not be plain text, it could be a win.

Not thrilled at all…

I can list many reasons for this to be a good idea; the only reason I think anyone would think its a bad idea is if they really didn’t fully understand the concept or implementation; I don’t mean this is a bad way (no easy way to say this; I don’t know or assume to know your knowledge about this matter; but I believe the less I know about something the stronger my conviction is; the human syndrome); but from an ISP’s point of view it may mean you’re not selling as many IP Addresses; I don’t see this as a issue personally; we need to conserve IP addresses; IPV6 may give us more head room but its not here yet and isn’t a real solution; why do I need more than one IP address to start with? Selling more certificates; not an issue; in fact I’m trying to make a point for the ISP but I’m not doing so well; maybe you can express your reasons more clearly than just bad idea… maybe me; but I still think this is the best idea I have heard of in a long time; it opens up doors to do things I can’t do now; SSL for one; I can only get 14 IP addresses to my location (I still believe I need only 1 remember); and each go to a server; if I have 20 web sites on each server; then I can’t offer SSL at all; unless your doing dedicated servers; small guys like me who can’t afford the equipment to compete with the big guys can’t compete at all; in fact I can’t service my own web sites with SSL let alone my customers. So please enlighten us to why this is a bad idea with specifics if you can and then I and others will have something to consider; I know you have your reasons; please share them, we all are interested in your opinion.