I decided, since I'd had a good year, to invest in some new web servers and firewalls, as the ones I am currently using were kinda cobbled together in a 'just use what I can find' way. I think one is a P3 800MHz with 384MB RAM! ;)
Anyways, I now have 3 locations, so bought 3 new decent spec 'servers' and some hardware VPN firewalls.
Now, I know how to connect it all up and structure the network. Basically I'll have 3 subnets 10.1.x.0/24, where x is 1, 2 or 3 for each location. These will all be connected by hardware VPN on the routers, so the servers will all talk to each other without having to have 4 IPs each!
But, that aside 'cos it's not really relevant to my question, I want to set up some SSL hosting, I've not had a requirement for it before. Each location has at least 1 static IP, which the routers currently NAT to the server which uses host headers to determine the relevant site.
Will the NAT IP translation break the SSL certificates? Or will the client see the external IP as the server address and accept them? Can you issue multiple certificates to the same external IP (with different domain names)?
Is there a way of preventing any internal DNS name or IP address appearing on outgoing email headers when using Exchange for email hosting?
OK, I know all that's a bit of a mouthful, but if anyone can offer any advice I'd appreciate it.
Will the NAT IP translation break the SSL certificates?
SSL certificates themselves are bound to domain names, not to IP addresses. There shouldn't be a problem when connecting to them via a different IP than the server itself.
Can you issue multiple certificates to the same external IP (with different domain names)?
No. Although the SSL certificate is not IP bound, the way the HTTPS protocol handles encrypted connections is. You cannot assign Virtual Hosts as you can with normal HTTP connections, because all data in a request from the visitor to the server is encrypted, including the header with the name of the server you want to connect to. The encryption is performed with the SSL certificate. If you would install a second SSL certificate on the same IP, that certificate wouldn't be able to decrypt the info encrypted with the first certificate, practically limiting the number of active SSL certificates per IP address to one.
There is one way to have more SSL sites on one IP address, and that is with wildcard certificates. Some authorities issue certificates which are valid for *.example.com. In that case all subdomains, e.g. sub1.example.com, sub2.example.com, etc., can share one certificate and one IP address.
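To make the first point above concrete (the certificate is checked against the name the visitor typed, never against the address the packets went to, so the router's NAT is invisible to the check), here is an added example that is not part of the thread. It re-implements the hostname-matching rule a TLS client applies after the handshake, including the one-label wildcard rule the reply mentions, and runs it over constructed certificate dicts in the shape Python's ssl.getpeercert() returns. The domain names, the public IP 203.0.113.10 and the check_over_nat helper are assumptions for illustration; no network connection is made by the sample data.

```python
"""Hostname-vs-certificate matching as a TLS client does it.

The CERT_* dicts are constructed samples in the shape returned by
ssl.SSLSocket.getpeercert(); nothing below touches the network unless you
call check_over_nat() yourself.
"""
import socket
import ssl


def _match_label_pattern(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: a wildcard may only be the whole leftmost label
    and matches exactly one label (so *.example.com covers sub1.example.com
    but neither example.com nor a.sub1.example.com). Public-suffix checks
    (rejecting *.co.uk) are out of scope here."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        # Reject partial wildcards such as f*.example.com and bare *.com.
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list:
    """Names the certificate was issued for: subjectAltName DNS entries,
    falling back to the subject CN only when there is no SAN at all."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn
            if k == "commonName"]


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """True when the name the user typed is covered by the certificate.
    Note that no IP address takes part in this decision."""
    return any(_match_label_pattern(n, hostname) for n in names_in_cert(cert))


def check_over_nat(public_ip: str, hostname: str, port: int = 443) -> bool:
    """Connect to the NAT'd public address but validate against the hostname.
    The default context already performs this same name check during the
    handshake and raises on mismatch; the explicit call just shows the
    decision. Assumed helper, not run by the sample data."""
    ctx = ssl.create_default_context()
    with socket.create_connection((public_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return hostname_matches_cert(hostname, tls.getpeercert())


# Constructed sample certificates (assumed names from the thread's example).
CERT_DOMAIN1 = {
    "subject": ((("commonName", "secure.domain1.com"),),),
    "subjectAltName": (("DNS", "secure.domain1.com"),
                       ("DNS", "www.domain1.com")),
}
CERT_DOMAIN2_CN_ONLY = {  # older style: subject CN, no SAN extension
    "subject": ((("commonName", "secure.domain2.co.uk"),),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"), ("DNS", "example.com")),
}


if __name__ == "__main__":
    for host, cert in [("secure.domain1.com", CERT_DOMAIN1),
                       ("203.0.113.10", CERT_DOMAIN1),
                       ("sub1.example.com", CERT_WILDCARD),
                       ("a.sub1.example.com", CERT_WILDCARD)]:
        print(f"{host:>22} -> {hostname_matches_cert(host, cert)}")
```

The second line of that output is the NAT answer in one line: a visitor who connected to the public address but typed the hostname is checked against the hostname, and a visitor who typed the bare IP fails the check, whether NAT is in the path or not.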
If you would install a second SSL certificate on the same IP, that certificate wouldn't be able to decrypt the info encrypted with the first certificate
That would be fine, this is for a web hosting setup so the sites would be completely separate, like...
secure.domain1.com
secure.domain2.co.uk
etc....