From info-cyrus Mon Aug 26 21:17:33 2002
From: Michael Fair
Date: Mon, 26 Aug 2002 21:17:33 +0000
To: info-cyrus
Subject: Re: My Take on Virtdomains so far
X-MARC-Message: https://marc.info/?l=info-cyrus&m=103039790412743

> > > Other than that, I can add support for a tls_cert_dir which would have
> > > one cert per address each using the domain as the name, ie
> > > oceana.com.crt
> >
> > My question is, do people also use a separate key file per-domain?

I do, but more as a side effect of creating the certs one at a time and then just leaving the key as a separate file during that process.

I'm still playing with this part of the virtual domain process. At the moment, rather than pay for a real cert, I use the OpenSSL tools to set up each virtual domain as its own CA, then distribute that CA key to each of the users. So far the only needs have been internal https, imaps, smtps (an e-commerce site would use a purchased signature).

Setting up each virt domain as its own CA creates a lot of cruft and doesn't work too well with the Cyrus model of certs at the moment. Without understanding more about the two methods Ken posted earlier (which I need to understand myself), I was thinking about migrating to an "ISP CA" which then acted as the CA for each virt domain; then I would just distribute the ISP's CA.

Of course the one caveat with that approach is that all the "ISP" customers now automatically implicitly trust each other. While that isn't a major problem in the sense that actual usage shows they don't try and use each other's internal services, it's an academic caveat nonetheless.

I don't know how many others out there are like me, but I feel I have much more of a trained monkey knowledge than an actual understanding of the SSL cert process. So while Ken's URLs solve the problem, it was immediately apparent to me how to test it to see if my favorite MUAs supported it.

And the fight rolls on! Kudos Ken!

This is very much a great first draft of a one-size-fits-all virtual domain implementation, barring support for a protocol level way of detecting which domain an end user is trying to contact. It's much more advanced than any of the attempts I had made at writing the same kinds of code! I'm very grateful for the effort.

-- Michael --
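The "ISP CA" layout discussed above, as an added example that is not part of the original message or of Cyrus: one CA signs a separate key and cert per virtual domain, written as `<dir>/<domain>.crt` and `<dir>/<domain>.key`. The final check illustrates the caveat in the message: both domains verify under the same CA, so it is the client's hostname check, not the CA, that keeps them apart. The CA name, directory layout and domain names are assumptions.

```shell
#!/bin/sh
# Constructed example: an "ISP CA" issuing one key/cert pair per virtual domain.
# File names (isp-ca.*, <domain>.crt, <domain>.key) are assumed, not Cyrus's own.
set -eu

make_isp_ca() {                 # $1 = directory for the CA and issued certs
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example ISP CA" \
        -keyout "$1/isp-ca.key" -out "$1/isp-ca.crt" 2>/dev/null
}

issue_domain_cert() {           # $1 = directory, $2 = virtual domain name
    # Separate key per domain, as the message describes.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # Put the domain in subjectAltName so modern clients can match it.
    printf 'subjectAltName=DNS:%s\n' "$2" > "$1/$2.ext"
    openssl x509 -req -in "$1/$2.csr" -days 365 \
        -CA "$1/isp-ca.crt" -CAkey "$1/isp-ca.key" -CAcreateserial \
        -extfile "$1/$2.ext" -out "$1/$2.crt" 2>/dev/null
    rm -f "$1/$2.csr" "$1/$2.ext"
}

# Chain check only: succeeds for every cert the ISP CA has signed.
verify_chain() {                # $1 = directory, $2 = domain
    openssl verify -CAfile "$1/isp-ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Chain check plus hostname check, which is what a client actually does.
verify_for_host() {             # $1 = directory, $2 = cert's domain, $3 = host
    openssl verify -CAfile "$1/isp-ca.crt" -verify_hostname "$3" \
        "$1/$2.crt" >/dev/null 2>&1
}

# Usage (functions only; nothing runs when this file is sourced):
#   d=$(mktemp -d); make_isp_ca "$d"; issue_domain_cert "$d" oceana.com
#   verify_for_host "$d" oceana.com oceana.com   && echo "ok for oceana.com"
#   verify_for_host "$d" oceana.com other.example || echo "rejected for other host"
```

Requires the `openssl` command line tool (1.1.0 or later for `-verify_hostname`).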