Ssl – Can one domain have 2 or more SSL certificates

certificatedomainSecuritysslx509

I have googled and found this post: https://security.stackexchange.com/questions/46988/is-it-technically-possible-to-configure-two-different-ssl-certificates-for-the-s

If it actually is possible, then what stops me, say from getting an SSL certificate for paypal.com(or some important website), somehow get users to arrive into my website/server using this new certificate(cache poisoning, something else, doesn't matter really) and fake the website while doing nasty things like stealing data etc. etc. ?

Best Answer

SSL vendors will not sell you a certificate for PayPal.com. The entire point of Certification Authorities is to have organizations in charge of validating that you control the domain in question.

The linked question involves two different SSL certificates but both for example.com. Both certificates would require the person requesting them to demonstrate control of example.com prior to having them generated by the CA.

Related Solutions

Apache – Configuring SSL VirtualHosts on a Single IP with UCC/SAN Certificate

I tested this on my apache 2.2.14 instance and it worked fine:

Use the NameVirtualHost directive (to ports.conf):

NameVirtualHost *:443

define your vhosts:

<VirtualHost *:443>
  ServerName www.siteA.com
  DocumentRoot "/opt/apache22/htdocs/siteA"
  SSLCertificateFile "/path/to/my/cert"
  SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>
<VirtualHost *:443>
  ServerName www.siteB.com
  DocumentRoot "/opt/apache22/htdocs/siteB"
  SSLCertificateFile "/path/to/my/cert"
  SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>

I used this link as a resource.

Security – Our security auditor is an idiot. How to give him the information he wants

First, DON'T capitulate. He is not only an idiot but DANGEROUSLY wrong. In fact, releasing this information would violate the PCI standard (which is what I'm assuming the audit is for since it's a payment processor) along with every other standard out there and just plain common sense. It would also expose your company to all sorts of liabilities.

The next thing I would do is send an email to your boss saying he needs to get corporate counsel involved to determine the legal exposure the company would be facing by proceeding with this action.

This last bit is up to you, but I would contact VISA with this information and get his PCI auditor status pulled.

Best Answer

Related Solutions

Apache – Configuring SSL VirtualHosts on a Single IP with UCC/SAN Certificate

Security – Our security auditor is an idiot. How to give him the information he wants

Related Topic