Q. I’ve set up a shiny new SSL server (Apache) but now Firefox keeps saying "could not establish an encrypted connection because the certificate presented has an invalid signature." I know my certificate hasn’t expired. So what’s up?

A. Check your httpd.conf. If your SSL server is configured in its own Virtual Hosts section, ensure that the ServerName parameter exactly matches the common name listed in the certificate itself. For example, if the certificate is issued to www.example.com, ensure that the line is ServerName www.example.com.

You can’t, by the way, use SSL with name-based virtual hosts, only IP-based virtual hosts. This is because the SSL connection is established before the HTTP request is made, and it is the HTTP request that identifies to the server which name-based virtual host the client is attempting to contact. You can continue to serve your non-secure pages from a name-based virtual host, and begin serving your secure pages from an IP-based virtual host, but because these two hosts will need to have different IP addresses, they’ll also need to have different hostnames, such as www.example.com and secure.example.com. Of course, this will only work properly if you’ve had the foresight to issue a certificate to secure.example.com. If not, and all you’ve got is a certificate issued to www.example.com, then you’ll need to serve both secure and non-secure pages from the same IP-based virtual host.
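The two checks described in this answer, as an added example (not part of the original FAQ): it scans an httpd.conf for SSL virtual hosts, flags any whose ServerName differs from the certificate's common name, and flags any address shared by more than one SSL virtual host. The sample config, hostnames, addresses, file paths and the CERT_CN table are constructed for illustration; the common names are assumed to have been read from each certificate beforehand.

```python
import re

# Constructed sample httpd.conf; hostnames, addresses and paths are placeholders.
SAMPLE_CONF = """
<VirtualHost 192.0.2.10:443>
    ServerName example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/www.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/secure.crt
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName shop.example.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/secure.crt
</VirtualHost>
"""

# Assumed input: each certificate's CN, read with `openssl x509 -noout -subject`.
CERT_CN = {"/etc/ssl/www.crt": "www.example.com",
           "/etc/ssl/secure.crt": "secure.example.com"}

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return the first argument of a directive inside one vhost block."""
    m = re.search(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return m.group(1) if m else None

def audit(conf, cert_cn):
    """Return findings for SSL vhosts: CN mismatches and shared addresses."""
    findings, by_addr = [], {}
    for addr, body in VHOST.findall(conf):
        if (directive(body, "SSLEngine") or "").lower() != "on":
            continue  # only SSL-enabled virtual hosts are checked
        addr, name = addr.strip(), directive(body, "ServerName")
        cn = cert_cn.get(directive(body, "SSLCertificateFile"))
        by_addr.setdefault(addr, []).append(name or "(none)")
        if name is None or cn is None or name.lower() != cn.lower():
            findings.append(f"{addr}: ServerName {name} != certificate CN {cn}")
    for addr, names in by_addr.items():
        if len(names) > 1:  # more than one SSL host on one address
            findings.append(f"{addr}: SSL vhosts share one address: {', '.join(names)}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF, CERT_CN)))
```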

