I need someone to explain, in terms even I can understand, exactly
what my requirements for licensing are in order to setup a secure
server. I've read and read and searched and searched, and am
perfectly willing to concede that it's lack of gray matter hindering
me from finding the answers. Be that as it may, I really, really need
answers, so I'm hoping this will help.
First, a brief synopsis of what I'm trying to do, then my questions:
I am currently running Apache 1.3.4 with some virtual servers on a
Linux box. Working great, no problems. I want to do some e-commerce
on some (not all) of those virtual hosts, which means I want SSL so
that I can take credit card orders and give the customer a warm fuzzy
about his "security" in the transaction.
So far so good. However, being the gotta-meddle-with-the-code kinda
person I am, I really, really want to build my own server. I don't
want to buy Stronghold or RedHat's Secure Server; I want to build my
own. But since I'm in the U.S., my understanding is sort of that it's
worse than pulling teeth to try to handle licensing directly with RSA,
and that's why you pay these folks for a secure server.
So, my questions are these:
1) Is it possible and feasible and practical to roll my own server
from Apache1.3.4+mod_ssl+SSLeay+RSARef and use it for commercial
purposes for multiple hosts (sort of like an ISP, except that we're
not an ISP exactly)? Is it really more trouble than any sane person
would ever want to get into?
2) If I buy the secure module from http://raven.covalent.com, which
includes a license from RSA, and build Apache with it, may I host
multiple secure servers on that one Apache installation without
getting into hot water?
3) Likewise, if I buy a single copy of Stronghold, or Redhat's secure
server, can I run virtual hosts and have multiple sites doing secure
commerce on that one server without violating some bizarre license
agreement that I probably wouldn't understand anyway?
4) If I purchase a certificate (or receive one as part of a package,
as with Stronghold or RSS), may I use that same certificate for all my
virtual hosts, or does each entity need his own certificate? Or is
that my choice whether I let them all piggyback on my certificate?
5) If I have to buy a secure Apache server pre-built, why would I pay
near 10 times as much for Stronghold as for Redhat's Secure Server?
Is there that much difference between them?
Thanks for any and all help, pointers, info, etc., that anyone can
C/Linux/Email/Samba/Web guy for rent
"The web goes ever, ever on, down from the site where it began..."