Using Multiple SSL Certificates in Apache with One IP Address

About the TLS Extension Server Name Indication (SNI)

When website administrators and IT personnel are restricted to use a single SSL Certificate per socket (combination of IP Address and socket) it can cost a lot of money. This restriction causes them to buy multiple IP addresses for regular https websites from their domain host or buy hardware that allows them to utilize multiple network adapters.

However, with Apache v2.2.12 and OpenSSL v0.9.8j and later you can use a transport layer security (TLS) called SNI. SNI can secure multiple Apache sites using a single SSL Certificate and use multiple SSL Certificates to secure various websites on a single domain (e.g. www.yourdomain.com, site2.yourdomain.com) or across multiple domains (www.domain1.com, www.domain2.com)—all from a single IP address. The benefits of using SNI are obvious—you can secure more websites without purchasing more IP addresses or additional hardware.

Since this is a fairly recent update with Apache, browsers are only recently supporting SNI. Most current major desktop and mobile browsers support SNI. One notable exception is that no versions of Internet Explorer on Windows XP support SNI. For more information on which browsers support SNI, please see SNI browser support.

To use SNI on Apache, please make sure you complete the instructions on the Apache SSL installation page. Then continue with the steps on this page.

Setting up SNI with Apache

To use additional SSL Certificates on your server you need to create another Virtual Host. As a best practice, we recommend making a backup of your existing .conf file before proceeding. You can create a new Virtual Host in your existing .conf file or you can create a new .conf file for the new Virtual Host. If you create a new .conf file, add the following line to your existing .conf file:

Include my_other_site.conf

Next, in the NameVirtualHost directive list your server’s public IP address, *:443, or other port you’re using for SSL (see example below).

Then point the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the locations of the certificate files for each website as shown below:

NameVirtualHost *:443

<VirtualHost *:443>
 ServerName www.yoursite.com
 DocumentRoot /var/www/site
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

<VirtualHost *:443>
 ServerName www.yoursite2.com
 DocumentRoot /var/www/site2
 SSLEngine on
 SSLCertificateFile /path/to/www_yoursite2_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite2_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

If you have a Wildcard or Multi-Domain SSL Certificate all of the websites using the same certificate need to reference the same IP address in the VirtualHost IP address:443 section like in the example below:

<VirtualHost 192.168.1.1:443>
 ServerName www.domain.com
 DocumentRoot /var/www/
 SSLEngine on
 SSLCertificateFile /path/to/your_domain_name.crt
 SSLCertificateKeyFile /path/to/your_private.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>
<VirtualHost 192.168.1.1:443> ServerName site2.domain.com DocumentRoot /var/www/site2 SSLEngine on SSLCertificateFile /path/to/your_domain_name.crt SSLCertificateKeyFile /path/to/your_private.key SSLCertificateChainFile /path/to/DigiCertCA.crt </VirtualHost>

Now restart Apache and access the https site from a browser that supports SNI. If you set it up correctly, you will access the site without any warnings or problems. You can add as many websites or SSL Certificates as you need using the above process.

Similar Posts