Introduction
In this tutorial we will explain how to use multiple SSL certificates with one single IP address.
This technique allows Apache administrators to set up different websites served over HTTPS on a single IP address. As a result, users no longer need to purchase several IP addresses or different servers to host multiple secured sites. To accomplish this, make sure you are using Apache v2.2.12 and OpenSSL v0.9.8 or later. You can then use a Transport Layer Security (TLS) extension called Server Name Indication (SNI): the client states the server name it is requesting during the handshake, and the server sends back the certificate that matches that name.
Notes:
This is a recently updated implementation in Apache; some older browsers do not provide SNI support.
The steps in this tutorial require the user to have root privileges. We will also assume Apache has been installed and properly configured.
As a precaution, make a backup of your current httpd.conf file before making any modifications. You then have two options for making the necessary adjustments: first, modify the httpd.conf file directly; or second, create a new .conf file and reference it in the original httpd.conf.
If you opt for creating a separate .conf file for the new Virtual Host, add the following line to the current httpd.conf file:
Include the_new_file.conf
For the rest of this tutorial we will make the necessary modifications in the current httpd.conf file.
Create a new Virtual Host
In the VirtualHost directive you should specify your VPS/Server's IP address. Remember, for the SSL protocol you will be using 443 as the default port. You can set a different number if you need to:
NameVirtualHost MY_SERVER_PUBLIC_IP:443

# First site
<VirtualHost MY_SERVER_PUBLIC_IP:443>
    ServerAdmin [email protected]
    DocumentRoot /home/me/html/site1
    ServerName mysite1.com
    ServerAlias www.mysite1.com
    SSLEngine on
    SSLCertificateFile /home/me/html/site1/ssl/mysite1_com.crt
    SSLCertificateKeyFile /home/me/html/site1/ssl/mysite1_com.key
    SSLCACertificateFile /home/me/html/site1/ssl/CA_bundle1.crt
    <Directory "/home/me/html/site1/">
        Order deny,allow
        Deny from all
        Allow from all
        Options -Indexes
    </Directory>
</VirtualHost>

# Second site
<VirtualHost MY_SERVER_PUBLIC_IP:443>
    ServerAdmin [email protected]
    DocumentRoot /home/me/html/site2
    ServerName mysite2.com
    ServerAlias www.mysite2.com
    SSLEngine on
    SSLCertificateFile /home/me/html/site2/ssl/mysite2_com.crt
    SSLCertificateKeyFile /home/me/html/site2/ssl/mysite2_com.key
    SSLCACertificateFile /home/me/html/site2/ssl/CA_bundle2.crt
    <Directory "/home/me/html/site2">
        Order deny,allow
        Deny from all
        Allow from all
        Options -Indexes
    </Directory>
</VirtualHost>
This configuration assumes you have copied the necessary certificates and corresponding key files to the /home/me/html/site1/ssl directory.
Now, Apache will serve site1 and site2 and send the corresponding SSL certificate according to the requested server name.
With this process you can add as many individual websites and SSL certificates as you need. It will also work for Wildcard or UC certificates when several websites use the same certificate and public IP address.
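A static check worth running on the configuration above before restarting Apache, as an added example rather than part of the original tutorial: it flags blocks that share a ServerName on the same address, blocks with SSLEngine on but no certificate, and private keys stored under the DocumentRoot, where Apache can serve them like any other file unless access to that path is denied. The function names and the sample text are constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed sample: block 1 mirrors the tutorial; block 2 has deliberate mistakes.
SAMPLE_CONF = """\
<VirtualHost MY_SERVER_PUBLIC_IP:443>
    DocumentRoot /home/me/html/site1
    ServerName mysite1.com
    SSLEngine on
    SSLCertificateFile /home/me/html/site1/ssl/mysite1_com.crt
    SSLCertificateKeyFile /home/me/html/site1/ssl/mysite1_com.key
</VirtualHost>
<VirtualHost MY_SERVER_PUBLIC_IP:443>
    ServerName mysite1.com
    SSLEngine on
</VirtualHost>
"""

def parse_vhosts(conf_text):
    """Return one {lowercased directive: value} dict per <VirtualHost> block."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.lower().startswith("<virtualhost"):
            current = {"_addr": line[len("<VirtualHost"):].rstrip(">").strip()}
        elif line.lower().startswith("</virtualhost") and current is not None:
            vhosts.append(current)
            current = None
        elif current is not None and line and line[0] not in "<#":
            name, _, value = line.replace("\t", " ").partition(" ")
            current[name.lower()] = value.strip().strip('"')
    return vhosts

def audit(conf_text):
    """Return (ServerName, problem) tuples for mistakes that break SNI hosting."""
    findings, seen = [], set()
    for vh in parse_vhosts(conf_text):
        name = vh.get("servername", "<missing>")
        if (vh["_addr"], name.lower()) in seen:  # Apache serves the first match
            findings.append((name, "duplicate ServerName on the same address"))
        seen.add((vh["_addr"], name.lower()))
        if vh.get("sslengine", "").lower() == "on" and "sslcertificatefile" not in vh:
            findings.append((name, "SSLEngine on without SSLCertificateFile"))
        key, root = vh.get("sslcertificatekeyfile"), vh.get("documentroot")
        if key and root and PurePosixPath(root) in PurePosixPath(key).parents:
            findings.append((name, "private key is inside DocumentRoot"))
    return findings

if __name__ == "__main__":
    print("\n".join(f"{n}: {p}" for n, p in audit(SAMPLE_CONF)))
```

To check a real file, pass its contents to `audit()`; the parser only reads the directives named above and ignores `Include`d files.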
Apply the changes
Now you need to restart Apache for the changes to take effect.
service httpd restart
If you did it correctly you should be able to access site1 and site2 without any problems or warnings from any SNI compatible web browser.
Thank you!