1. Home
  2. VPS
  3. Using Multiple SSL Certificates in Apache with One IP Address

Using Multiple SSL Certificates in Apache with One IP Address

Rsdaa 10/02/2022 153

About the TLS Extension Server Name Indication (SNI)

When website administrators and IT personnel are restricted to use a single SSL Certificate per socket(combination of IP Address and socket) it can cost a lot of money. This restriction causes them to buy multiple IP addresses for regular https websites from their domain host or buy hardware that allows them to utilize multiple network adapters.

However, with Apache v2.2.12 and OpenSSL v0.9.8j and later you can use a transport layer security (TLS) called SNI. SNI can secure multiple Apache sites using a single SSL Certificate and use multiple SSL Certificates to secure various websites on a single domain (e.g. www.yourdomain.com, site2.yourdomain.com) or across multiple domains (www.domain1.com, www.domain2.com)—all from a single IP address. The benefits of using SNI are obvious—you can secure more websites without purchasing more IP addresses or additional hardware.

Since this is a fairly recent update with Apache, browsers are only recently supporting SNI. Most current major desktopand mobile browsers support SNI. One notable exception is that no versions of Internet Explorer on Windows XP support SNI. For more information on which browsers support SNI, please seeSNI browser support.

To use SNI on Apache, please make sure you complete the instructions on the Apache SSL installation page. Then continue with the steps on this page.

Setting up SNI with Apache

To use additional SSL Certificates on your server you need to create another Virtual Host. As a best practice, we recommend making a backup of your existing .conf file before proceeding. You can create a new Virtual Host in your existing .conf file or you cancreate a new .conf file for the new Virtual Host. If you create a new .conf file, add the following line to your existing .conf file:

Include my_other_site.conf

Next, in the NameVirtualHost directive list your server's public IP address, *:443, or other port you're using for SSL (see example below).

Then point the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the locations of the certificate files for each website as shown below:

NameVirtualHost *:443<VirtualHost *:443> ServerName www.yoursite.com DocumentRoot /var/www/site SSLEngine on SSLCertificateFile /path/to/www_yoursite_com.crt SSLCertificateKeyFile /path/to/www_yoursite_com.key SSLCertificateChainFile /path/to/DigiCertCA.crt<VirtualHost *:443> ServerName www.yoursite2.com DocumentRoot /var/www/site2 SSLEngine on SSLCertificateFile /path/to/www_yoursite2_com.crt SSLCertificateKeyFile /path/to/www_yoursite2_com.key SSLCertificateChainFile /path/to/DigiCertCA.crt

If you have a Wildcard or Multi-Domain SSL Certificate all of the websites using the same certificate need to referencethe same IP address in the VirtualHost IP address:443 section like in the example below:

<VirtualHost 192.168.1.1:443> ServerName www.domain.com DocumentRoot /var/www/ SSLEngine on SSLCertificateFile /path/to/your_domain_name.crt SSLCertificateKeyFile /path/to/your_private.key SSLCertificateChainFile /path/to/DigiCertCA.crt<VirtualHost 192.168.1.1:443> ServerName site2.domain.com DocumentRoot /var/www/site2 SSLEngine on SSLCertificateFile /path/to/your_domain_name.crt SSLCertificateKeyFile /path/to/your_private.key SSLCertificateChainFile /path/to/DigiCertCA.crt

Now restart Apache and access the https site from a browser that supports SNI. If you set it up correctly, you will access the site without any warnings or problems.You can add as many websites or SSL Certificates as you need using the above process.


PREV: Help please. Oculus rift setup prob

NEXT: Fix: Can't Reach Oculus Runtime Service - Appuals.com

Popular Articles

Hot Articles

Navigation Lists

Back to Top