Multiple SSL Web Sites On One IP Address With Apache (SNI)
Author: support | Article Reference Number: AA-04976
How? Why? What?

To serve multiple SSL certificates from a single IP address we need to use SNI. Server Name Indication (SNI) is an extension to the SSL and TLS protocols in which the client indicates, at the start of the handshake, which hostname it is attempting to connect to. This allows a server to present multiple certificates on the same IP address and port number, and hence to serve multiple secure (HTTPS) websites from the same IP address without requiring all of those sites to use the same certificate. It is the conceptual equivalent of HTTP/1.1 name-based virtual hosting for HTTPS.

For SNI to be practical, the vast majority of users must use web browsers that support it. Users whose browsers do not support SNI will be presented with the default certificate and are therefore likely to receive certificate warnings.

As of November 2012, the only major user bases whose browsers do not support SNI appear to be users of Internet Explorer 8 or below on Windows XP, versions of Java before 1.7 on any operating system, and some default mobile browsers.

mod_gnutls Method

Installing and Configuring

First we need to install mod_gnutls:

apt-get install libapache2-mod-gnutls


Now we need to disable mod_ssl if it is not already disabled:

a2dismod ssl


Now we enable mod_gnutls:

a2enmod gnutls


Enable Apache to listen on port 443:

vi /etc/apache2/ports.conf


Make sure the following information is present in the ports.conf file:

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>


Comment out the following mod_ssl section:

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>


Close and save the ports.conf file. Finally, we create an ssl.conf file at /etc/apache2/ssl.conf:

vi /etc/apache2/ssl.conf


Add the following vhost information, modifying the listed values (IP address, ServerName, certificate and key paths, DocumentRoot) as needed to reflect your actual domain names:

NameVirtualHost xx.yy.zz.kk:443

<VirtualHost xx.yy.zz.kk:443>
    ServerName secure.domain1.com:443
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/apache2/ssl-certs/secure.domain1.com.crt
    GnuTLSKeyFile /etc/apache2/ssl-certs/secure.domain1.com.key
    GnuTLSPriorities NORMAL
    DocumentRoot /web/www1
</VirtualHost>

<VirtualHost xx.yy.zz.kk:443>
    ServerName secure.domain2.com:443
    GnuTLSEnable on
    GnuTLSCertificateFile /etc/apache2/ssl-certs/secure.domain2.com.crt
    GnuTLSKeyFile /etc/apache2/ssl-certs/secure.domain2.com.key
    GnuTLSPriorities NORMAL
    DocumentRoot /web/www2
</VirtualHost>


Now that the SSL vhosts are defined in the newly created ssl.conf file, add a line to your apache2.conf file:

Include "/etc/apache2/ssl.conf"

Now that the ssl.conf file is included, make sure your .key and .crt files are in the locations given by GnuTLSKeyFile and GnuTLSCertificateFile, and restart apache2:

/etc/init.d/apache2 restart
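Once Apache is back up, the deployment can be checked from a client. The following script is an added example and not part of the original article: it handshakes with the shared IP once per hostname with SNI, and once with no SNI at all, and compares the certificate the server presents against the .crt file configured for that vhost (hostnames and paths are the ones from the ssl.conf above; the IP is a placeholder).

```python
import hashlib
import socket
import ssl


def presented_cert_der(ip, sni_name, port=443, timeout=5):
    """Return the DER leaf certificate the server presents for sni_name
    (None = send no SNI, like an old client). Verification is disabled on
    purpose: we want to see whatever the server chose to present."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert(binary_form=True)


def load_expected_der(crt_path):
    """Read the PEM file named by GnuTLSCertificateFile as DER bytes."""
    with open(crt_path) as f:
        return ssl.PEM_cert_to_DER_cert(f.read())


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def check_vhosts(ip, expected, fetch=presented_cert_der):
    """expected maps hostname -> DER bytes that vhost must serve. Returns
    {hostname: (ok, presented_fingerprint)}. The key None records the
    default certificate a client without SNI receives; it is "ok" only if
    it is one of the configured certificates (such clients still get a
    name-mismatch warning for every site other than the default one)."""
    results = {}
    for host, want in expected.items():
        got = fetch(ip, host)
        results[host] = (got == want, fingerprint(got))
    default = fetch(ip, None)
    results[None] = (default in expected.values(), fingerprint(default))
    return results


if __name__ == "__main__":
    # Hostnames and .crt paths come from the ssl.conf above; the IP is a placeholder.
    SERVER_IP = "xx.yy.zz.kk"
    hosts = ("secure.domain1.com", "secure.domain2.com")
    expected = {h: load_expected_der(f"/etc/apache2/ssl-certs/{h}.crt") for h in hosts}
    for host, (ok, fp) in check_vhosts(SERVER_IP, expected).items():
        print(f"{host or '(no SNI)':>20}: {'OK ' if ok else 'BAD'} sha256={fp}")
```

A BAD line for a hostname means the wrong certificate is being chosen for that SNI name, which is what a visitor's browser warning would show; run it again after any change to ssl.conf.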