
Use multiple SSL certificates under Apache on the same IP address

SNI (Server Name Indication), an extension of the Transport Layer Security (TLS) standard, allows multiple SSL certificates to be used on one IP address. Because the encrypted connection between server and client is already established before the requested URL (and with it the HTTP Host header) is transmitted, plain SSL / TLS 1.0 without this extension cannot serve multiple domains under one IP address (name-based virtual hosts). The server does not know which certificate it should present, since each certificate applies to only one domain and virtual hosts were not provided for in the original SSL / TLS definition. With SNI, the client sends the requested domain in the server_name extension when the connection is established, so that the server can select the matching certificate and use it for the TLS handshake.

To use multiple SSL certificates under Apache on the same IP address via SNI, you must first obtain an SSL certificate for each of your domains. CAcert is recommended here, a certificate authority that is free of charge and based on mutual trust.

It makes sense to keep the SSL virtual hosts in a separate file, such as /etc/apache2/httpd.conf. There you create a matching virtual host for each desired domain. If a client uses SSL to access a domain for which no SSL certificate exists in your SNI list, Apache always presents the SSL certificate of the first virtual host in the list, and the browser then shows that certificate in its warning message if the name does not match.


The following setting is made in /etc/apache2/httpd.conf:

SSLStrictSNIVHostCheck off

With the check off, a client that sends no SNI name (an older browser) is served by the first virtual host; with it on, such clients are rejected with a 403 error on name-based SSL virtual hosts.

Then create a file for the SSL configuration under /etc/apache2/sites-enabled/ssl:

# Only required with Apache 2.2; Apache 2.4 ignores this directive and logs a warning.
NameVirtualHost *:443

# The first VirtualHost is the default: it also answers clients that send no SNI
# name and requests for names that match no other VirtualHost.
<VirtualHost *:443>
        ServerName www.example1.com
        DocumentRoot /srv/www/project1
        SSLEngine on
        # Private key stored without passphrase so Apache can start unattended
        SSLCertificateKeyFile /etc/ssl-cacert/apache/apache_private1.key.decrypted
        SSLCertificateFile /etc/ssl-cacert/apache/apache_server1.crt
</VirtualHost>

<VirtualHost *:443>
        ServerName www.example2.de
        DocumentRoot /srv/www/project2
        SSLEngine on
        SSLCertificateKeyFile /etc/ssl-cacert/apache/apache_private2.key.decrypted
        SSLCertificateFile /etc/ssl-cacert/apache/apache_server2.crt
</VirtualHost>

The new VirtualHost configuration still needs to be activated:

a2ensite ssl

Now restart the Apache server with "force-reload":

systemctl force-reload apache2
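To confirm the setup behaves as described above, here is an added check script (not part of the original tutorial): it connects to the server IP once per SNI name and once without SNI, extracts the names from the certificate Apache presents, and reports whether they cover the requested host. The server IP, the script name sni-check.sh and an OpenSSL 1.1.1 or newer client are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: show which certificate
# Apache hands out for each SNI name, and which one a client that sends no
# SNI receives (the tutorial says it is the first VirtualHost's certificate).
# Assumes OpenSSL 1.1.1 or newer on the client (for -ext and -noservername).
set -uf

# name_matches HOST NAME...: succeed if HOST is covered by one of the NAMEs.
# A leading "*." wildcard covers exactly one label: *.example1.com matches
# www.example1.com, but neither example1.com nor a.b.example1.com.
name_matches() {
    host=$1; shift
    for n in "$@"; do
        case "$n" in
            \*.*) suffix=${n#\*.}
                  [ "${host#*.}" = "$suffix" ] && [ "${host%%.*}" != "$host" ] && return 0 ;;
            *)    [ "$n" = "$host" ] && return 0 ;;
        esac
    done
    return 1
}

# cert_names: read a PEM certificate on stdin, print its CN and DNS SANs.
cert_names() {
    out=$(openssl x509 -noout -subject -ext subjectAltName 2>/dev/null)
    printf '%s\n' "$out" | grep -o 'CN *= *[^,/]*' | sed 's/CN *= *//'
    printf '%s\n' "$out" | grep -o 'DNS:[^, ]*' | cut -d: -f2
}

# probe IP HOST [SNI]: connect to IP:443 sending SNI (default: HOST; an empty
# string sends no SNI at all) and report whether the served cert covers HOST.
probe() {
    ip=$1; host=$2; sni=${3-$2}
    if [ -n "$sni" ]; then opt="-servername $sni"; else opt=-noservername; fi
    names=$(openssl s_client -connect "$ip:443" $opt </dev/null 2>/dev/null |
            openssl x509 2>/dev/null | cert_names | sort -u | tr '\n' ' ')
    if name_matches "$host" $names; then
        echo "OK   sni='$sni' -> certificate names: $names"
    else
        echo "FAIL sni='$sni' -> certificate names: $names(does not cover $host)"; return 1
    fi
}

# Usage: sh sni-check.sh SERVER_IP www.example1.com www.example2.de
if [ $# -ge 2 ]; then
    ip=$1; shift
    for h in "$@"; do probe "$ip" "$h"; done
    echo "--- client without SNI (expect the first VirtualHost's certificate):"
    probe "$ip" "$1" ""
fi
```

The probes only run when arguments are given, so the functions can also be sourced from another script.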