How To Set Up Multiple SSL Hosts With A Single Apache Server


In this article, we will show you how to set up multiple SSL certificates on a CentOS server running Apache using only a single IP address. Traditionally, a website administrator is restricted to one SSL certificate per socket (IP address and port), which becomes a costly investment for the company: it forces them to buy an additional IP address for every HTTPS website they host, or hardware that lets them run multiple network adapters.

Serving several certificates from one address is made possible by an extension to the SSL/TLS protocol called Server Name Indication (SNI): the browser sends the host name it wants at the start of the TLS handshake, so the server can pick the matching certificate before any HTTP request is seen. Most current desktop and mobile web browsers support SNI. The main benefit of using SNI is the ability to secure multiple websites without purchasing more IP addresses.

Configuration

Make sure the mod_ssl module and the OpenSSL package are installed so the Apache web server can use the OpenSSL library and toolkit:

# yum install mod_ssl openssl

Create a directory for the certificates and move the stock ssl.conf aside, so that you can write your own:

# mkdir -p /etc/httpd/ssl/
# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
# cd /etc/httpd/ssl/

Generating Certificate Signing Request (CSR) Files for your Domains

# openssl genrsa -out mydomain1.key 2048
# openssl req -new -key mydomain1.key -out mydomain1.csr
# openssl genrsa -out mydomain2.key 2048
# openssl req -new -key mydomain2.key -out mydomain2.csr
Enter the following details for each certificate (shown here for mydomain1.com; repeat with the second domain's own Common Name for mydomain2.com):
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Telengana
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mydomain1.com
Organizational Unit Name (eg, section) []:mydomain.com
Common Name (e.g. server FQDN or YOUR name) []:mydomain1.com
Email Address []:sslcertificate@domain1.com

It is recommended to install commercial (CA-signed) SSL certificates when deploying in a production environment. For development or staging, generate self-signed certificates from the CSRs with the commands below:

# openssl x509 -req -days 365 -in mydomain1.csr -signkey mydomain1.key -out mydomain1.crt
# openssl x509 -req -days 365 -in mydomain2.csr -signkey mydomain2.key -out mydomain2.crt
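The four openssl commands above are repeated once per domain, so they generalise naturally to a loop. The following shell script is an added example, not code from the original article: for each site it generates the key, the CSR and a self-signed certificate non-interactively, adds subjectAltName entries for the bare and www host names, and then checks that the private key really belongs to the certificate. It assumes only the openssl CLI on PATH; the function names, the DN values and the domain names are constructed sample values mirroring the article's prompts.

```shell
#!/bin/sh
# Added example (not from the original article): generate key, CSR and self-signed
# certificate for each site without interactive prompts, then verify the result.
# Assumes the openssl CLI is on PATH. Domain names and DN fields are constructed samples.
set -eu

# make_site_cert DOMAIN OUTDIR [DAYS]
# Produces OUTDIR/DOMAIN.key, OUTDIR/DOMAIN.csr and OUTDIR/DOMAIN.crt.
# The certificate carries DOMAIN and www.DOMAIN as subjectAltName entries, which is
# what browsers match the SNI host name against (the CN alone is not enough for
# current clients).
make_site_cert() {
    domain=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    # -subj replaces the interactive prompts shown in the article
    subj="/C=IN/ST=Telengana/L=Hyderabad/O=$domain/CN=$domain"
    openssl genrsa -out "$outdir/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$outdir/$domain.key" -subj "$subj" -out "$outdir/$domain.csr" 2>/dev/null
    # extension file for the signing step: x509 -req does not copy extensions from the CSR
    printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$domain" "$domain" > "$outdir/$domain.ext"
    openssl x509 -req -days "$days" -in "$outdir/$domain.csr" -signkey "$outdir/$domain.key" \
        -extfile "$outdir/$domain.ext" -out "$outdir/$domain.crt" 2>/dev/null
}

# cert_cn CRT : print the Common Name (handles both the 1.0.x "/CN=" and the 1.1+/3.x
# "CN = " subject formats)
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# cert_sans CRT : print the subjectAltName list, e.g. "DNS:a.com,DNS:www.a.com"
cert_sans() {
    openssl x509 -noout -text -in "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# key_matches_cert KEY CRT : succeed when the private key belongs to the certificate
# (compares the RSA modulus of both; a mismatch makes httpd refuse to start)
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 1
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Demo in a throw-away directory: each site from the article gets its own files.
demo_dir=$(mktemp -d)
for d in mydomain1.com mydomain2.com; do
    make_site_cert "$d" "$demo_dir" 365
    echo "$d: CN=$(cert_cn "$demo_dir/$d.crt") SAN=$(cert_sans "$demo_dir/$d.crt")"
    key_matches_cert "$demo_dir/$d.key" "$demo_dir/$d.crt" && echo "$d: key and certificate match"
done
rm -rf "$demo_dir"
```

The -subj argument replaces the interactive prompts, which is what you want when the script runs unattended. The subjectAltName extension matters because Chrome and other current clients ignore the CN and match the SNI host name only against the SAN list, so a certificate that carries a CN alone still triggers a browser warning even when the vhost is otherwise correct.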

Editing the ‘ssl.conf’ Apache Configuration File

# vi /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
NameVirtualHost *:443
     SSLPassPhraseDialog  builtin
     SSLSessionCacheTimeout  300
     SSLMutex default
     SSLRandomSeed startup file:/dev/urandom  256
     SSLRandomSeed connect builtin
     SSLCryptoDevice builtin
     SSLStrictSNIVHostCheck off
<VirtualHost *:443>
      DocumentRoot /var/www/html/mydomain1
      ServerName mydomain1.com
      ServerAlias www.mydomain1.com
      SSLEngine on
      SSLProtocol all -SSLv2
      SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
      SSLCertificateFile /etc/httpd/ssl/mydomain1.crt
      SSLCertificateKeyFile /etc/httpd/ssl/mydomain1.key
      ErrorLog logs/ssl_error_log
      TransferLog logs/ssl_access_log
      LogLevel warn
      <Files ~ "\.(cgi|shtml|phtml|php3?)$">
               SSLOptions +StdEnvVars
      </Files>
      SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
      CustomLog logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost *:443>
      DocumentRoot /var/www/html/mydomain2
      ServerName mydomain2.com
      ServerAlias www.mydomain2.com
      SSLEngine on
      SSLProtocol all -SSLv2
      SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
      SSLCertificateFile /etc/httpd/ssl/mydomain2.crt
      SSLCertificateKeyFile /etc/httpd/ssl/mydomain2.key
      ErrorLog logs/ssl_error_log
      TransferLog logs/ssl_access_log
      LogLevel warn
      <Files ~ "\.(cgi|shtml|phtml|php3?)$">
           SSLOptions +StdEnvVars
      </Files>
      SetEnvIf User-Agent ".*MSIE.*" \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0
      CustomLog logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

When using a commercial SSL certificate, the signing authority will usually also supply an intermediate CA certificate. In that case, create a new ‘/etc/httpd/ssl/ca.crt’ file, paste the contents of the intermediate CA certificate into it, and then edit the ‘ssl.conf’ configuration file so that each <VirtualHost> block contains the following line (add it, or uncomment it if your copy of ssl.conf already carries it commented out):

SSLCertificateChainFile /etc/httpd/ssl/ca.crt

This tells the Apache web server where to find the intermediate CA certificate so that it sends the complete chain to clients along with the server certificate.

Test the Apache configuration

# /etc/init.d/httpd configtest
Syntax OK

Restart the Apache service for the changes to take effect:

# service httpd restart

Open https://mydomain1.com and https://mydomain2.com in your web browser and verify that the SSL certificates are installed correctly.

After this setup and the Apache restart, you can access the HTTPS sites with any browser that supports SNI. If everything is set up correctly, you will be able to reach each site without warnings or errors. You can add as many websites or SSL certificates as you need by repeating the above process.
