How To Set Up Multiple SSL Host With A Single Apache Server

serverHTTPComputer Network

In this article, we will show you how to set up multiple SSL Certificates on a CentOS with Apache using a single IP address only. In general, a website administrator is restricted to use a single SSL Certificate per socket with an IP which will cost a lot of investment to the company. This restriction may lead them to buy multiple IP addresses for HTTP’s websites for their domain hosting or buy hardware that allows them to utilize multiple network adapters.

This is allowed by an extension to the SSL protocol called Server Name Indication (SNI). Most current desktops and mobile web browsers support SNI. The main benefit of using SNI is the ability to secure multiple websites without purchasing more IP addresses.

Configuration

Make sure the mod_ssl security module is installed and enabled so the Apache web server can use the OpenSSL library and toolkit:

# yum install mod_ssl openssl

Execute the Below Commands

# mkdir -p /etc/httpd/ssl/
# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
# cd /etc/httpd/ssl/

Generating SSL Certificate Signing Requesting Files for your Domains

# openssl genrsa -out mydomain1.key 2048
# openssl req -new -key mydomain1.key -out mydomain1.csr
# openssl genrsa -out domain2.key 2048
# openssl req -new -key mydomain2.key -out mydomain2.csr
Enter the following details for your certificates:
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Telengana
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mydomain1.com
Organizational Unit Name (eg, section) []:mydomain.com
Common Name (e.g. server FQDN or YOUR name) []:mydomain1.com
Email Address []:sslcertificate@domain1.com

It is recommended to install commercial SSL certificates when we are deploying in a production environment. Or, we just generate self-signed SSL certificate which is used for development purpose or staging a website using the below commands

# openssl x509 -req -days 365 -in mydomain1.csr -signkey mydomain1.key -out domain1.crt
# openssl x509 -req -days 365 -in mydomain2.csr -signkey mydomain2.key -out mydomain2.crt

Editing the ‘ssl.conf’ Apache Configuration File

# vi /etc/httpd/conf.d/ssl.conf
LoadModule ssl_module modules/mod_ssl.so
Listen 443
NameVirtualHost *:443
   SSLPassPhraseDialog builtin
   SSLSessionCacheTimeout 300
   SSLMutex default
   SSLRandomSeed startup file:/dev/urandom 256
   SSLRandomSeed connect builtin
   SSLCryptoDevice builtin
   SSLStrictSNIVHostCheck off
<VirtualHost *:443>
   DocumentRoot /var/www/html/mydomain1
   ServerName mydomain1.com
   ServerAlias www.mydomain1.com
   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
   SSLCertificateFile /etc/httpd/ssl/mydomain1.cr
   SSLCertificateKeyFile /etc/httpd/ssl/mydomain1.key
   ErrorLog logs/ssl_error_log
   TransferLog logs/ssl_access_log
   LogLevel warn
   <Files ~ "\.(cgi|shtml|phtml|php3?)$">
   SSLOptions +StdEnvVars
   </Files>
   SetEnvIf User-Agent ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   downgrade-1.0 force-response-1.0
   CustomLog logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
<VirtualHost *:443>
   DocumentRoot /var/www/html/mydomain2
   ServerName mydomain2.com
   ServerAlias www.mydomain2.com
   SSLEngine on
   SSLProtocol all -SSLv2
   SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
   SSLCertificateFile /etc/httpd/ssl/mydomain2.crt
   SSLCertificateKeyFile /etc/httpd/ssl/mydomain2.key
   ErrorLog logs/ssl_error_log
   TransferLog logs/ssl_access_log
   LogLevel warn
   <Files ~ "\.(cgi|shtml|phtml|php3?)$">
   SSLOptions +StdEnvVars
   </Files>
   SetEnvIf User-Agent ".*MSIE.*" \
   nokeepalive ssl-unclean-shutdown \
   Downgrade-1.0 force-response-1.0
   CustomLog logs/ssl_request_log \
   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

When we are using a commercial SSL certificate, it is likely that, the signing authority will include an intermediate CA certificate. In that case, we create a new ‘/etc/httpd/ssl/ca.crt’ file and paste the contents of the Intermediate CA into it, then we needed to edit the ‘ssl.conf’ configuration file and uncomment the following line.

SSLCertificateChainFile /etc/httpd/ssl/ca.crt

So the Apache web server can find your CA certificate.

Test the Apache configuration

# /etc/init.d/httpd configtest
Syntax OK

Restart the Apache service for the changes to take effect

# service httpd restart

Open https://mydomain1.com and https://mymydomain2.com in your favorite web browser and verify that SSL certificates are installed correctly.

After this setup and restarting Apache, you can access http’s site with a browser that supports SNI. If you have setup correctly, then you will be able to access the site without any warnings or problems. You can add as many as websites or SSL Certificates as you need to use the above process.

raja
Published on 20-Jan-2020 15:37:35
Advertisements