How To Set Up Multiple SSL Hosts With A Single Apache Server

In this article, we will show you how to set up multiple SSL certificates on a CentOS server with Apache using a single IP address. Traditionally, website administrators were restricted to using one SSL certificate per IP address, which required purchasing multiple IP addresses for HTTPS websites or additional hardware with multiple network adapters.

This limitation is overcome by an extension to the SSL/TLS protocol called Server Name Indication (SNI), in which the client names the host it wants during the handshake so the server can pick the matching certificate. Most modern desktop and mobile web browsers support SNI, allowing you to secure multiple websites without purchasing additional IP addresses.

[Figure: Multiple SSL Certificates with SNI. A client request reaches one Apache server (single IP + SNI) serving domain1.com, domain2.com and domain3.com.]

Prerequisites

Make sure the mod_ssl security module is installed and enabled so the Apache web server can use the OpenSSL library and toolkit:

# yum install mod_ssl openssl

Setting Up SSL Directory Structure

Create the necessary directory structure for SSL certificates and back up the default configuration:

# mkdir -p /etc/httpd/ssl/
# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
# cd /etc/httpd/ssl/

Generating SSL Certificates

Creating Certificate Signing Requests

Generate private keys and certificate signing requests (CSRs) for your domains:

# openssl genrsa -out mydomain1.key 2048
# openssl req -new -key mydomain1.key -out mydomain1.csr
# openssl genrsa -out mydomain2.key 2048
# openssl req -new -key mydomain2.key -out mydomain2.csr

When prompted, enter the certificate details:

Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:San Francisco
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mydomain1.com
Organizational Unit Name (eg, section) []:IT Department
Common Name (e.g. server FQDN or YOUR name) []:mydomain1.com
Email Address []:admin@mydomain1.com

Creating Self-Signed Certificates

For development or testing purposes, generate self-signed certificates. For production environments, use commercial SSL certificates from a trusted Certificate Authority:

# openssl x509 -req -days 365 -in mydomain1.csr -signkey mydomain1.key -out mydomain1.crt
# openssl x509 -req -days 365 -in mydomain2.csr -signkey mydomain2.key -out mydomain2.crt
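
The interactive prompts above set only the Common Name, while current browsers match the hostname against the certificate's subjectAltName. As an added example (not part of the original article), this helper builds the same self-signed certificate non-interactively with a SAN for the domain and its www alias and keeps the private key readable by its owner only; the names make_selfsigned and has_san and the .ext file are assumptions.

```shell
#!/bin/sh
# Added example: make_selfsigned and has_san are hypothetical helpers.
# Usage: make_selfsigned NAME DIR   e.g. make_selfsigned mydomain1.com /etc/httpd/ssl
make_selfsigned() {
    name=$1
    dir=$2
    ext="$dir/$name.ext"

    # Extension file: the names the certificate is valid for (the domain and
    # its www alias, matching ServerName and ServerAlias in the virtual host).
    printf 'subjectAltName=DNS:%s,DNS:www.%s\n' "$name" "$name" > "$ext" || return 1

    # Private key, created under a restrictive umask so only the owner can read it.
    ( umask 077 && openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null ) || return 1

    # CSR with the subject given on the command line instead of the prompts.
    openssl req -new -key "$dir/$name.key" \
        -subj "/C=US/ST=California/L=San Francisco/O=$name/CN=$name" \
        -out "$dir/$name.csr" || return 1

    # Self-sign for 365 days, taking the SAN from the extension file.
    openssl x509 -req -days 365 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
        -extfile "$ext" -out "$dir/$name.crt" 2>/dev/null
}

# has_san CERT NAME: succeed if CERT lists NAME as a DNS subjectAltName.
has_san() {
    openssl x509 -in "$1" -noout -text | grep -Eq "DNS:$2(,|\$)"
}

# Run only when called with NAME and DIR arguments.
if [ "$#" -eq 2 ]; then
    make_selfsigned "$1" "$2" && has_san "$2/$1.crt" "$1" && echo "created $2/$1.crt"
fi
```

A CSR sent to a commercial CA needs the names in the request itself; this helper adds them only at signing time.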

Configuring Apache SSL Virtual Hosts

Create the SSL configuration file with multiple virtual hosts:

# vi /etc/httpd/conf.d/ssl.conf

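LoadModule ssl_module modules/mod_ssl.so
Listen 443
# Needed on Apache 2.2 only; Apache 2.4 ignores it and logs a warning
NameVirtualHost *:443

SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300
# Apache 2.4 replaced the SSLMutex directive with Mutex
Mutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# off: clients that send no SNI are served by the first virtual host below
SSLStrictSNIVHostCheck off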

<VirtualHost *:443>
    DocumentRoot /var/www/html/mydomain1
    ServerName mydomain1.com
    ServerAlias www.mydomain1.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!ADH:!AECDH:!MD5
    SSLCertificateFile /etc/httpd/ssl/mydomain1.crt
    SSLCertificateKeyFile /etc/httpd/ssl/mydomain1.key
    ErrorLog logs/mydomain1_ssl_error_log
    TransferLog logs/mydomain1_ssl_access_log
    LogLevel warn
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/html/mydomain2
    ServerName mydomain2.com
    ServerAlias www.mydomain2.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE+AESGCM:ECDHE+AES256:ECDHE+AES128:!ADH:!AECDH:!MD5
    SSLCertificateFile /etc/httpd/ssl/mydomain2.crt
    SSLCertificateKeyFile /etc/httpd/ssl/mydomain2.key
    ErrorLog logs/mydomain2_ssl_error_log
    TransferLog logs/mydomain2_ssl_access_log
    LogLevel warn
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
</VirtualHost>

Adding Intermediate Certificate Chain

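When using commercial SSL certificates, you may need to include an intermediate CA certificate so that clients can build the chain to a trusted root. Save the intermediate certificate supplied by your CA to a file and add the following line to your virtual host configuration. From Apache 2.4.8 onward this directive is deprecated, and the intermediate certificates are appended to the file named by SSLCertificateFile instead: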

SSLCertificateChainFile /etc/httpd/ssl/ca.crt

Testing and Deployment

Test the Apache configuration for syntax errors:

# httpd -t
Syntax OK

Restart the Apache service to apply the changes:

# systemctl restart httpd

Open https://mydomain1.com and https://mydomain2.com in your web browser to verify that the SSL certificates are installed correctly. You can add as many SSL certificates as needed using this same process.
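
A browser check can hide a misrouted name, because Apache serves a request whose name matches no virtual host from the first one. The following added example (not from the original article) asks the server for each name over SNI and checks the returned certificate against that name; the function names and the 127.0.0.1:443 address in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helpers for checking SNI certificate selection.
# Usage: sh check_sni.sh 127.0.0.1:443 mydomain1.com mydomain2.com

# cert_matches NAME: read a PEM certificate on stdin, succeed if it is valid for NAME.
cert_matches() {
    openssl x509 -noout -checkhost "$1" 2>/dev/null |
        grep -q 'does match certificate'
}

# fetch_cert ADDR NAME: print the certificate that ADDR (host:port) serves
# when the client sends NAME in the SNI extension.
fetch_cert() {
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -outform PEM 2>/dev/null
}

# check_sni ADDR NAME...: report, per name, whether the served certificate covers it.
# Returns non-zero if any name received a wrong certificate or none at all.
check_sni() {
    addr=$1
    shift
    rc=0
    for name in "$@"; do
        if fetch_cert "$addr" "$name" | cert_matches "$name"; then
            echo "OK   $name"
        else
            echo "FAIL $name (wrong or missing certificate)"
            rc=1
        fi
    done
    return $rc
}

# Run only when called with an address and at least one name.
if [ "$#" -ge 2 ]; then
    check_sni "$@"
fi
```

Self-signed certificates pass this check as long as the name matches, since it tests certificate selection and not trust.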

Conclusion

Server Name Indication (SNI) enables hosting multiple SSL certificates on a single Apache server with one IP address. This approach significantly reduces infrastructure costs while providing secure HTTPS connections for multiple domains through proper virtual host configuration.

Updated on: 2026-03-16T23:36:12+05:30
