About the TLS Extension Server Name Indication (SNI)
When website administrators and IT personnel are restricted to use a single SSL Certificate per socket (combination of IP Address and socket) it can cost a lot of money. This restriction causes them to buy multiple IP addresses for regular https websites from their domain host or buy hardware that allows them to utilize multiple network adapters.
However, with Apache v2.2.12 and OpenSSL v0.9.8j and later you can use a transport layer security (TLS) called SNI. SNI can secure multiple Apache sites using a single SSL Certificate and use multiple SSL Certificates to secure various websites on a single domain (e.g. www.yourdomain.com, site2.yourdomain.com) or across multiple domains (www.domain1.com, www.domain2.com)—all from a single IP address. The benefits of using SNI are obvious—you can secure more websites without purchasing more IP addresses or additional hardware.
Since this is a fairly recent update with Apache, browsers are only recently supporting SNI. Most current major desktop and mobile browsers support SNI. One notable exception is that no versions of Internet Explorer on Windows XP support SNI.
Setting up SNI with Apache
To use additional SSL Certificates on your server you need to create another Virtual Host. As a best practice, we recommend making a backup of your existing .conf file before proceeding. You can create a new Virtual Host in your existing .conf file or you can create a new .conf file for the new Virtual Host. If you create a new .conf file, add the following line to your existing .conf file:
Next, in the NameVirtualHost directive list your server’s public IP address, *:443, or other port you’re using for SSL (see example below).
Then point the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the locations of the certificate files for each website as shown below:
<namevirtualhost *:443> <virtualhost *:443> ServerName www.yoursite.com DocumentRoot /var/www/site SSLEngine on SSLCertificateFile /path/to/www_yoursite_com.crt SSLCertificateKeyFile /path/to/www_yoursite_com.key SSLCertificateChainFile /path/to/CA_CERT.crt </virtualhost> <virtualhost *:443> ServerName www.yoursite2.com DocumentRoot /var/www/site2 SSLEngine on SSLCertificateFile /path/to/www_yoursite2_com.crt SSLCertificateKeyFile /path/to/www_yoursite2_com.key SSLCertificateChainFile /path/to/CA_CERT.crt </virtualhost> </namevirtualhost>
If you have a Wildcard or UC certificate all of the websites using the same certificate need to reference the same IP address in the VirtualHost IP address:443 section like in the example below:
<virtualhost 192.168.1.1:443> ServerName www.domain.com DocumentRoot /var/www/ SSLEngine on SSLCertificateFile /path/to/your_domain_name.crt SSLCertificateKeyFile /path/to/your_private.key SSLCertificateChainFile /path/to/CA_CERT.crt </virtualhost> <virtualhost 192.168.1.1:443> ServerName site2.domain.com DocumentRoot /var/www/site2 SSLEngine on SSLCertificateFile /path/to/your_domain_name.crt SSLCertificateKeyFile /path/to/your_private.key SSLCertificateChainFile /path/to/CA_CERT.crt </virtualhost>
Now restart Apache and access the https site from a browser that supports SNI. If you set it up correctly, you will access the site without any warnings or problems. You can add as many websites or SSL Certificates as you need using the above process.