As you may already know, normally only one SSL certificate can be installed on a single IP address. Today we will explain how to set up multiple SSL certificates with Apache on a single IP address. For this tutorial we will be using a virtual server from LVPSHosting.com

You can host multiple SSL certificates on one IP address using Server Name Indication (SNI), an extension to the TLS protocol. With SNI, the client sends the hostname it wants during the TLS handshake, so the server can pick the matching certificate. It was designed for one purpose: the ability to secure multiple websites without purchasing more IP addresses.

First, make sure that the mod_ssl module is installed and enabled so that the Apache web server can use the OpenSSL library and toolkit. To do that, just type:

yum install mod_ssl openssl

After that you will need to execute the following commands:

mkdir -p /etc/httpd/ssl/
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
cd /etc/httpd/ssl/

The next step is to generate a private key and a certificate signing request (CSR) file for each of your domains. To do that, type:

openssl genrsa -out example.com.key 2048
openssl req -new -key example.com.key -out example.com.csr

and

openssl genrsa -out example.org.key 2048
openssl req -new -key example.org.key -out example.org.csr

and enter the following details for your certificates:

• Country Name
• State or Province Name
• Locality Name
• Organization Name
• Organizational Unit Name
• Email Address

When prompted for the Common Name (i.e. domain name), enter the FQDN (fully qualified domain name) for the website you are securing.

It is always recommended to buy an SSL certificate if you want to put your website in a production environment. You can generate and use self-signed SSL certificates when you are developing or testing a website or application, using the following commands:

openssl x509 -req -days 365 -in example.com.csr -signkey example.com.key -out example.com.crt

and

openssl x509 -req -days 365 -in example.org.csr -signkey example.org.key -out example.org.crt

Next, you will need to edit the ‘ssl.conf’ Apache configuration file:

nano /etc/httpd/conf.d/ssl.conf

and add the following lines:

LoadModule ssl_module modules/mod_ssl.so

Listen 443

# Enable name-based virtual hosts on port 443
NameVirtualHost *:443

SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# off: clients that do not send SNI are still served, by the first virtual host below
SSLStrictSNIVHostCheck off

# First site: example.com
<VirtualHost *:443>
DocumentRoot /var/www/html/example.com
ServerName example.com
ServerAlias www.example.com
SSLEngine on
# Note: "all -SSLv2" still permits SSLv3, and this cipher string permits RC4 and
# LOW-strength suites; for production, add -SSLv3 and drop RC4, +MEDIUM and +LOW.
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/example.com.crt
SSLCertificateKeyFile /etc/httpd/ssl/example.com.key
#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

# Second site: example.org (same settings, its own certificate and key)
<VirtualHost *:443>
DocumentRoot /var/www/html/example.org
ServerName example.org
ServerAlias www.example.org
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/example.org.crt
SSLCertificateKeyFile /etc/httpd/ssl/example.org.key
#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLOptions +StdEnvVars

SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

When using a commercial SSL certificate, it is likely the signing authority will include an intermediate CA certificate. In that case, create a new ‘/etc/httpd/ssl/ca.crt’ file and paste the contents of the intermediate CA certificate into it, then edit the ‘ssl.conf’ configuration file and uncomment the following line:

SSLCertificateChainFile /etc/httpd/ssl/ca.crt

so the Apache web server can find your CA certificate.

You can test the Apache configuration with the following command:

/etc/init.d/httpd configtest

and if everything is ok you should get

Syntax OK
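
The configtest only validates the configuration syntax; it does not tell you whether each certificate belongs to the key stored next to it or names the right site, which is the usual mix-up when several certificates share one directory. The script below is an added example, not part of the original tutorial; it assumes the file naming used above (<domain>.key, <domain>.csr, <domain>.crt) and OpenSSL 1.0.2 or newer, and the names pubkey_pem and check_domain are hypothetical helpers.

```shell
#!/bin/sh
# Added example (not from the original tutorial): sanity-check the per-domain
# files before restarting Apache. Assumes the naming <domain>.key/.csr/.crt.

# Print the public key (PEM) carried by a private key, CSR or certificate.
pubkey_pem() {
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        csr) openssl req  -in "$2" -noout -pubkey ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
    esac 2>/dev/null
}

# check_domain DIR DOMAIN -> 0 if key, CSR and certificate belong together,
# the certificate names DOMAIN and it has not expired; non-zero otherwise.
check_domain() {
    _dir=$1; _dom=$2
    _key=$(pubkey_pem key "$_dir/$_dom.key")
    _crt=$(pubkey_pem crt "$_dir/$_dom.crt")
    _csr=$(pubkey_pem csr "$_dir/$_dom.csr")   # optional: the CSR may be absent
    if [ -z "$_key" ] || [ -z "$_crt" ]; then
        echo "$_dom: key or certificate missing/unreadable" >&2; return 2
    fi
    if [ "$_key" != "$_crt" ]; then
        echo "$_dom: certificate was not issued for this private key" >&2; return 1
    fi
    if [ -n "$_csr" ] && [ "$_csr" != "$_key" ]; then
        echo "$_dom: CSR was generated from a different key" >&2; return 1
    fi
    # Name check: a vhost serving another site's certificate causes browser warnings.
    if ! openssl x509 -in "$_dir/$_dom.crt" -noout -checkhost "$_dom" \
            | grep -q 'does match'; then
        echo "$_dom: certificate is not valid for this hostname" >&2; return 1
    fi
    if ! openssl x509 -in "$_dir/$_dom.crt" -noout -checkend 0 >/dev/null; then
        echo "$_dom: certificate has expired" >&2; return 1
    fi
    echo "$_dom: OK"
}

# Usage: sh check_tls_files.sh /etc/httpd/ssl example.com example.org
if [ "$#" -ge 2 ]; then
    ssl_dir=$1; shift; rc=0
    for name in "$@"; do check_domain "$ssl_dir" "$name" || rc=1; done
    exit "$rc"
fi
```
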

Please note that you must restart the Apache service for the changes to take effect:

service httpd restart

Open https://example.com and https://example.org in your favorite web browser and verify that SSL certificates are installed correctly.
