Apache – Configuring SSL VirtualHosts on a Single IP with UCC/SAN Certificate

apache-2.2 certificate ssl virtualhost

I need to host several Apache virtual hosts with SSL from a single IP.

Now – I understand that because SSL wraps around the HTTP request, there's no way to know which host is being requested until a public key has been sent to the client first. This essentially breaks the possibility of SSL virtual hosts using a standard SSL certificate.

I have obtained a Unified Communications Certificate (UCC), otherwise known as a Subject Alternative Name (SAN) certificate. This allows me to serve the same certificate for multiple domains.

I would like this to be the certificate served by Apache for any SSL request – and then have Apache resolve the virtual host as usual, once the encryption has been established.

How should I configure Apache for this? I have tried to research how this can be done, but all I can find are quotes which say that it is possible, but no specifics:


wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to use to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.

serverfault.com/questions/48334/apache-virtual-hosts-with-ssl

Incidentally, it is possible to have multiple SSL-secured named virtual hosts on a single IP address – I do it on my website – but it produces all sorts of warnings in the Apache logs, and certificate warnings in the browser. I certainly wouldn't recommend it for a production site that needs to look clean.
-David Jul 31 at 4:58

www.digicert.com/subject-alternative-name.htm

Virtual Host Multiple SSL sites on a single IP address.
Hosting multiple SSL-enabled sites on a single server typically requires a unique IP address per site, but a certificate with Subject Alternative Names can solve this problem. Microsoft IIS 6 and Apache are both able to Virtual Host HTTPS sites using Unified Communications SSL, also known as SAN certificates.


Please help.

Best Answer

I tested this on my Apache 2.2.14 instance and it worked fine:

Use the NameVirtualHost directive (to ports.conf):

NameVirtualHost *:443

Define your vhosts:

<VirtualHost *:443>
  ServerName www.siteA.com
  DocumentRoot "/opt/apache22/htdocs/siteA"
  SSLCertificateFile "/path/to/my/cert"
  SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>
<VirtualHost *:443>
  ServerName www.siteB.com
  DocumentRoot "/opt/apache22/htdocs/siteB"
  SSLCertificateFile "/path/to/my/cert"
  SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>

I used this link as a resource.
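
An added example, not part of the original answer: because every vhost on `*:443` presents the same certificate, each `ServerName` and `ServerAlias` must appear in that certificate's SAN list or browsers will show a hostname mismatch. The sketch below checks this offline; the function names, the `shop.siteC.com` host and both sample inputs are constructed for illustration, and the SAN text is assumed to come from `openssl x509 -noout -text`.

```python
import re

# Constructed sample: the answer's vhosts plus one host the certificate lacks.
VHOST_CONF = """
<VirtualHost *:443>
  ServerName www.siteA.com
  ServerAlias siteA.com
</VirtualHost>
<VirtualHost *:443>
  ServerName www.siteB.com
</VirtualHost>
<VirtualHost *:443>
  ServerName shop.siteC.com
</VirtualHost>
<VirtualHost *:80>
  ServerName plain.siteD.com
</VirtualHost>
"""

# Constructed sample of the SAN extension as printed by `openssl x509 -noout -text`.
CERT_TEXT = """
            X509v3 Subject Alternative Name:
                DNS:www.siteA.com, DNS:siteA.com, DNS:*.siteB.com
"""

def ssl_vhost_names(conf):
    """Return ServerName/ServerAlias values from <VirtualHost ...:443> blocks."""
    names = []
    blocks = re.findall(r"<VirtualHost\s+[^>]*:443\s*>(.*?)</VirtualHost>", conf, re.S | re.I)
    for body in blocks:
        for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", body, re.M | re.I):
            names.extend(m.group(1).split())
    return [n.lower() for n in names]

def san_dns_names(cert_text):
    """Return the dNSName entries listed in the certificate text."""
    return [n.lower() for n in re.findall(r"DNS:([^,\s]+)", cert_text)]

def covered(host, san):
    """Exact match, or a wildcard that replaces only the left-most label."""
    if san.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return host == san

def uncovered_hosts(conf, cert_text):
    """List SSL vhost names that no SAN entry covers."""
    sans = san_dns_names(cert_text)
    return [h for h in ssl_vhost_names(conf) if not any(covered(h, s) for s in sans)]

if __name__ == "__main__":
    print("not in certificate SAN list:", uncovered_hosts(VHOST_CONF, CERT_TEXT))
```

Hosts on port 80 are ignored, and a wildcard entry is treated as covering exactly one label, so `*.siteB.com` does not cover `siteB.com` itself.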