
Set Up Multiple SSL Hosts with a Single Apache Server
In this article, we will show you how to set up multiple SSL certificates on CentOS with Apache using only a single IP address. In general, a website administrator is restricted to a single SSL certificate per socket (IP address and port), which can be costly for the company. This restriction may lead them to buy multiple IP addresses for the HTTPS websites they host, or to buy hardware that allows them to use multiple network adapters.
Serving several certificates from one IP address is made possible by an extension to the SSL/TLS protocol called Server Name Indication (SNI): the client sends the hostname it wants during the handshake, so the server can select the matching certificate. Most current desktop and mobile web browsers support SNI. The main benefit of using SNI is the ability to secure multiple websites without purchasing more IP addresses.
Configuration
Make sure the mod_ssl security module is installed and enabled so the Apache web server can use the OpenSSL library and toolkit:
# yum install mod_ssl openssl
Execute the Below Commands
# mkdir -p /etc/httpd/ssl/
# mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
# cd /etc/httpd/ssl/
Generating SSL Certificate Signing Request Files for Your Domains
# openssl genrsa -out mydomain1.key 2048
# openssl req -new -key mydomain1.key -out mydomain1.csr
# openssl genrsa -out mydomain2.key 2048
# openssl req -new -key mydomain2.key -out mydomain2.csr
Enter the following details for your certificates:
Country Name (2 letter code) [AU]:IN
State or Province Name (full name) [Some-State]:Telengana
Locality Name (eg, city) []:Hyderabad
Organization Name (eg, company) [Internet Widgits Pty Ltd]:mydomain1.com
Organizational Unit Name (eg, section) []:mydomain.com
Common Name (e.g. server FQDN or YOUR name) []:mydomain1.com
Email Address []:[email protected]
It is recommended to install commercial SSL certificates when deploying in a production environment. Alternatively, for development or for staging a website, we can generate self-signed SSL certificates using the commands below.
# openssl x509 -req -days 365 -in mydomain1.csr -signkey mydomain1.key -out mydomain1.crt
# openssl x509 -req -days 365 -in mydomain2.csr -signkey mydomain2.key -out mydomain2.crt
Editing the ‘ssl.conf’ Apache Configuration File
# vi /etc/httpd/conf.d/ssl.conf

LoadModule ssl_module modules/mod_ssl.so
Listen 443
NameVirtualHost *:443
SSLPassPhraseDialog builtin
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
    DocumentRoot /var/www/html/mydomain1
    ServerName mydomain1.com
    ServerAlias www.mydomain1.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/ssl/mydomain1.crt
    SSLCertificateKeyFile /etc/httpd/ssl/mydomain1.key
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
    DocumentRoot /var/www/html/mydomain2
    ServerName mydomain2.com
    ServerAlias www.mydomain2.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/ssl/mydomain2.crt
    SSLCertificateKeyFile /etc/httpd/ssl/mydomain2.key
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
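The following Python is an added example, not part of the original article or of Apache itself: it models which certificate each SNI name receives from the two virtual hosts above, and lists the legacy protocol and cipher classes that the article's SSLProtocol and SSLCipherSuite lines leave enabled. The sample config is constructed from the article's directives, the function names are hypothetical, and name matching is simplified to exact ServerName/ServerAlias values.

```python
import re

# Constructed sample: the TLS-relevant directives of the article's two vhosts.
VHOST = """<VirtualHost *:443>
  ServerName {n}.com
  ServerAlias www.{n}.com
  SSLProtocol all -SSLv2
  SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
  SSLCertificateFile /etc/httpd/ssl/{n}.crt
</VirtualHost>
"""
SSL_CONF = VHOST.format(n="mydomain1") + VHOST.format(n="mydomain2")

def parse_vhosts(conf):
    """Return one {directive: [args...]} dict per <VirtualHost> block."""
    vhosts = []
    for body in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S):
        vh = {}
        for parts in filter(None, map(str.split, body.splitlines())):
            vh.setdefault(parts[0], []).extend(parts[1:])
        vhosts.append(vh)
    return vhosts

def cert_for_sni(vhosts, sni):
    """Certificate file served for an SNI name (exact names only, no wildcards)."""
    for vh in vhosts:
        names = vh.get("ServerName", []) + vh.get("ServerAlias", [])
        if sni and sni.lower() in (n.lower() for n in names):
            return vh["SSLCertificateFile"][0]
    # No SNI, or a name no vhost claims: the first vhost acts as the default.
    return vhosts[0]["SSLCertificateFile"][0]

def weak_tls_settings(vh):
    """List legacy protocol/cipher classes this vhost leaves enabled."""
    findings = []
    proto = vh.get("SSLProtocol", [])
    # "all" still includes SSLv3 when the OpenSSL build offers it (assumed here).
    if {"all", "+all", "SSLv3", "+SSLv3"} & set(proto) and "-SSLv3" not in proto:
        findings.append("SSLv3")
    tokens = ":".join(vh.get("SSLCipherSuite", [])).split(":")
    for cls in ("RC4", "LOW", "EXPORT"):
        # Live if ALL or an unprefixed token adds the class and no !CLASS removes it.
        added = "ALL" in tokens or any(cls in t.split("+") for t in tokens if t[:1] not in "!-+")
        if added and "!" + cls not in tokens:
            findings.append(cls)
    return findings

if __name__ == "__main__":
    vhosts = parse_vhosts(SSL_CONF)
    print(cert_for_sni(vhosts, None), weak_tls_settings(vhosts[0]))
```

A client that sends no SNI name, or an unknown one, is handed the mydomain1 certificate because that virtual host comes first. Changing the two directives to, for example, SSLProtocol all -SSLv2 -SSLv3 and SSLCipherSuite HIGH:!aNULL:!MD5:!RC4 makes weak_tls_settings return an empty list.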
When using a commercial SSL certificate, the signing authority will likely include an intermediate CA certificate. In that case, create a new ‘/etc/httpd/ssl/ca.crt’ file and paste the contents of the intermediate CA certificate into it, then edit the ‘ssl.conf’ configuration file and uncomment the following line so that the Apache web server can find your CA certificate.
SSLCertificateChainFile /etc/httpd/ssl/ca.crt
Test the Apache configuration
# /etc/init.d/httpd configtest
Syntax OK
Restart the Apache service for the changes to take effect
# service httpd restart
Open https://mydomain1.com and https://mydomain2.com in your favorite web browser and verify that the SSL certificates are installed correctly.
After completing this setup and restarting Apache, you can access the HTTPS sites with a browser that supports SNI. If everything is set up correctly, you will be able to access the sites without any warnings or problems. You can add as many websites or SSL certificates as you need using the above process.