System StatusPortal Login

Using SNI to host multiple SSL certificates in Apache

Suggest Edits

Server Name Identification (SNI) is an extension of the Secure Socket Layer (SSL) and Transport
Layer Security (TLS) protocol that enables you to host multiple SSL certificates on a single
unique Internet Protocol (IP) address. This article describes how to use SNI to host multiple
SSL certificates in Apache®.

Prerequisites

Your server must meet the following requirements to use SNI:

  • Apache v2.2.12 or later
  • OpenSSL® v 0.9.8j or later
  • mod_ssl must be installed

The following operating systems support SNI without additional modifications:

  • Red Hat® Enterprise Linux® (RHEL) 6 and later
  • Fedora® 10 and later
  • CentOS® 6
  • Debian® 6 and later
  • Ubuntu® 10.04 and later

The following operating systems require Apache, OpenSSL, and mod_ssl to be compiled
with proper versions:

  • Red Hat Enterprise Linux 5
  • Centos 5

Check that mod_ssl is installed

Before you use SNI, check that mod_ssl is installed by running the following command:

RHEL, CentOS, and Fedora

yum list installed | grep mod_ssl

Debian and Ubuntu operating systems

dpkg -s apache2.2-common

If mod_ssl is not installed, use the following command to install it:

RHEL, CentOS, and Fedora

yum install mod_ssl

Debian and Ubuntu operating systems

For Debian and Ubuntu operating systems, install mod_ssl by using the following command:

 apt-get install apache2.2-common

Then enable the module by running a2enmod ssl; /etc/init.d/apache2 reload.

Set up vhosts

Add the following lines in your root Apache configuration file (apache2.conf or httpd.conf):

# Ensure that Apache listens on port 443
Listen 443

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Accept connections for these vhosts from non-SNI clients
SSLStrictSNIVHostCheck off

In the vhost configuration file for each site, you must add your virtual host configuration. It
should look similar to the following examples:

First vhost:

<VirtualHost *:443>

 ServerName www.yoursite.com

 DocumentRoot /var/www/site

 SSLEngine on

 SSLCertificateFile /path/to/www_yoursite_com.crt

 SSLCertificateKeyFile /path/to/www_yoursite_com.key

 SSLCertificateChainFile /path/to/DigiCertCA.crt

</Virtual Host>

Second vhost:

<VirtualHost *:443>

 ServerName www.yoursite2.com

 DocumentRoot /var/www/site2

 SSLEngine on

 SSLCertificateFile /path/to/www_yoursite2_com.crt

 SSLCertificateKeyFile /path/to/www_yoursite2_com.key

 SSLCertificateChainFile /path/to/DigiCertCA.crt

</Virtual Host>

You can test the configuration with a self-signed certificate by using the following
command:

openssl req -new -nodes -keyout mykey.key -out mycert.cer -days 3650 -x509

Specify the domain name in the Common Name section, and then restart Apache.

Supported browsers

SNI is supported by most browsers, however older browsers such as Internet Explorer® 6
and any Windows® XP® browser do not support SNI.

Desktop browsers

  • Internet Explorer 7 and later

  • Firefox® 2 and later

  • Opera 8 with TLS 1.1 enabled

  • Google Chrome®:

    • Supported on Windows XP on Chrome 6 and later
    • Supported on Vista and later by default
    • Supported on OS X 10.5.7 in Chrome Version 5.0.342.0 and later

  • Chromium® 11.0.696.28 and later

  • Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).

Note: No versions of Internet Explorer on Windows XP support SNI.

Mobile browsers

  • Mobile Safari for iOS 4.0 and later
  • Android 3.0 (Honeycomb) and later
  • Windows Phone 7 and later

Unsupported browsers

Unsupported browsers load the SSL certificate of the first vhost that Apache loads. You can
display a 403 error instead by adding the following line to the Apache configuration file
(apache2.conf, or httpd.conf):

SSLStrictSNIVHostCheck on

Updated 5 months ago