Using SNI to host multiple SSL certificates in Apache

---

Server Name Identification (SNI) is an extension of the Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocol that enables you to host multiple SSL certificates on a single unique Internet Protocol (IP) address. This article describes how to use SNI to host multiple SSL certificates in Apache®.

Prerequisites

Your server must meet the following requirements to use SNI:

• Apache v2.2.12 or later
• OpenSSL® v 0.9.8j or later
• mod_ssl must be installed

The following operating systems support SNI without additional modifications:

• Red Hat® Enterprise Linux® (RHEL) 6 and later
• Fedora® 10 and later
• CentOS® 6
• Debian® 6 and later
• Ubuntu® 10.04 and later

The following operating systems require Apache, OpenSSL, and mod_ssl to be compiled with proper versions:

• Red Hat Enterprise Linux 5
• Centos 5

Check that mod_ssl is installed

Before you use SNI, check that mod_ssl is installed by running the following command:

RHEL, CentOS, and Fedora

yum list installed | grep mod_ssl

Debian and Ubuntu operating systems

dpkg -s apache2.2-common

If mod_ssl is not installed, use the following command to install it:

RHEL, CentOS, and Fedora

yum install mod_ssl

Debian and Ubuntu operating systems

For Debian and Ubuntu operating systems, install mod_ssl by using the following command:

 apt-get install apache2.2-common

Then enable the module by running a2enmod ssl; /etc/init.d/apache2 reload.

Set up vhosts

Add the following lines in your root Apache configuration file (apache2.conf or httpd.conf):

# Ensure that Apache listens on port 443
Listen 443

# Listen for virtual host requests on all IP addresses
NameVirtualHost *:443

# Accept connections for these vhosts from non-SNI clients
SSLStrictSNIVHostCheck off

In the vhost configuration file for each site, you must add your virtual host configuration. It should look similar to the following examples:

First vhost:

<VirtualHost *:443>

 ServerName www.yoursite.com

 DocumentRoot /var/www/site

 SSLEngine on

 SSLCertificateFile /path/to/www_yoursite_com.crt

 SSLCertificateKeyFile /path/to/www_yoursite_com.key

 SSLCertificateChainFile /path/to/DigiCertCA.crt

</Virtual Host>

Second vhost:

<VirtualHost *:443>

 ServerName www.yoursite2.com

 DocumentRoot /var/www/site2

 SSLEngine on

 SSLCertificateFile /path/to/www_yoursite2_com.crt

 SSLCertificateKeyFile /path/to/www_yoursite2_com.key

 SSLCertificateChainFile /path/to/DigiCertCA.crt

</Virtual Host>

You can test the configuration with a self-signed certificate by using the following command:

openssl req -new -nodes -keyout mykey.key -out mycert.cer -days 3650 -x509

Specify the domain name in the Common Name section, and then restart Apache.

Supported browsers

SNI is supported by most browsers, however older browsers such as Internet Explorer® 6 and any Windows® XP® browser do not support SNI.

Desktop browsers

• Internet Explorer 7 and later

• Firefox® 2 and later

• Opera 8 with TLS 1.1 enabled

• Google Chrome®:

  • Supported on Windows XP on Chrome 6 and later
  • Supported on Vista and later by default
  • Supported on OS X 10.5.7 in Chrome Version 5.0.342.0 and later

• Chromium® 11.0.696.28 and later

• Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later).

Note: No versions of Internet Explorer on Windows XP support SNI.

Mobile browsers

• Mobile Safari for iOS 4.0 and later
• Android 3.0 (Honeycomb) and later
• Windows Phone 7 and later

Unsupported browsers

Unsupported browsers load the SSL certificate of the first vhost that Apache loads. You can display a 403 error instead by adding the following line to the Apache configuration file (apache2.conf, or httpd.conf):

SSLStrictSNIVHostCheck on