Oliver Nassar

Multiple SSL Certificates on one server/IP

April 11, 2011

As I wrote in Installing SSL on AWS EC2, the steps to install an SSL Certificate on a LAMP stack were pretty straightforward once I figured them out. But installing multiple (e.g. for separate subdomains/domains) is a little different.

I assumed that it would be as simple as creating a second vhost, but there is a limitation in place whereby only one SSL Certificate can be bound to a single IP. The exception to this?

Using Server Name Indication (SNI), a TLS extension that Apache supports, you can have more than one. But this comes with a few caveats:

  1. The server must be running Apache 2.2.12 or higher
  2. It must be using OpenSSL 0.9.8f or later
  3. OpenSSL must be built with the TLS extensions option
  4. Apache must be built against that version of OpenSSL
  5. And most importantly, this is only supported by modern browsers; this means not IE6

Therefore, the option is there to have multiple SSL Certificates operating on one server, but it comes with server-setup limitations as well as browser-support limitations.
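A sketch of the SNI setup described above, for an Apache 2.2 server that meets the listed requirements. This is an added example, not configuration from the original post; the hostnames and file paths are placeholders.

```apache
# Added example. Assumes Apache 2.2.12+ built against OpenSSL 0.9.8f+
# with TLS extensions. Hostnames and paths are placeholders.

Listen 443

# Apache 2.2 needs this to enable name-based virtual hosts on the SSL port.
NameVirtualHost *:443

# off (default): a client that sends no SNI name (e.g. IE6) is served by the
#   FIRST vhost below and sees its certificate, so it gets a name-mismatch
#   warning whenever it actually wanted the second site.
# on: a client that sends no SNI name is refused instead of being handed
#   the wrong certificate.
SSLStrictSNIVHostCheck off

# First vhost: the default for this IP:port when no SNI name is sent.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
</VirtualHost>

# Second vhost: selected only when the client sends this name via SNI.
<VirtualHost *:443>
    ServerName shop.example.org
    DocumentRoot /var/www/example.org

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/shop.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/shop.example.org.key
</VirtualHost>
```

To confirm which certificate each name receives, run `openssl s_client -connect <server-ip>:443 -servername shop.example.org` and compare the result with the same command without `-servername`.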

A couple ways to get around this? If the hosts you're trying to secure are all based off the same domain, use a Wildcard or Unified Communications Certificate.

Otherwise, have all important communication (e.g. login forms, signup forms) be processed via iframes and one secure server. Other than that, your only option would be to get more IPs :(

Useful links

Apache SSLStrictSNIVHostCheck Directive
SSL with Virtual Hosts Using SNI
Configure Apache to support multiple SSL sites on a single IP address