How To Set Up Multiple SSL Certificates On a CentOS VPS With Apache Using One IP Address


In this tutorial we will show you how to set up multiple SSL certificates on a CentOS VPS with Apache using only one IP address.

This is allowed by an extension to the SSL protocol called Server Name Indication (SNI). Most current desktop and mobile web browsers support SNI. The main benefit of using SNI is the ability to secure multiple websites without purchasing more IP addresses.

Make sure the mod_ssl security module is installed and enabled so the Apache web server can use the OpenSSL library and toolkit:

yum install mod_ssl openssl

Execute the following commands:

mkdir -p /etc/httpd/ssl/
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak 
cd /etc/httpd/ssl/

Generate a private key and a certificate signing request (CSR) for each of your domains:

openssl genrsa -out domain1.key 2048
openssl req -new -key domain1.key -out domain1.csr

openssl genrsa -out domain2.key 2048
openssl req -new -key domain2.key -out domain2.csr

and enter the following details for your certificates:

  • Country Name
  • State or Province Name
  • Locality Name
  • Organization Name
  • Organizational Unit Name
  • Email Address

When prompted for the Common Name (i.e. domain name), enter the FQDN (fully qualified domain name) for the website you are securing.

It is recommended to use commercial SSL certificates in a production environment. If you are only developing or testing a website or application, you can instead generate self-signed SSL certificates with the following commands:

openssl x509 -req -days 365 -in domain1.csr -signkey domain1.key -out domain1.crt

openssl x509 -req -days 365 -in domain2.csr -signkey domain2.key -out domain2.crt

Create a fresh ‘ssl.conf’ Apache configuration file (the original was moved aside as ‘ssl.conf.bak’ above):

vi /etc/httpd/conf.d/ssl.conf

and add the following lines:

LoadModule ssl_module modules/mod_ssl.so

Listen 443

NameVirtualHost *:443

SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# off: clients that send no SNI are served by the first <VirtualHost *:443> below instead of being refused
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
DocumentRoot /var/www/html/domain1
ServerName domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/domain1.crt
SSLCertificateKeyFile /etc/httpd/ssl/domain1.key
#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /var/www/html/domain2
ServerName domain2.com
ServerAlias www.domain2.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/domain2.crt
SSLCertificateKeyFile /etc/httpd/ssl/domain2.key
#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

When using a commercial SSL certificate, it is likely the signing authority will include an intermediate CA certificate. In that case, create a new ‘/etc/httpd/ssl/ca.crt’ file and paste the contents of the intermediate CA certificate into it, then edit the ‘ssl.conf’ configuration file and uncomment the following line:

SSLCertificateChainFile /etc/httpd/ssl/ca.crt

so the Apache web server can find your CA certificate.

Test the Apache configuration:

/etc/init.d/httpd configtest

Syntax OK

Restart the Apache service for the changes to take effect:

service httpd restart

Open https://domain1.com and https://domain2.com in your favorite web browser and verify that SSL certificates are installed correctly.
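A browser check only tells you about the name you typed. The script below is an added example (it is not part of the original tutorial) that uses the openssl command-line tool the tutorial installs to connect once per domain with that SNI value, and once without SNI, and reports which certificate CN and which cipher the server presented; the function names are hypothetical, and it assumes the VPS is reachable from where you run it.

```python
"""Verify which certificate (and cipher) an SNI vhost presents per name.
Added example using the openssl CLI the tutorial installs; not from the post."""
import re
import subprocess


def negotiated_cipher(s_client_output):
    """Pull the 'Cipher : NAME' line out of an s_client transcript."""
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_output, re.M)
    return m.group(1) if m else None


def common_name(subject_line):
    """Extract CN from either subject format OpenSSL prints:
    'subject= /C=US/O=Example/CN=domain1.com'      (OpenSSL 1.0.x)
    'subject=C = US, O = Example, CN = domain1.com' (OpenSSL 1.1+)"""
    m = re.search(r"\bCN\s*=\s*([^/,]+)", subject_line)
    return m.group(1).strip() if m else None


def tls_probe(host, port=443, servername=None):
    """Handshake with openssl s_client; return (subject line, cipher).
    servername=None sends no SNI, like a Windows XP client. Give the VPS IP
    as host for that case: OpenSSL 1.1.1+ fills SNI from a DNS -connect name."""
    cmd = ["openssl", "s_client", "-connect", "%s:%d" % (host, port)]
    if servername:
        cmd += ["-servername", servername]
    sc = subprocess.run(cmd, input=b"", capture_output=True, timeout=15)
    transcript = sc.stdout.decode(errors="replace")
    # openssl x509 reads the first PEM certificate found in the transcript
    x509 = subprocess.run(["openssl", "x509", "-noout", "-subject"],
                          input=sc.stdout, capture_output=True, timeout=15)
    subject = x509.stdout.decode(errors="replace").strip()
    return subject, negotiated_cipher(transcript)


def check_vhosts(host, names, port=443):
    """Probe once per expected name with that SNI value, then once without.
    Returns {name: (presented CN, cipher, CN == name)}; the '<no SNI>' row
    shows which certificate non-SNI clients get (Apache falls back to the
    first <VirtualHost *:443> in ssl.conf)."""
    results = {}
    for name in names:
        subject, cipher = tls_probe(host, port, servername=name)
        cn = common_name(subject)
        results[name] = (cn, cipher, cn == name)
    subject, cipher = tls_probe(host, port)
    results["<no SNI>"] = (common_name(subject), cipher, None)
    return results
```

Call check_vhosts("<your VPS IP>", ["domain1.com", "domain2.com"]) and look for any row whose match flag is False, or whose cipher is an RC4 or LOW-grade suite, which the SSLCipherSuite line above still permits.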

Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to set up multiple SSL Certificates on your VPS for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

One Response to “How To Set Up Multiple SSL Certificates On a CentOS VPS With Apache Using One IP Address”

  1. Admin

    People should be aware that Windows XP doesn’t support SNI.
