How to setup multiple domain names with SSL on one IP address
What is SNI (Server Name Indication)?
Usually, an HTTPS server can only serve one domain (or a small group of domains) per IP address for secured browsing. Since the IPv4 address space is nearly used up, SNI was introduced as an extension to the TLS protocol. With SNI the client sends the name of the virtual domain as part of the TLS negotiation. This enables the server to select the correct virtual domain early and present the browser with the certificate containing the correct name. SNI therefore allows more than one SSL-secured domain name to use the same IP address for virtual hosting.
Is SNI the perfect choice to run multiple SSL-secured vhosts with one IP address?
Unfortunately – NO. Although SNI has the advantage of serving multiple HTTPS domain names on one IP address, we do not recommend using SNI at this time, as many old browsers do not support it. Nearly 25% of all internet users still use Windows XP as their platform [1], and Windows XP does not support SNI. So you may lock out a large part of your visitors, as they cannot connect to your server.
Is there an alternative to SNI?
Yes! Multi Domain SSL Certificates (also known as SAN (Subject Alternative Name) or Unified Communications (UC) Certificates) solve that issue. A Multi Domain SSL Certificate lets you secure multiple domain names that share the same IP address with one single SSL certificate. You may secure www.example.net, shop.example.us and mail.anotherdomain.com with only one Multi-Domain SSL certificate. Multi Domain SSL Certificates are available for as low as $69 per year:
https://www.sslpoint.com/multi-domain-ssl-certificates/
UCC Certificates for Exchange Server and OCS are available for as low as $69 per year:
https://www.sslpoint.com/exchange-ssl-certificates/
How to set up Apache without SNI?
To set up Apache virtual hosts without SNI, configure your vhosts as IP-based virtual hosts:

    NameVirtualHost 123.123.123.123:443

    <VirtualHost 123.123.123.123:443>
        ServerName dev.example.net
        DocumentRoot /var/www/dev.example.net
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/example.net.crt
        SSLCertificateKeyFile /etc/ssl/private/example.net.key
        SSLCACertificateFile /etc/ssl/certs/ca-bundle.crt
    </VirtualHost>

    <VirtualHost 123.123.123.123:443>
        ServerName test1.example.net
        DocumentRoot /var/www/test1.example.net
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/example.net.crt
        SSLCertificateKeyFile /etc/ssl/private/example.net.key
        SSLCACertificateFile /etc/ssl/certs/ca-comodo.crt
    </VirtualHost>

    <VirtualHost 123.123.123.123:443>
        ServerName test2.example.net
        DocumentRoot /var/www/test2.example.net
        SSLEngine on
        SSLCertificateFile /etc/ssl/certs/example.net.crt
        SSLCertificateKeyFile /etc/ssl/private/example.net.key
        SSLCACertificateFile /etc/ssl/certs/ca-comodo.crt
    </VirtualHost>
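The setup above only works because every vhost on 123.123.123.123:443 serves the same multi-domain certificate: a client that does not send SNI receives the certificate of the first vhost for that address, so that certificate must list every ServerName in its SAN. The following pre-deployment check is an added example, not code from the page or from sslpoint; the vhost config is a trimmed copy of the one above and the SAN list of example.net.crt is an assumption constructed for the example.

```python
import re

# Constructed copy of the page's Apache vhost config (only the lines this check reads).
APACHE_CONF = """
<VirtualHost 123.123.123.123:443>
    ServerName dev.example.net
    SSLCertificateFile /etc/ssl/certs/example.net.crt
</VirtualHost>
<VirtualHost 123.123.123.123:443>
    ServerName test1.example.net
    SSLCertificateFile /etc/ssl/certs/example.net.crt
</VirtualHost>
<VirtualHost 123.123.123.123:443>
    ServerName test2.example.net
    SSLCertificateFile /etc/ssl/certs/example.net.crt
</VirtualHost>
"""
# Assumed SAN list of the multi-domain certificate (constructed for this example).
CERT_SANS = {"/etc/ssl/certs/example.net.crt": ["dev.example.net", "*.example.net"]}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S)

def parse_vhosts(conf):
    """Yield (address, ServerName, SSLCertificateFile) per <VirtualHost> block."""
    for addr, body in VHOST_RE.findall(conf):
        name = re.search(r"^\s*ServerName\s+(\S+)", body, re.M)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        if name:
            yield addr.strip(), name.group(1), cert.group(1) if cert else None

def san_matches(san, host):
    """RFC 6125 matching: a '*.' wildcard covers exactly one leftmost label."""
    if san.startswith("*."):
        labels = host.split(".", 1)
        return len(labels) == 2 and labels[1].lower() == san[2:].lower()
    return san.lower() == host.lower()

def check_no_sni(conf, cert_sans):
    """A client without SNI receives the FIRST vhost's certificate for each
    address:port, so that one certificate must name every ServerName."""
    problems, by_addr = [], {}
    for addr, name, cert in parse_vhosts(conf):
        by_addr.setdefault(addr, []).append((name, cert))
    for addr, hosts in by_addr.items():
        first_cert = hosts[0][1]  # the certificate a non-SNI client actually sees
        for name, cert in hosts:
            if cert != first_cert:
                problems.append(f"{name}: configured {cert}, non-SNI clients get {first_cert}")
            if not any(san_matches(s, name) for s in cert_sans.get(first_cert, [])):
                problems.append(f"{name}: not in the SAN list of {first_cert}")
    return problems
```

An empty result means every name on that address is covered by the one certificate non-SNI clients receive; any reported line is a name those clients would get a certificate mismatch for.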
Reference:
[1] Usage share of Windows XP as of August 2014: 23.89%
http://en.wikipedia.org/wiki/Usage_share_of_operating_systems