Install Multiple SSL Certificates in Apache Web Server

  1. Generate the server key:
    # openssl genrsa -out /etc/ssl/private/abc.com.key 4096
  2. Generate and self-sign the certificate:
    # openssl req -new -key /etc/ssl/private/abc.com.key -x509 -out /etc/ssl/certs/abc.com.crt -days 7000
    Country Name (2 letter code) [AU]:MY
    State or Province Name (full name) [Some-State]:Kuala Lumpur
    Locality Name (eg, city) []:Kuala Lumpur
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:ABC Ltd
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:abc.com
    Email Address []:admin@abc.com
  3. Repeat steps 1 and 2 for another domain name:
    # openssl genrsa -out /etc/ssl/private/xyz.com.key 4096
    # openssl req -new -key /etc/ssl/private/xyz.com.key -x509 -out /etc/ssl/certs/xyz.com.crt -days 7000
    Country Name (2 letter code) [AU]:MY
    State or Province Name (full name) [Some-State]:Kuala Lumpur
    Locality Name (eg, city) []:Kuala Lumpur
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:XYZ Ltd
    Organizational Unit Name (eg, section) []:
    Common Name (eg, YOUR name) []:xyz.com
    Email Address []:admin@xyz.com
  4. Configure Apache to host two domains using different certificates:
    <VirtualHost 192.168.100.1:443>
    ServerName abc.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/abc.com.crt
    SSLCertificateKeyFile /etc/ssl/private/abc.com.key
    ....
    </VirtualHost>
    <VirtualHost 192.168.100.2:443>
    ServerName xyz.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/xyz.com.crt
    SSLCertificateKeyFile /etc/ssl/private/xyz.com.key
    ....
    </VirtualHost>
  5. Enable SSL module:
    # cd /etc/apache2/mods-enabled/
    # ln -s ../mods-available/ssl.conf
    # ln -s ../mods-available/ssl.load
    # /etc/init.d/apache2 restart

Note:

  • Each IP address can only be configured with one certificate.  For the example above:
    • abc.com=192.168.100.1
    • xyz.com=192.168.100.2
  • In step 2, the “common name” must refer to the domain name of the web site.  If a different name is given, you’ll get a certificate error message like the following:  “Certificate belongs to a different site, which could indicate an identity theft”.
  • I’m using Debian for the above example.
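
A check to run before the restart in step 5, as an added example that is not part of the original post: it confirms that each certificate's Common Name equals the ServerName, that the key file belongs to that certificate, and that the key is not world-readable. The function names `cert_cn` and `check_pair` are hypothetical; only the standard `openssl`, `sed`, `head` and `find` tools are assumed.

```shell
#!/bin/sh
# Added example (not from the original post): verify a certificate/key pair
# before pointing SSLCertificateFile / SSLCertificateKeyFile at it.

# Print the subject Common Name of a PEM certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline 2>/dev/null |
        sed -n 's/^ *commonName *= *//p' | head -n 1
}

# check_pair DOMAIN CERT KEY
# Returns 0 if the pair is usable for DOMAIN, otherwise:
#   1 = CN differs from DOMAIN      2 = key does not belong to the certificate
#   3 = key is world-readable       4 = certificate or key could not be parsed
check_pair() {
    domain=$1 cert=$2 key=$3

    # Extract the public key from both files; identical output means they pair up.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 4

    cn=$(cert_cn "$cert")
    if [ "$cn" != "$domain" ]; then
        echo "FAIL $domain: certificate CN is '$cn'" >&2
        return 1
    fi
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL $domain: $key does not match $cert" >&2
        return 2
    fi
    # POSIX find: -perm -004 is true when the "other read" bit is set.
    if [ -n "$(find "$key" -perm -004 2>/dev/null)" ]; then
        echo "FAIL $domain: $key is world-readable" >&2
        return 3
    fi
    echo "OK   $domain: CN and key match"
}

# Usage with the paths from the steps above (run as root to read the keys):
#   check_pair abc.com /etc/ssl/certs/abc.com.crt /etc/ssl/private/abc.com.key
#   check_pair xyz.com /etc/ssl/certs/xyz.com.crt /etc/ssl/private/xyz.com.key
```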

5 responses to “Install Multiple SSL Certificates in Apache Web Server”

  1. jack wong May 19, 2011 at 4:54 pm

    Are you using 1 or 2 public addresses for your situation above? Does abc.com and xyz.com’s traffic come from the same public IP address?

    abc.com=192.168.100.1
    xyz.com=192.168.100.2

    • wenlong May 19, 2011 at 5:18 pm

      My post has clearly stated that “Each IP address can only be configured with one certificate”, which means two IP addresses were used.

      • jack wong May 19, 2011 at 5:59 pm

        Hi Wen Long,

        Ya, I know you are using 2 private IPs (virtual IPs), but are you using only one public address like 175.180.25.36 and forwarding the traffic to 192.168.100.1 and 192.168.100.2 respectively?

      • wenlong May 19, 2011 at 6:52 pm

        I’m afraid that’s not possible. HTTPS traffic is encrypted (including all HTTP headers), so the front-end server in your example will not know which internal server to forward the traffic to. This is the reason why I said “each IP address can only have one certificate”.

  2. jack wong May 20, 2011 at 10:17 am

    Ya, I think that is not possible … but I think if we use the SNI method it can work, but not perfectly enough. Thank you.
