Is there a way to have all virtual servers, in Apache, use the same SSL certificate without having multiple IPs? I know that you can use a certificate on one site, per port and per IP, but can I make it work if the sites are on multiple ports?
duplicate: http://serverfault.com/questions/109800/multiple-ssl-domains-on-the-same-ip-address-and-same-port – Hubert Kario Jan 09 '12 at 11:01
3 Answers
Yes, that is possible. The only thing each SSL certificate needs is a unique socket (ip:port combination).
So, you have 2 options:
1. Multiple sockets (eg. 192.168.0.1:443, 192.168.0.1:444 etc.)
2. Multiple subdomains, matching the same wildcard domain name.
With approach number 2, you'll need a wildcard ssl certificate. Set up any number of vhosts with unique subdomains for the domain your wildcard certificate matches, and configure the SSLEngine settings for just the first. The others will by default (or actually by their socket) terminate with the same ssl certificate.
Note that I'm pretty sure changing the port means all urls will have to have a port number – TheLQ Jan 09 '12 at 05:19
That is correct, if you specify https:// without a port number, it will default to port 443, so the url will be something like `https://some.domain.tld:444/` if you choose to use eg. port 444 for an ssl vhost – Mathias R. Jessen Jan 09 '12 at 05:41
Option 2 will do what the OP wants. Option 1 won't help him at all, since he wants to use a single certificate. The only reason for multiple sockets would be to provide different certificates. – David Schwartz Jan 09 '12 at 10:55
I suspect that using a different HTTPS port will quite probably create problems with some paranoid corporate firewalls. – Raúl Salinas-Monteagudo Mar 29 '21 at 20:30
What you are looking for is called Server Name Indication, it is an extension to SSL that allows the client to indicate what host it is trying to connect to before the SSL certificate is provided by the server. See the Wikipedia page for information about what browsers support it, it's somewhat recent (2004-2006), but for example XP doesn't support it.
If that won't work for you, you will probably either have to require that users specify a different port in the URL (for example https://example.com:444/pagename) or, as suggested by JudasIscariot1651, host all SSL sites under a sub-URL off a central certificate (for example https://secure.example.com/sitename.example.com/pagename).
He doesn't need SNI. SNI is used to provide a *different* certificate. He specifically asked about using the *same* certificate. – David Schwartz Jan 09 '12 at 10:54
I'll admit, I'm reading between the lines here, because there's also no specific mention of wildcard certs either, which are likely necessary if you are going to have different virtual hosts. – Sean Reifschneider Jan 10 '12 at 10:17
Yes, you can. It will "just work", provided the single certificate is valid for every name that a client will use to reach the server (wildcard certificate or multiple name certificate). You can use the same certificate on any number of IP addresses or ports.
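Putting the three answers together, here is an added Apache 2.4 mod_ssl configuration (example code written for this page, not taken from the question or any of the answers) that serves several virtual hosts from one wildcard certificate: two name-based vhosts on the single socket *:443 (option 2 of the first answer, which needs the SNI described in the second answer to pick the vhost), plus one vhost on a second port (option 1). Every host name, port and file path is a constructed placeholder; the certificate directives are repeated in each vhost so nothing depends on mod_ssl's inheritance from the first vhost on a socket.

```apache
# Added example, not part of the original question or answers.
# All host names, ports and paths are constructed placeholders.
Listen 443
Listen 444

# Option 2: several name-based vhosts sharing ONE socket (*:443) and ONE
# wildcard certificate for *.example.com. The client's SNI extension selects
# the vhost; a client that sends no SNI is served by the first vhost below.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/www
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
    # Optional hardening: refuse non-SNI clients access to the name-based
    # vhosts on this socket instead of silently serving them the default one.
    # SSLStrictSNIVHostCheck on
</VirtualHost>

<VirtualHost *:443>
    ServerName app.example.com
    DocumentRoot /var/www/app
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
</VirtualHost>

# Option 1: a separate socket (*:444) reusing the same certificate.
# Clients must then use https://shop.example.com:444/ explicitly.
<VirtualHost *:444>
    ServerName shop.example.com
    DocumentRoot /var/www/shop
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/wildcard.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/wildcard.example.com.key
</VirtualHost>
```

Two caveats a practitioner should check before relying on this. A wildcard such as *.example.com matches exactly one label: it covers www.example.com and app.example.com but neither the bare example.com nor a.b.example.com, so those names need their own Subject Alternative Name entries (the "valid for every name that a client will use" condition in the third answer). And the vhost selection on port 443 only works for clients that send SNI; you can confirm what each name receives with `openssl s_client -connect <host>:443 -servername app.example.com`, which prints the certificate the server presented for that name.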