Tutorial

How To Set Up Multiple SSL Certificates on One IP with Apache on Ubuntu 12.04

Published on October 19, 2012
How To Set Up Multiple SSL Certificates on One IP with Apache on Ubuntu 12.04

Status: Deprecated

This article covers a version of Ubuntu that is no longer supported. If you are currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:

Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.

See Instead:
This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.

You can host multiple SSL certificates on one IP Address using Server Name Indication (SNI).

About SNI

Although hosting several sites on a single virtual private server is not a challenge with the use of virtual hosts, providing separate SSL certificates for each site traditionally required separate IP addresses. The process has recently been simplified through the use of Server Name Indication (SNI), which sends a site visitor the certificate that matches the requested server name.

Note:

SNI can only be used for serving multiple SSL sites from your web server and is not likely to work at all on other daemons, such as mail servers, etc. There are also a small percentage of older web browsers that may still give certificate errors. Wikipedia has an updated list of software that does and does not support this TLS extension.

Set Up

SNI does need to have registered domain names in order to serve the certificates.

The steps in this tutorial require the user to have root privileges. You can see how to set that up in the Initial Server Setup Tutorial in steps 3 and 4.

Apache should already be installed and running on your VPS. If this is not the case, you can download it with this command:

sudo apt-get install apache2

Step One—Create Your SSL Certificates

For the purposes of this tutorial, both certificates will be self-signed. We will be working to create a server that hosts both example.com and example.org.

The SSL certificate has 2 parts main parts: the certificate itself and the public key. To make all of the relevant files easy to access, we should create a directory for each virtual host’s SSL certificate.

mkdir -p /etc/apache2/ssl/example.com
mkdir -p /etc/apache2/ssl/example.org

Step Two— Activate the SSL Module

The next step is to enable SSL on the droplet.

sudo a2enmod ssl

Follow up by restarting Apache.

sudo service apache2 restart

Step Three—Create a Self Signed SSL Certificate

When we request a new certificate, we can specify how long the certificate should remain valid by changing the 365 to the number of days we prefer. As it stands this certificate will expire after one year.

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/example.com/apache.key –out /etc/apache2/ssl/example.com/apache.crt

With this command, we will be both creating the self-signed SSL certificate and the server key that protects it, and placing both of them into the new directory.

This command will prompt terminal to display a lists of fields that need to be filled in.

The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:NYC
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc
Organizational Unit Name (eg, section) []:Dept of Merriment
Common Name (e.g. server FQDN or YOUR name) []:example.com                  
Email Address []:webmaster@awesomeinc.com

Then go ahead and take the same steps for the second (example.org) domain:

sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/example.org/apache.key -out /etc/apache2/ssl/example.org/apache.crt

Step Four—Create the Virtual Hosts

Once you have the certificates saved and ready, you can add in your information in the virtual host files.

Although it’s not required, we can create two virtual host files to store virtual host information in separate files, copying the configuration from the default virtual host file.

sudo nano /etc/apache2/sites-available/example.com
sudo nano /etc/apache2/sites-available/example.org

Go ahead and open up each file and paste in the configuration below. This configuration is a simplified version of two separate configuration files: the default virtual server configuration file found at /etc/apache2/sites-available/default and the default SSL configuration located in /etc/apache2/sites-available/default-ssl.

Additionally, this configuration includes an important change that facilitates multiple SSL certificates. Whereas the default SSL configuration has the following line, specifying a certificate as the default one for the server,

<VirtualHost _default_:443>

the configuration below does not have a reference to a default certificate. This is key.

Overall, the default configuration files offer a variety of useful directives and additional configuration options that you can add to the virtual host. However, the following information will provide the server everything it needs to set up multiple SSL certificates on one IP address.

<VirtualHost *:80>
        ServerAdmin webmaster@localhost
        ServerName example.com
        DocumentRoot /var/www

</VirtualHost>


<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerAdmin webmaster@localhost
        ServerName example.com
        DocumentRoot /var/www

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
        SSLCertificateKeyFile /etc/apache2/ssl/example.com/apache.key
</VirtualHost>

</IfModule>

There are a few lines in these configuration files that need to be customized.

  • ServerAdmin: This is simply your webmaster’s email address
  • ServerName: This is your domain name. Make sure that you write it in without a prepended www.
  • DocumentRoot: This is the directory where you keep your site information. Currently it points to the apache default directory. You will probably have different server roots for the 2 different virtual hosts.
  • SSLCertificateFile: This directive points to the location of the certificate file. The certificate for each site is stored in the directory that we created earlier in the tutorial.
  • SSLCertificateKeyFile : This directive points to the location of the certificate key. The certificate key for each site is stored in the directory that we created earlier in the tutorial.

Set up both domains’ configurations. We still have more step before the separate SSL certificates will work on both servers.

Step Five—Edit the ports.conf file

The final step required to make sure that multiple certificates work on one VPS is to tell the server to listen on port 443. Add the bolded line to the apache ports configuration file.

sudo nano /etc/apache2/ports.conf 
NameVirtualHost *:80
NameVirtualHost *:443

Listen 80

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to 
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Step Six—Activate the Virtual Hosts

The last step is to activate the hosts. Apache makes activating and deactivating hosts very easy.
sudo a2ensite example.com
sudo a2ensite example.org

(You can deactivate virtual hosts with the command: sudo a2dissite example.com)

With all of the virtual hosts in enabled, restart apache.

sudo service apache2 restart

You should now be able to access both sites, each with its own domain name and SSL certificate.

You can view the sites both with and without the signed SSL certificates by typing in just the domain (eg. example.com or example.org) or the domain with the https prefix (https://example.com or https://example.org).

By Etel Sverdlov

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Problem with step 3? Step Three—Create a Self Signed SSL Certificate

The dash in front of “-out”, caused me a problem. I removed and added in a dash and it fixed an error I experienced.

Error: “unknown option –out” –out /etc/apache2/ssl/example.com/apache.crt –out /etc/apache2/ssl/example.org/apache.crt

Changed to: -out /etc/apache2/ssl/example.com/apache.crt -out /etc/apache2/ssl/example.org/apache.crt

Again, notice the dash in front of out, “-out”.

I find myself obliged to warn those to copy-paste the first openssl console command from step 3 that it will return an error described as “unknown option –out”

It is due to the use of a dash symbol right before “out” that is different from the regular dash. So if you copypasted this command you will have to mannually replace that dash with the regular one. I was becoming crazy until I found the solution at:

https://serverfault.com/questions/300842/openssl-keeps-giving-me-unknown-option-errors

Lots of thanks anyway to Etel Severdlov for this amazing tutorial.

when setting two virtual host with different ssl certificates. setting up SSLCertificateChainFile is also important in order to android and other devices work with https apis.

Following this tutorial. browsers works fine and respective ssl certificates appears in green locks of address bar.

but when checking with command openssl s_client -connect second.my_domain.com:443 it returns chain certificates of my first virtual host configured first.my_domain.com

So i am facing issue in setting properly intermediate certificates of multiple ssl with respective intermediate certificates on one ip.

Let me know if you need more info. like conf file

Anyone knows if this is possible using Virtualmin?

In an earlier comment it was pointed out that the dash character was wrong in the code for the generation of the .key and .crt file and this has not been corrected

Couple of items to note.

  1. On Ubuntu 14.04 you don’t need to do anything with ports.conf. In fact if you do you’ll get a warning on restart about NameVirtualHost being removed in the future.
  2. If you want your logs for the vhost going to a specific file (in my config I explicitly set the file names) remember to add that same config to the 443 host.
  3. If you only want the vhost running on port 443 then don’t add a new section as noted above. Just change the :*80 to :*443 in the VirtualHost tag and add the SSL configuration bits…don’t create a new VirtualHost tag.

Can I follow this process for CentOS 7 SNI installation?

as of now my virtual hosts allow both 80 and 443, how can i force them to use 443 only?

On Ubuntu 14.04.1 x64 bit [below steps worked for me] ** generate certificates for site example.com**

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/example.com/apache.key -out /etc/apache2/ssl/example.com/apache.crt

generate certificates for site example.org

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/example.org/apache.key -out /etc/apache2/ssl/example.org/apache.crt ##Virtual Host Configuration <note: the vhost file should have .conf extension###

root@server1:/etc/apache2/sites-available# vim example.com.conf <VirtualHost *:80> ServerAdmin webmaster@localhost ServerName example.org DocumentRoot /var/www/html/example.org

</VirtualHost>

<IfModule mod_ssl.c> <VirtualHost *:443>

    ServerAdmin webmaster@localhost
    ServerName example.org
    DocumentRoot /var/www/html/example.org

    #   SSL Engine Switch:
    #   Enable/Disable SSL for this virtual host.
    SSLEngine on

    SSLCertificateFile /etc/apache2/ssl/example.org/apache.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.org/apache.key

</VirtualHost>

</IfModule> ** #Configure ports** #cat /etc/apache2/ports.conf

NameVirtualHost *:80 NameVirtualHost *:443 Listen 80

<IfModule ssl_module> Listen 443 </IfModule>

<IfModule mod_gnutls.c> Listen 443 </IfModule> #Enable sites# a2ensite example.com a2ensite example.org

Hi Friends,

Is multiple SSL with single IP for different multiple domains supporting to all browsers ? My server is ubuntu 12.10.

Will it work ?

Regards,

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.