Tutorial
How To Set Up Multiple SSL Certificates on One IP with Apache on Ubuntu 12.04
Status: Deprecated
This article covers a version of Ubuntu that is no longer supported. If you are currently operate a server running Ubuntu 12.04, we highly recommend upgrading or migrating to a supported version of Ubuntu:
- Upgrade to Ubuntu 14.04.
- Upgrade from Ubuntu 14.04 to Ubuntu 16.04
- Migrate the server data to a supported version
Reason: Ubuntu 12.04 reached end of life (EOL) on April 28, 2017 and no longer receives security patches or updates. This guide is no longer maintained.
See Instead:
This guide might still be useful as a reference, but may not work on other Ubuntu releases. If available, we strongly recommend using a guide written for the version of Ubuntu you are using. You can use the search functionality at the top of the page to find a more recent version.
You can host multiple SSL certificates on one IP Address using Server Name Indication (SNI).
About SNI
Although hosting several sites on a single virtual private server is not a challenge with the use of virtual hosts, providing separate SSL certificates for each site traditionally required separate IP addresses. The process has recently been simplified through the use of Server Name Indication (SNI), which sends a site visitor the certificate that matches the requested server name.
Note:
SNI can only be used for serving multiple SSL sites from your web server and is not likely to work at all on other daemons, such as mail servers, etc. There are also a small percentage of older web browsers that may still give certificate errors. Wikipedia has an updated list of software that does and does not support this TLS extension.
Set Up
SNI does need to have registered domain names in order to serve the certificates.
The steps in this tutorial require the user to have root privileges. You can see how to set that up in the Initial Server Setup Tutorial in steps 3 and 4.
Apache should already be installed and running on your VPS. If this is not the case, you can download it with this command:
sudo apt-get install apache2
Step One—Create Your SSL Certificates
For the purposes of this tutorial, both certificates will be self-signed. We will be working to create a server that hosts both example.com and example.org.
The SSL certificate has 2 parts main parts: the certificate itself and the public key. To make all of the relevant files easy to access, we should create a directory for each virtual host’s SSL certificate.
mkdir -p /etc/apache2/ssl/example.com
mkdir -p /etc/apache2/ssl/example.org
Step Two— Activate the SSL Module
The next step is to enable SSL on the droplet.
sudo a2enmod ssl
Follow up by restarting Apache.
sudo service apache2 restart
Step Three—Create a Self Signed SSL Certificate
When we request a new certificate, we can specify how long the certificate should remain valid by changing the 365 to the number of days we prefer. As it stands this certificate will expire after one year.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/example.com/apache.key –out /etc/apache2/ssl/example.com/apache.crt
With this command, we will be both creating the self-signed SSL certificate and the server key that protects it, and placing both of them into the new directory.
This command will prompt terminal to display a lists of fields that need to be filled in.
The most important line is "Common Name". Enter your official domain name here or, if you don't have one yet, your site's IP address.
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:US State or Province Name (full name) [Some-State]:New York Locality Name (eg, city) []:NYC Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc Organizational Unit Name (eg, section) []:Dept of Merriment Common Name (e.g. server FQDN or YOUR name) []:example.com Email Address []:webmaster@awesomeinc.com
Then go ahead and take the same steps for the second (example.org) domain:
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/example.org/apache.key -out /etc/apache2/ssl/example.org/apache.crt
Step Four—Create the Virtual Hosts
Once you have the certificates saved and ready, you can add in your information in the virtual host files.
Although it’s not required, we can create two virtual host files to store virtual host information in separate files, copying the configuration from the default virtual host file.
sudo nano /etc/apache2/sites-available/example.com
sudo nano /etc/apache2/sites-available/example.org
Go ahead and open up each file and paste in the configuration below. This configuration is a simplified version of two separate configuration files: the default virtual server configuration file found at /etc/apache2/sites-available/default and the default SSL configuration located in /etc/apache2/sites-available/default-ssl.
Additionally, this configuration includes an important change that facilitates multiple SSL certificates. Whereas the default SSL configuration has the following line, specifying a certificate as the default one for the server,
<VirtualHost _default_:443>
the configuration below does not have a reference to a default certificate. This is key.
Overall, the default configuration files offer a variety of useful directives and additional configuration options that you can add to the virtual host. However, the following information will provide the server everything it needs to set up multiple SSL certificates on one IP address.
<VirtualHost *:80>
ServerAdmin webmaster@localhost
ServerName example.com
DocumentRoot /var/www
</VirtualHost>
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerAdmin webmaster@localhost
ServerName example.com
DocumentRoot /var/www
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine on
# A self-signed (snakeoil) certificate can be created by installing
# the ssl-cert package. See
# /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
# If both key and certificate are stored in the same file, only the
# SSLCertificateFile directive is needed.
SSLCertificateFile /etc/apache2/ssl/example.com/apache.crt
SSLCertificateKeyFile /etc/apache2/ssl/example.com/apache.key
</VirtualHost>
</IfModule>
There are a few lines in these configuration files that need to be customized.
- ServerAdmin: This is simply your webmaster’s email address
- ServerName: This is your domain name. Make sure that you write it in without a prepended www.
- DocumentRoot: This is the directory where you keep your site information. Currently it points to the apache default directory. You will probably have different server roots for the 2 different virtual hosts.
- SSLCertificateFile: This directive points to the location of the certificate file. The certificate for each site is stored in the directory that we created earlier in the tutorial.
- SSLCertificateKeyFile : This directive points to the location of the certificate key. The certificate key for each site is stored in the directory that we created earlier in the tutorial.
Set up both domains’ configurations. We still have more step before the separate SSL certificates will work on both servers.
Step Five—Edit the ports.conf file
The final step required to make sure that multiple certificates work on one VPS is to tell the server to listen on port 443. Add the bolded line to the apache ports configuration file.
sudo nano /etc/apache2/ports.conf
NameVirtualHost *:80
NameVirtualHost *:443
Listen 80
<IfModule mod_ssl.c>
# If you add NameVirtualHost *:443 here, you will also have to change
# the VirtualHost statement in /etc/apache2/sites-available/default-ssl
# to
# Server Name Indication for SSL named virtual hosts is currently not
# supported by MSIE on Windows XP.
Listen 443
</IfModule>
<IfModule mod_gnutls.c>
Listen 443
</IfModule>
Step Six—Activate the Virtual Hosts
The last step is to activate the hosts. Apache makes activating and deactivating hosts very easy.sudo a2ensite example.com sudo a2ensite example.org
(You can deactivate virtual hosts with the command: sudo a2dissite example.com)
With all of the virtual hosts in enabled, restart apache.
sudo service apache2 restart
You should now be able to access both sites, each with its own domain name and SSL certificate.
You can view the sites both with and without the signed SSL certificates by typing in just the domain (eg. example.com or example.org) or the domain with the https prefix (https://example.com or https://example.org).
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
About the author(s)
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.
" There are also a small percentage of older web browsers that may still give certificate errors"
I don’t think the number is really so small. According to the latest data I can find (Dec 2012), Windows XP still holds 39% of the desktop market and 47% of those are surfing with Internet Explorer. So that means that roughly 19% of users on the web will have a problem with SNI at this time. If you’re looking to use it to lock down your admin logins and such, no problem. If you’re looking to use it for e-commerce sites, that will be a serious issue.
Now this is <1%, except in China where its 3%. I run a site hosting/managing business and I think it is worth it to my customers to keep costs down without having to charge for their own IP address.
That is correct, SNI is not yet fully supported so you should review your webtraffic and see how much of it is still using older browsers that do not support it.
When we will get Multipel IP support from “digitalocean”, Any Idea ?
Anyone know what this looks like to an XP user? Do they get a warning or alert?
@flexcode: I believe it will look like this: http://www.enhanceie.com/images/blog/GmailNameMismatchIE6.png
with this example it is working in both modes like http://localhost and https://localhost I removed the VirtualHost *:80 from the default file then https://localhost is working but https://localhost/test.php is not working. After hitting the enter it is going to localhost/test.php and it is telling that 404 error
So how can we resolve this problem
@09jj1a514: Please pastebin apache’s virtualhost config files.
I have “www.mysite.com” and the subdomain “www.secure.mysite.com”
My goal is to only use my EV SSL UNDER www.secure.mysite.com, and not use SSL on www.mysite.com
I created the subdomain www.secure.mysite.com and it works fine.
Should I now make a vhost for www.secure.mysite.com then follow this tutorial?
Thanks in advance!
@KiwoT: Yes, that should work.
Well, it works, but most important question is - how to set this up with SSL certificate from say - GoDaddy ? Will it work ?
@k.horns: Yes, it will. Simply send them the CSR and replace the old crt file with GoDaddy’s signed certificate.
How to do the same in centos 6.4 since the command a2enmod is not working in centos
@Vineet: This article is for Ubuntu, it does <strong>not</strong> work on CentOS. We currently do not have a similar article for CentOS.
See <a href=“https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-centos-6”>https://www.digitalocean.com/community/articles/how-to-create-a-ssl-certificate-on-apache-for-centos-6</a>
Problem with step 3? Step Three—Create a Self Signed SSL Certificate
The dash in front of “-out”, caused me a problem. I removed and added in a dash and it fixed an error I experienced.
Error: “unknown option –out” –out /etc/apache2/ssl/example.com/apache.crt –out /etc/apache2/ssl/example.org/apache.crt
Changed to: -out /etc/apache2/ssl/example.com/apache.crt -out /etc/apache2/ssl/example.org/apache.crt
Again, notice the dash in front of out, “-out”.
Heh, my username is the email addy of the site(s) I post to/from (signup with), in front of my personal domain. Hope that does not confuse in this case. I am not a rep of Digital Ocean.
~FastEddy =]
@digitalocean: Thanks, I’ve updated the article :]
for your example example.com can i use (for my internal intranet) can i change my server name to j.net and it will work with this ssl so instead of example.com i could use j.net is this correct i wish to follow these steps and will it cause any issues by changing my server name to do this and will it work please advise?
@jamied_uk: You will have to replace all occurrences of example.com with j.net (assuming it’s the domain that you want to set up the SSL certificate for).
Hi thanks for this. I had used it to setup my rapidssl cert. I didn’t change any port.conf info and Im running Ubuntu 14… I had to add the location for the intermediate crt from rapidssl though.
ie. SSLCertificateChainFile /etc/apache2/…crt
Mr.Black
Is this article or wiki out of date? https://wiki.apache.org/httpd/NameBasedSSLVHosts
Also, in your example do both sites point to the same hosted files? I want host 2 totally different ssl sites. Is this possible based on your tutorial? https://www.unrelatedsiteone.com and https://www.unrelatedsitetwo.com
@markjwill: This article assumes that you’ve already set up the Virtual Hosts to serve different files. You need to set <code>DocumentRoot</code> to point to different directories. See:
https://www.digitalocean.com/community/articles/how-to-set-up-apache-virtual-hosts-on-ubuntu-12-04-lts
i’ve followed these steps exactly, but when i go to test the sites, the SSL certificate for one site is being used for both, even though they are explicitly set to different certs in the .conf files. one is labelled www.ha… and the other is labelled www.ti… the one for www.ti… uses the cert for www.ha… but the www.ha… uses the appropriate cert. i’m assuming it’s an alphabetical thing, but should it be?
fixed my problem. had a .conf error. listed the VirtualHost as servername:443 and added :443 on the ServerName and ServerAlias items. changed the vhost to *:443 and removed the :443 from the two entries and it worked.
Some problems with the article that can be improved:
One is
It’s an article about two domain names, and the code shown before shows two sections with barely any explanation, one with much more text in description, and both having the same “example.com.” Is one suppoesd to be “example.org”? Does one replicate a section to add a third or fourth site?
That is, there is a lot more in the
<VirtualHost *:443><...>section vs. the<VirtualHost *:80><...>section, should there be more in the first? Should there be a second or an additional<VirtualHost *:443>section for each extra domain?Second,
Clarifying this a little better would be awesome. e.g. I have /var/www with the domain names of each site within, i.e. “philosophique.org” and “travelandmail.com”, among others. In each of those folders (those were folder names) I have public_html–following the https://www.digitalocean.com/community/articles/how-to-set-up-apache-virtual-hosts-on-ubuntu-12-04-lts article (though I did 14.04, I don’t at this very moment remember if I used the 12-04 article or a 14-04 article).
Does that mean I have, in essence, one root with sub-domains and need to create a WWW2, or just a folder /www whose sub-url-named folders are each a root folder, so there are under /www multiple roots? I am pretty sure it’s the folders under …/www that are the roots though, given the article linked AndrewSB above.
Third,
“Directory” in the explanation here, should be made specific rather than referring-back in the article. Just far better from a new user’s standpoint.
Fourth,
Ditto the criticism–constructive not bashing, mind you–from #3. ;)
Fifth, a glaring problem with the explanations of 3 & 4, however, is that we didn’t make “a” directory earlier, but two separate ones for “example.com” and “example.org”, each under /ssl. This means that the article does not specify if we’re to change the configuration file lines from
Or we’re supposed to double them
or what else we actually should be doing.
Which is the biggest of the article’s weaknesses–from the standpoint of anyone who lacks the background knowledge to extrapolate. From your–and almost from my (not quite, but I’m 3-4 tries of this or that to “arrive” wherever the intended destination of these directions is) point of view the words can simply be “applied” to the next issue but, I’m telling you, some priors are assumed here thus missing for a rational guy or gal who is paying close attention to be sure from what’s provided they’re doing the right thing! :O
In literary terms it’s a self-referencing problem ;) Fixing this or a slight revision to add clarifications and instructions to the article and this could perhaps be among the most valuable on the web.
If that point comes, I’m definitely planning to incorporate it among links in a guide to best web resources for new folks to any thing technical and web-site related. :D
Just thought I would add my 2̶ ̶c̶e̶n̶t̶s̶ 10 bucks. Now I’m waiting… -.0
Hi Friends,
Is multiple SSL with single IP for different multiple domains supporting to all browsers ? My server is ubuntu 12.10.
Will it work ?
Regards,
On Ubuntu 14.04.1 x64 bit [below steps worked for me] ** generate certificates for site example.com**
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/example.com/apache.key -out /etc/apache2/ssl/example.com/apache.crt
generate certificates for site example.org
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/apache2/ssl/example.org/apache.key -out /etc/apache2/ssl/example.org/apache.crt ##Virtual Host Configuration <note: the vhost file should have .conf extension###
root@server1:/etc/apache2/sites-available# vim example.com.conf <VirtualHost *:80> ServerAdmin webmaster@localhost ServerName example.org DocumentRoot /var/www/html/example.org
</VirtualHost>
<IfModule mod_ssl.c> <VirtualHost *:443>
</VirtualHost>
</IfModule> ** #Configure ports** #cat /etc/apache2/ports.conf
NameVirtualHost *:80 NameVirtualHost *:443 Listen 80
<IfModule ssl_module> Listen 443 </IfModule>
<IfModule mod_gnutls.c> Listen 443 </IfModule> #Enable sites# a2ensite example.com a2ensite example.org
as of now my virtual hosts allow both 80 and 443, how can i force them to use 443 only?
Can I follow this process for CentOS 7 SNI installation?
Couple of items to note.
In an earlier comment it was pointed out that the dash character was wrong in the code for the generation of the .key and .crt file and this has not been corrected