Apache SSL VirtualHosts on a single IP using UCC/SAN certificate
I need to host several Apache virtual hosts with SSL from a single IP.
Now - I understand that because SSL wraps around the HTTP request, there's no way to know which host is being requested until a public key has been sent to the client first. This essentially breaks the possibility of SSL virtual hosts using a standard SSL certificate.
I have obtained a Unified Communications Certificate (UCC), otherwise known as a Subject Alternative Name (SAN) certificate. This allows me to serve the same certificate for multiple domains.
I would like this to be the certificate served by Apache for any SSL request - and then have Apache resolve the virtual host as usual, once the encryption has been established.
How should I configure Apache for this? I have tried to research how this can be done, but all I can find are quotes which say that it is possible, but no specifics:
wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI
While Apache can renegotiate the SSL connection later after seeing the hostname in the request (and does), that's too late to pick the right server certificate to use to match the request hostname during the initial handshake, resulting in browser warnings/errors about certificates having the wrong hostname in them.
serverfault.com/questions/48334/apache-virtual-hosts-with-ssl
Incidentally, it is possible to have multiple SSL-secured named virtual hosts on a single IP address - I do it on my website - but it produces all sorts of warnings in the Apache logs, and certificate warnings in the browser. I certainly wouldn't recommend it for a production site that needs to look clean. -David Jul 31 at 4:58
www.digicert.com/subject-alternative-name.htm
Virtual Host Multiple SSL sites on a single IP address. Hosting multiple SSL-enabled sites on a single server typically requires a unique IP address per site, but a certificate with Subject Alternative Names can solve this problem. Microsoft IIS 6 and Apache are both able to Virtual Host HTTPS sites using Unified Communications SSL, also known as SAN certificates.
Please help.
Solution 1:
I tested this on my Apache 2.2.14 instance and it worked fine:
Use the NameVirtualHost directive (in ports.conf):
NameVirtualHost *:443
Define your vhosts:
<VirtualHost *:443>
ServerName www.siteA.com
DocumentRoot "/opt/apache22/htdocs/siteA"
# the same UCC/SAN certificate and key are used by every SSL vhost
SSLCertificateFile "/path/to/my/cert"
SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>
<VirtualHost *:443>
ServerName www.siteB.com
DocumentRoot "/opt/apache22/htdocs/siteB"
SSLCertificateFile "/path/to/my/cert"
SSLCertificateKeyFile "/path/to/my/key"
</VirtualHost>
I used this link as a resource.
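Before relying on the shared UCC/SAN certificate for every vhost in the answer above, it is worth checking that each ServerName and ServerAlias on *:443 is actually covered by a SAN entry (an uncovered name still produces the browser warnings the question describes), and which vhost Apache picks for a given SNI name. The following is an added Python example, not code from the question or the answer: the config text and the SAN list are constructed, and the SAN names are assumed to have been copied from the certificate's "Subject Alternative Name" section as printed by `openssl x509 -noout -text`.

```python
import fnmatch
import re

# Constructed sample config: the two vhosts from the answer above, with a ServerAlias
# added to siteB for illustration (not part of the original answer).
APACHE_CONF = """
NameVirtualHost *:443
<VirtualHost *:443>
    ServerName www.siteA.com
    SSLCertificateFile "/path/to/my/cert"
</VirtualHost>
<VirtualHost *:443>
    ServerName www.siteB.com
    ServerAlias siteB.com
    SSLCertificateFile "/path/to/my/cert"
</VirtualHost>
"""
# Constructed SAN list, as read under "Subject Alternative Name" in the output of
# `openssl x509 -in cert.pem -noout -text` for the UCC/SAN certificate.
CERT_SANS = ["www.siteA.com", "*.siteB.com"]

VHOST_RE = re.compile(r"<VirtualHost\s+[^>]*:443\s*>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*(?:ServerName|ServerAlias)\s+(.+?)\s*$", re.I | re.M)

def vhost_names(conf):
    """One list of hostnames per *:443 vhost, in file order (ServerName plus any ServerAlias)."""
    host = lambda n: re.sub(r"^\w+://", "", n).split(":")[0]  # drop "https://" and ":443"
    return [[host(n) for value in NAME_RE.findall(body) for n in value.split()]
            for body in VHOST_RE.findall(conf)]

def san_matches(san, hostname):
    """RFC 6125 style DNS-ID match: case-insensitive, '*' only as the whole leftmost label."""
    san, hostname = san.lower().rstrip("."), hostname.lower().rstrip(".")
    if san.startswith("*."):
        s, h = san.split("."), hostname.split(".")
        return len(s) == len(h) and s[1:] == h[1:]
    return san == hostname

def uncovered_hostnames(conf, sans):
    """Every vhost hostname that no SAN entry covers: browsers will warn for these names."""
    return [n for names in vhost_names(conf) for n in names
            if not any(san_matches(s, n) for s in sans)]

def select_vhost(conf, sni_hostname):
    """Index of the vhost Apache serves for an SNI name: first ServerName/ServerAlias match (shell-style wildcards allowed), otherwise the first *:443 vhost as the default."""
    for i, names in enumerate(vhost_names(conf)):
        if any(fnmatch.fnmatch(sni_hostname.lower(), n.lower()) for n in names):
            return i
    return 0
```

Run against a real certificate by pasting its SAN names into CERT_SANS and the live vhost config into APACHE_CONF; note that `*.siteB.com` does not cover the bare `siteB.com`, which is the kind of gap this check is meant to surface.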