Multiple SSL Certificate on Apache

I know that you need multiple IP addresses if you want to use multiple SSL certificates with Apache. Assuming I have 2 IPs on my VPS (let's name them 1.1.1.1 and 2.2.2.2), I was wondering if the following setup is possible:

domain1.com would be on 1.1.1.1 and use a signed SSL certificate (from a provider like Verisign)

domain2.com, domain3.com, .. would be on 2.2.2.2 and share a self-signed certificate...

In other words, one domain needs its own signed certificate because it has to process financial transactions, etc., so it will be "alone" on the first IP. The other domain(s) only need a self-signed certificate since it's only for their admin areas and I don't mind the warning(s), so they would all be on the second IP.

Is such a setup possible? If so, any examples of what the virtual host config would look like?

Any help would be appreciated!


Solution 1:

It's pretty simple to have a different cert for a different IP address; just put the SSL cert stuff inside the virtualhosts for each.

Having multiple virtualhosts on a single IP won't really work at this point. There are some technologies that might work for that down the road, but the user population isn't running browsers that can do it. The user agent (browser) establishes an SSL connection and verifies the SSL connection before telling the server what host it's connecting to. You really need a separate IP for each SSL virtualhost.

<VirtualHost 1.1.1.1:443>
        ServerName foo
        DocumentRoot /var/www/foo
        CustomLog /var/log/httpd/foo.ssl_access_log combined
        ErrorLog /var/log/httpd/foo.ssl_error_log

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/foo.crt
        SSLCertificateKeyFile /etc/pki/tls/private/foo.key
</VirtualHost>

<VirtualHost 2.2.2.2:443>
        ServerName bar
        DocumentRoot /var/www/bar
        CustomLog /var/log/httpd/bar.ssl_access_log combined
        ErrorLog /var/log/httpd/bar.ssl_error_log

        SSLEngine on
        SSLProtocol all -SSLv2
        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
        SSLCertificateFile /etc/pki/tls/certs/bar.crt
        SSLCertificateKeyFile /etc/pki/tls/private/bar.key
</VirtualHost>

Solution 2:

As freiheit already mentioned, there is a new way to set up vhosts with different SSL
certificates on a single IP. But the support from the client side is still incomplete.

It's called SNI (Server Name Indication) and it's worth a read.

Best regards...
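A small configuration check that follows from both answers (added here as an example; it is not code from either answerer or from the Apache project): it parses VirtualHost blocks and flags any IP:port where SSL vhosts are configured with different certificate files. Without SNI the client only ever receives the first vhost's certificate on that address, so every later ServerName there gets a name mismatch. The sample config is constructed and assumes the layout described in the question, with a third domain added to show the conflict.

```python
import re
from collections import defaultdict

# Constructed sample: domain1 alone on 1.1.1.1, domain2 and domain3 both on
# 2.2.2.2 but (by mistake) pointing at different certificate files.
SAMPLE_CONFIG = """
<VirtualHost 1.1.1.1:443>
    ServerName domain1.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/domain1.crt
</VirtualHost>
<VirtualHost 2.2.2.2:443>
    ServerName domain2.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/shared-selfsigned.crt
</VirtualHost>
<VirtualHost 2.2.2.2:443>
    ServerName domain3.com
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/domain3.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_ssl_vhosts(text):
    """Return (address, ServerName, SSLCertificateFile) for every vhost with SSLEngine on."""
    found = []
    for m in VHOST_RE.finditer(text):
        addr, body = m.group(1).strip(), m.group(2)
        directives = {}
        for line in body.splitlines():
            parts = line.strip().split(None, 1)
            if len(parts) == 2:  # "Directive value" pairs only
                directives[parts[0].lower()] = parts[1].strip()
        if directives.get("sslengine", "").lower() == "on":
            found.append((addr, directives.get("servername"),
                          directives.get("sslcertificatefile")))
    return found


def find_conflicts(text):
    """Map each IP:port whose SSL vhosts use more than one certificate to its ServerNames.
    These are the vhosts that cannot coexist on one address without SNI support."""
    by_addr = defaultdict(list)
    for addr, name, cert in parse_ssl_vhosts(text):
        by_addr[addr].append((name, cert))
    return {addr: [name for name, _ in entries]
            for addr, entries in by_addr.items()
            if len({cert for _, cert in entries}) > 1}
```

Vhosts on one address that all point at the same shared certificate (the question's self-signed case) are not reported, because the client receives that certificate regardless of which name it asked for.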