About the TLS Extension Server Name Indication (SNI)
When website administrators and IT personnel are restricted to a single
SSL certificate per socket (a combination of IP address and port), it can cost
a lot of money. This restriction forces them to buy additional IP addresses for
ordinary https websites from their hosting provider, or to buy hardware that
lets them use multiple network adapters.
However, with Apache v2.2.12 and OpenSSL v0.9.8j and later you can use a
transport layer security (TLS) extension called SNI. SNI lets you secure
multiple Apache sites with a single SSL certificate, and lets you use multiple
SSL certificates to secure different websites on a single domain (e.g.
www.yourdomain.com, site2.yourdomain.com) or across multiple domains
(www.domain1.com, www.domain2.com), all from a single IP address. The benefit
of using SNI is obvious: you can secure more websites without purchasing more
IP addresses or additional hardware.
Because SNI support in Apache is fairly recent, browser support for SNI is
also recent. Most current major desktop and mobile browsers support SNI. One
notable exception is that no version of Internet Explorer on Windows XP
supports SNI. For more information on which browsers support SNI, please
see SNI browser support.
To use SNI on Apache, please make sure you complete the instructions on
the Apache SSL installation page. Then
continue with the steps on this page.
Setting up SNI with Apache
To use additional SSL Certificates on your server you need to create
another Virtual Host. As a best practice, we recommend making a backup of your
existing .conf file before proceeding. You can create a new Virtual Host in
your existing .conf file or you can create a new .conf file for the new Virtual
Host. If you create a new .conf file, add the following line to your existing
.conf file:
    Include my_other_site.conf
Next, in the NameVirtualHost directive, list your server's public IP address,
*:443, or whichever port you're using for SSL (see the example below).
Then point the SSLCertificateFile, SSLCertificateKeyFile, and
SSLCertificateChainFile to the locations of the certificate files for each
website as shown below:
    NameVirtualHost *:443

    <VirtualHost *:443>
        ServerName www.yoursite.com
        DocumentRoot /var/www/site
        SSLEngine on
        SSLCertificateFile /path/to/www_yoursite_com.crt
        SSLCertificateKeyFile /path/to/www_yoursite_com.key
        SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>

    <VirtualHost *:443>
        ServerName www.yoursite2.com
        DocumentRoot /var/www/site2
        SSLEngine on
        SSLCertificateFile /path/to/www_yoursite2_com.crt
        SSLCertificateKeyFile /path/to/www_yoursite2_com.key
        SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>
If you have a Wildcard or UC certificate, all of the websites using the same
certificate need to reference the same IP address in their <VirtualHost
IP-address:443> section, as in the example below:
    <VirtualHost 192.168.1.1:443>
        ServerName www.domain.com
        DocumentRoot /var/www/
        SSLEngine on
        SSLCertificateFile /path/to/your_domain_name.crt
        SSLCertificateKeyFile /path/to/your_private.key
        SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>

    <VirtualHost 192.168.1.1:443>
        ServerName site2.domain.com
        DocumentRoot /var/www/site2
        SSLEngine on
        SSLCertificateFile /path/to/your_domain_name.crt
        SSLCertificateKeyFile /path/to/your_private.key
        SSLCertificateChainFile /path/to/DigiCertCA.crt
    </VirtualHost>
Now restart Apache and access the https site from a browser that supports
SNI. If you set it up correctly, you will access the site without any warnings
or problems. You can add as many websites or SSL Certificates as you need using
the above process.