When a browser tries to connect a website it verifies the name and domain name of the web page. The server with equipped SSL certificate does the rest job by automatically verifying website. The domain name that the browser wants to access must be validated with the SSL certificate. If the domain name does not meet with the specified conditions, then the visitor will see a warning message, perhaps followed by a website disconnection. To avoid this situation, SSL requires a dedicated IP address. It allows the web server to identify the incoming domain name request, and can serve the right certificate to the browser.
It is difficult to handle multiple IP addresses designed for each website in the end. In this case, SNI (Server Name Indication) instantly connects the desired website name during the first SSL handshake so; the server sends back the right certificate. SNI helps the web server to connect multiple certificates for multiple domain names to a single IP address. However, old browsers and older operating systems do not support SNI.
Browser And Server Support:
If we consider popular browsers, then IE7+, Mozilla Firefox 2.0+, Opera 8.0+, Google Chrome (Window Vista or higher), window phone 7 support SNI.
If we look at most popular servers, then Apache 2.2.12 + with mod_SSL, Apache Traffic Server 3.2.0+, Apache Tomcat on Java 7 +, Nginx with established OpenSSL with SNI support, Microsoft Internet Information Server IIS 8 support Server Name Indication (SNI).
Below is an example of SNI through you can set up multiple SSL certificate on a single IP with Apache Server on Ubuntu.
Set Up Multiple SSL Certificates On Single IP With Apache On Ubuntu 12.04
You can host many SSL certificates on a single IP Address with Server Name Indication (SNI). You do not need registered domains for SNI to serve the certificates. You should have root privileges. Here is the process given to host multiple SSLs on a single IP with Apache with Ubuntu 12.04 for testing purpose.
- You should have installed Apache or you can download Apache with following command.
sudo apt-get install apache2
- Create self signed SSL certificate for domains like abc.com and abc.org. Create a directory for individual virtual host’s SSL certificate. keep a public key and certificate in this directory.
mkdir -p /etc/apache2/ssl/abc.com mkdir -p /etc/apache2/ssl/abc.org
- Now, enable SSL on virtual servers and restart Apache
sudo a2enmod ssl sudo service apache2 restart
- Create a self-signed certificate for abc.com, and set the expiry date to one year. Place both certificate and private key into the directory. Now you have to fill a list of fields related to your organizations.
- Now follow the same instruction for the second domain like abc.org.
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 - keyout/etc/apache2/ssl/abc.org/apache.key -out /etc/apache2/ssl/abc.org/apache.crt
- Create two virtual host files for storing virtual host information.
sudo nano /etc/apache2/sites-available/abc.com sudo nano /etc/apache2/sites-available/abc.org
- The following information is necessary to set up multiple SSL certificates directing a single IP address.
<VirtualHost *:80> ServerAdmin webmaster@localhost ServerName abc.com DocumentRoot /var/www </VirtualHost> <IfModule mod_ssl.c> <VirtualHost *:443> ServerAdmin webmaster@localhost ServerName abc.com DocumentRoot /var/www # SSL Engine Switch: # Enable/Disable SSL for this virtual host. SSLEngine on # A self-signed (snakeoil) certificate can be created by installing # the ssl-cert package. See # /usr/share/doc/apache2.2-common/README.Debian.gz for more info. # If both key and certificate are stored in the same file, only the # SSLCertificateFile directive is needed. SSLCertificateFile /etc/apache2/ssl/abc.com/apache.crt SSLCertificateKeyFile /etc/apache2/ssl/abc.com/apache.key </VirtualHost> </IfModule>
- Activate the virtual host and restart Apache.
Conclusion:
SNI removes the problem of sending exact domain name to the browser among multiple domain names. In the past, enterprise has to pay for an additional amount for IP address but with SNI, a single IP address can host multiple SSL certificates without paying any extra cost.
