How can I setup different SSL-Certificates for vhosts on Apache?

Question

I have a web-server, that serves different domain-names, but has only one IP-address assigned. That works fine with virtual hosts in Apache. Now I want SSL-encrypted connect

Answer 1

UPDATE: 2013

It appears that SNI is finally beginning take hold as older browsers are falling away. Here are the docs for Apache SNI and here is a wikipedia article on SNI that includes a chart on browsers that support it. In short, all the major browsers support it in supported versions; if supporting older browsers is important, you may have to take that into consideration.

------ previous answer ------------

SSL Hosts must be tied to a unique IP address/port combination, thus you cannot use virtual hosting (Or at least, it can only have one ssl host per IP address). This is due to the fact that https begins encryption before the Host: parameter is sent in http, and thus it cannot determine which cipher to use from the hostname - all it has is the IP address.

This would be silly easy to fix if HTTP had a TLS command so it could start SSL after asking for the hostname, but no one asked me.

For the definitive answer, see http://httpd.apache.org/docs/2.0/ssl/ssl_faq.html#vhosts2

Answer 2

AFAIK it's not possible to set up different SSL certificates for name-based virtual hosts using mod_ssl. You can read the detailed reason here. An alternative would be using IP based virtual hosts (Which is probably not possible / not a very satisfying solution) - just insert different SSLCertificateFile directives, or you could try this method using mod_gnutls.

Answer 3

You will need a separate IP:port combination for each vhost.

RFC 3546 is not feasible yet. IE only supports it when running under Vista, and last I checked Safari doesn't manage it either.

Answer 4

Finally it's possible! You need both server and client to support Server Name Indication (SNI)

Browsers, that support SNI:

• Mozilla Firefox 2.0 or later
• Opera 8.0 or later (with TLS 1.1 enabled)
• Internet Explorer 7.0 or later (on Vista, not XP)
• Google Chrome
• Safari 3.2.1 on Mac OS X 10.5.6

This doc shows hoe to configure your server: SSL with Virtual Hosts Using SNI

Answer 5

While everything DGM mentioned is true, there have been some attempts to get around the requirement for a unique IP address for every certificate including mod_gnutls and using TLS extensions. There are some drawbacks but they may be acceptable to you.

Answer 6

After hints in the answers given and comments to it (especially by Martin v. Löwis) I did some googling and found this website about RFC 2817 and RFC 3546. RFC 3546 seems to be a good solution.