Welcome,
In this tutorial we will look at setting up SNI with Apache 2.4. With SNI you can use multiple SSL certificates in Apache on one IP address.
Since Apache 2.2.12 and OpenSSL 0.9.8j you can use a TLS extension called Server Name Indication (SNI). With SNI you can secure multiple Apache sites using a single SSL certificate, or use multiple SSL certificates to secure various websites on a single domain (e.g. www.yourdomain.com, site2.yourdomain.com) or across multiple domains (www.domain1.com, www.domain2.com), all from a single IP address. The benefit of using SNI is obvious: you can secure more websites without purchasing more IP addresses or additional hardware.
SNI is supported by many common browsers:
Desktop browsers:
- Internet Explorer 7 and later
- Firefox 2 and later
- Opera 8 with TLS 1.1 enabled
- Google Chrome: supported on Windows XP on Chrome 6 and later; supported on Vista and later by default; OS X 10.5.7 in Chrome version 5.0.342.0 and later
- Safari 2.1 and later (requires OS X 10.5.6 and later or Windows Vista and later)
Note: no version of Internet Explorer on Windows XP supports SNI.
Mobile browsers:
- Mobile Safari for iOS 4.0 and later
- Android 3.0 (Honeycomb) and later
- Windows Phone 7 and later
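The reason the browser list matters is that the server has to pick a certificate before any encryption is in place, so the client must announce the host name in the clear inside its first TLS message (the ClientHello). The following script is an added example, not part of the original tutorial: it builds a minimal, constructed ClientHello with and without the SNI extension and then parses the host name back out of it, which is the same information mod_ssl uses to select the matching VirtualHost. The cipher suites and the extra extension in the builder are arbitrary filler chosen for the example.

```python
"""Build a constructed TLS ClientHello and extract the SNI host name from it.

Added example: shows the wire format of the server_name extension (RFC 6066)
that lets Apache choose a certificate per host name on one IP address.
"""
import os
import struct

SNI_EXTENSION_TYPE = 0   # extension type "server_name"
HOST_NAME_TYPE = 0       # the only defined name type: host_name
EC_POINT_FORMATS = 11    # an unrelated extension, included so the parser has to skip it


def build_client_hello(server_name=None):
    """Return a TLS record holding a ClientHello; add the SNI extension if a name is given."""
    body = b"\x03\x03" + os.urandom(32) + b"\x00"      # client_version, random, empty session id
    suites = b"\xc0\x2f\x00\x9c"                        # two arbitrary cipher suites (constructed)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                 # one compression method: null

    extensions = struct.pack("!HH", EC_POINT_FORMATS, 2) + b"\x01\x00"
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type ClientHello, 24-bit length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the SNI host name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16:                            # not a handshake record
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:                                # not a ClientHello
            return None
        hs_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + hs_len]

        pos = 2 + 32                                     # skip client_version and random
        sid_len = body[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2 + cs_len
        cm_len = body[pos]
        pos += 1 + cm_len
        if pos + 2 > len(body):
            return None                                  # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len

        while pos + 4 <= end:                            # walk the extension list
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", edata[0:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:                 # walk the server_name_list
                ntype, nlen = struct.unpack("!BH", edata[q:q + 3])
                q += 3
                name = edata[q:q + nlen]
                q += nlen
                if ntype == HOST_NAME_TYPE:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


if __name__ == "__main__":
    for host in ("www.example.com", "site2.yourdomain.com", None):
        hello = build_client_hello(host)
        print(f"sent {host!r:>24} -> server sees {extract_sni(hello)!r}")
```

A client that omits the extension (the Windows XP browsers above) yields None; mod_ssl then falls back to the first VirtualHost defined for that address and port, so the certificate that client receives is whichever one you listed first.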
Now, looking at our Apache installation at location /etc/apache2/mods-available we can see that the ssl-module is in there ready to be enabled:
root@ubuntu01:/etc/apache2/mods-available# ls -al
...
-rw-r--r-- 1 root root 3404 Jan  7  2014 ssl.conf
-rw-r--r-- 1 root root   97 Jan  3  2014 ssl.load
Determining if the ssl-module is already enabled can be done with the following command…
root@ubuntu01:/etc/apache2/mods-available# apachectl -M
…or by listing the /etc/apache2/mods-enabled folder:
root@ubuntu01:/etc/apache2/mods-enabled# ls -al
We can see that it’s not enabled yet, so let’s enable it:
root@ubuntu01:/etc/apache2/mods-enabled# a2enmod ssl
Considering dependency setenvif for ssl:
Module setenvif already enabled
Considering dependency mime for ssl:
Module mime already enabled
Considering dependency socache_shmcb for ssl:
Enabling module socache_shmcb.
Enabling module ssl.
See /usr/share/doc/apache2/README.Debian.gz on how to configure SSL and create self-signed certificates.
To activate the new configuration, you need to run:
  service apache2 restart
To verify that the symlinks have now been created, we can list the content of the mods-enabled folder:
root@ubuntu01:/etc/apache2/mods-enabled# ls -al
...
lrwxrwxrwx 1 root root 26 Jul  6 11:53 ssl.conf -> ../mods-available/ssl.conf
lrwxrwxrwx 1 root root 26 Jul  6 11:53 ssl.load -> ../mods-available/ssl.load
Now create a folder where we will put the certificates and keys. I chose to call it ssl-stuff:
root@ubuntu01:/etc/apache2# mkdir ssl-stuff
Copy your certificate www_example_com.crt, your unencrypted key www_example_com.key and your Certificate Authority’s certificate file ca.crt into it.
Please note:
- If the private key is encrypted, Apache will prompt for the pass phrase at startup time.
- SSLCertificateChainFile became obsolete with Apache version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.
Since we are using Apache 2.4.7, the deprecation of SSLCertificateChainFile does not concern us.
Set the permissions so that only the owner can read and write the decrypted key in ssl-stuff:
root@ubuntu01:/etc/apache2/ssl-stuff# chmod 600 www_example_com.key
Now edit your vhosts file:
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/example

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <Directory /var/www/example>
        Options Indexes FollowSymLinks
        AllowOverride None
        Require all granted
    </Directory>

    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl-stuff/www_example_com.crt
    SSLCertificateKeyFile /etc/apache2/ssl-stuff/www_example_com.key
    SSLCertificateChainFile /etc/apache2/ssl-stuff/ca.crt

    JkMount /manager/* ajp13_worker
    JkMount /manager ajp13_worker
    JkMount /examples/* ajp13_worker
    JkMount /examples ajp13_worker
</VirtualHost>
</IfModule>
Now restart Apache and access the https site from a browser that supports SNI. If you set it up correctly, you will reach the site without any warnings or problems. You can add as many websites or SSL certificates as you need by adding more VirtualHost configurations similar to the one above, each with its own ServerName and certificate files.
root@ubuntu01:/etc/apache2/sites-available# service apache2 restart
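After the restart it is worth checking from the outside that each name really gets its own certificate, rather than relying on the absence of a browser warning. The script below is an added example, not part of the original tutorial: for every expected host name it opens a TLS connection with SNI, verifies the chain against the tutorial's ca.crt, and confirms the returned certificate covers that name; a final connection without SNI shows which certificate a non-SNI client would be handed. The server address, port, CA path and list of expected names are assumptions to adjust to your setup.

```python
"""Probe an SNI-enabled Apache and confirm each host name is served the right certificate.

Added example. Assumed values below mirror the tutorial's paths and names.
"""
import socket
import ssl

CA_FILE = "/etc/apache2/ssl-stuff/ca.crt"   # assumption: the CA file copied in the tutorial
SERVER = "127.0.0.1"                         # assumption: probe the local Apache
PORT = 443
EXPECTED_NAMES = ["www.example.com"]         # assumption: one name per VirtualHost you configured


def cert_dns_names(cert):
    """Collect the DNS names (CN plus SAN entries) from a getpeercert() dictionary, in order, without duplicates."""
    names = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and value not in names:
            names.append(value)
    return names


def name_matches(pattern, hostname):
    """Exact, case-insensitive match, or a wildcard in the leftmost label only (RFC 6125 style)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split("."), hostname.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def cert_covers(cert, hostname):
    """True if any name in the certificate is valid for hostname."""
    return any(name_matches(name, hostname) for name in cert_dns_names(cert))


def fetch_cert(server, port, sni_name, ca_file):
    """Connect, send SNI only if sni_name is given, and return the verified peer certificate."""
    ctx = ssl.create_default_context(cafile=ca_file)   # CERT_REQUIRED against our own CA
    ctx.check_hostname = False                         # we report mismatches ourselves instead of raising
    with socket.create_connection((server, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def probe(server, port, expected, ca_file):
    """Return {name: covered?} for each expected name, plus the names on the no-SNI default certificate."""
    results = {}
    for name in expected:
        results[name] = cert_covers(fetch_cert(server, port, name, ca_file), name)
    results["<no SNI>"] = cert_dns_names(fetch_cert(server, port, None, ca_file))
    return results


if __name__ == "__main__":
    for key, value in probe(SERVER, PORT, EXPECTED_NAMES, CA_FILE).items():
        print(f"{key:>20}: {value}")
```

If a name reports False, the server answered that SNI value with another VirtualHost's certificate, which usually means the ServerName does not match the name the client sent. The no-SNI line tells you which VirtualHost is acting as the default for that address; make sure that is the one you intend legacy clients to see.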