Configuring Apache for Multiple SSL VirtualHosts on Single IP Using UCC/SAN Certificates



When implementing multiple SSL-enabled virtual hosts on Apache with a single IP address, the fundamental limitation stems from the SSL handshake occurring before HTTP headers are processed. Traditional name-based virtual hosting breaks because:

1. Client initiates TLS handshake
2. Server must present certificate (before seeing Host header)
3. HTTP layer processes Host header

A Unified Communications Certificate (UCC) containing Subject Alternative Names (SANs) allows multiple domains to be secured under one certificate. The key requirements:

  • Apache 2.2.12+ with OpenSSL 0.9.8f+
  • SNI (Server Name Indication) support
  • All domains listed in the SAN field

Here's a complete working configuration for two virtual hosts:


# Global SSL configuration
Listen 443
# Certificate directives set here are inherited by every SSL VirtualHost that does
# not override them. SSLEngine itself belongs inside each VirtualHost: enabling it
# at global scope would also turn on TLS for the main server on port 80.
SSLCertificateFile /path/to/your_domain.crt
SSLCertificateKeyFile /path/to/your_private.key
# Apache 2.4.8+ deprecates SSLCertificateChainFile; append the intermediate(s)
# to the file named in SSLCertificateFile instead.
SSLCertificateChainFile /path/to/IntermediateCA.crt

# First VirtualHost
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/example

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5

    # Other directives...
</VirtualHost>

# Second VirtualHost
<VirtualHost *:443>
    ServerName shop.example.net
    DocumentRoot /var/www/shop

    SSLEngine on
    # Uses same certificate as above (inherited from the global directives)
    # Additional SSL directives if needed...
</VirtualHost>

Certificate Requirements: Your UCC certificate must include every hostname as a SAN, including the one used as the CN, because modern clients validate against the SAN list alone and ignore the CN. The relevant part of `openssl x509 -text` output looks like this:

Subject: CN = primary-domain.com
X509v3 Subject Alternative Name:
    DNS:www.example.com, DNS:example.com, DNS:shop.example.net

Browser Compatibility: While SNI is supported by all modern browsers (IE7+, Chrome, Firefox, Safari), some legacy clients may encounter issues.

If encountering problems, verify these aspects:

# Check Apache error logs
tail -f /var/log/apache2/error.log

# Verify certificate contents
openssl x509 -in your_cert.crt -text -noout

# Test SSL configuration
openssl s_client -connect yourdomain:443 -servername yourdomain

For high-traffic implementations:

  • Enable OCSP stapling to reduce handshake latency
  • Consider using TLS 1.3 for improved performance
  • Implement HTTP/2 to multiplex connections

# Enable OCSP stapling. SSLStaplingCache is only valid in the global server
# config (outside any VirtualHost); SSLUseStapling may be set globally or
# per VirtualHost.
SSLUseStapling on
SSLStaplingCache "shmcb:logs/stapling-cache(150000)"

When implementing multiple SSL-enabled virtual hosts on Apache with a single IP address, the fundamental limitation stems from how the SSL/TLS handshake occurs before HTTP negotiation. Traditional name-based virtual hosting becomes impossible because the server must present the correct certificate before seeing the Host header.

Unified Communications Certificates (UCC) containing Subject Alternative Names allow one certificate to secure multiple domains. Here's what makes this work:

  • Single certificate contains all domain names in the SAN field
  • No need for separate IP addresses per domain
  • Supported by all modern browsers (requires SNI support)

Here's a complete configuration example for two domains (example.com and example.net) sharing one IP:


<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/example.com
    
    SSLEngine on
    SSLCertificateFile /path/to/your_ucc_cert.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/intermediate.crt
    
    # Other SSL directives...
</VirtualHost>

<VirtualHost *:443>
    ServerName example.net
    ServerAlias www.example.net
    DocumentRoot /var/www/example.net
    
    SSLEngine on
    SSLCertificateFile /path/to/your_ucc_cert.crt
    SSLCertificateKeyFile /path/to/your_private.key
    SSLCertificateChainFile /path/to/intermediate.crt
</VirtualHost>

Several key points ensure proper operation:

  1. All virtual hosts must use the exact same certificate files
  2. Enable SNI support in Apache (default in Apache 2.2.12+)
  3. Include all domains in your UCC certificate's SAN field
  4. Configure one VirtualHost block per domain

When things go wrong, check these areas first:

  • Certificate errors: Verify all domains are listed in the SAN field
  • Browser compatibility: Older clients (IE on XP) may not support SNI
  • Apache version: Ensure you're running Apache 2.2.12 or later

While this solution works well, be aware of these factors:

  • All virtual hosts share the same SSL session cache
  • Certificate revocation checks apply to all domains
  • OCSP stapling configuration affects all domains equally

For maximum flexibility, combine wildcard and specific SAN entries:


# In your certificate request:
subjectAltName=DNS:example.com,DNS:www.example.com,DNS:*.example.net,DNS:example.org

This allows securing both specific domains and subdomains under a single certificate. Note that a wildcard entry covers exactly one label: *.example.net matches shop.example.net, but neither the bare example.net nor a two-level name such as a.b.example.net, so those must be listed separately.
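A quick way to catch the certificate mismatch described in the Certificate Requirements section above, and the one-label wildcard rule just mentioned, is to cross-check the hostnames Apache will answer for against the SAN list before reloading. The following is an added example, not code from the original article or from Apache: it pulls every ServerName and ServerAlias out of a constructed copy of the article's two-VirtualHost configuration, parses the SAN line from the CSR example (both the `DNS:a,DNS:b` request form and the `DNS:a, DNS:b` form printed by `openssl x509 -text`), and reports which hostnames the certificate would not cover. The configuration text, the SAN line and the extra `shop.example.net` alias are constructed inputs for the demonstration; the matching rule follows RFC 6125 (a wildcard matches a single leftmost label only).

```python
import re
from typing import Dict, List

# Constructed sample input: the article's two SSL VirtualHosts, plus an extra
# alias, so that both the wildcard match and the bare-domain gap are visible.
APACHE_CONF = """
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName example.net
    ServerAlias www.example.net shop.example.net
    SSLEngine on
</VirtualHost>
"""

# Constructed sample input: the subjectAltName line from the article's CSR example.
SAN_LINE = "subjectAltName=DNS:example.com,DNS:www.example.com,DNS:*.example.net,DNS:example.org"


def parse_san(line: str) -> List[str]:
    """Return the DNS: entries of a subjectAltName value, lower-cased.

    Accepts the CSR form 'DNS:a,DNS:b' as well as the 'DNS:a, DNS:b' layout
    that `openssl x509 -text` prints.
    """
    return [name.lower() for name in re.findall(r"DNS:\s*([^,\s]+)", line)]


def vhost_names(conf: str) -> List[str]:
    """Collect every ServerName/ServerAlias hostname from SSL-enabled VirtualHosts."""
    names: List[str] = []
    for block in re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", conf, re.S):
        if not re.search(r"^\s*SSLEngine\s+on\b", block, re.M | re.I):
            continue  # plain-HTTP vhost, not covered by the certificate
        for directive in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", block, re.M):
            for token in directive.group(1).split():
                # ServerName may carry a scheme and port (https://host:443); keep the host only
                host = token.split("://")[-1].split(":")[0]
                names.append(host.lower())
    return names


def san_matches(host: str, san: str) -> bool:
    """RFC 6125 matching: a wildcard stands for exactly one leftmost label.

    '*.example.net' matches 'shop.example.net' but neither 'example.net'
    nor 'a.b.example.net'.
    """
    if not san.startswith("*."):
        return host == san
    suffix = san[1:]  # ".example.net"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def coverage(conf: str, san_line: str) -> Dict[str, bool]:
    """Map each configured hostname to whether some SAN entry covers it."""
    sans = parse_san(san_line)
    return {host: any(san_matches(host, san) for san in sans) for host in vhost_names(conf)}


def uncovered(conf: str, san_line: str) -> List[str]:
    """Hostnames Apache will answer for that the certificate does not cover."""
    return [host for host, ok in coverage(conf, san_line).items() if not ok]


if __name__ == "__main__":
    for host, ok in coverage(APACHE_CONF, SAN_LINE).items():
        print(f"{host:20s} {'covered' if ok else 'NOT COVERED'}")
    missing = uncovered(APACHE_CONF, SAN_LINE)
    if missing:
        print("Add these SAN entries before deploying:", ", ".join(missing))
```

Run against the constructed inputs, the script flags `example.net`: the wildcard `*.example.net` covers `www.example.net` and `shop.example.net` but not the bare domain, which is exactly the case the preceding paragraph warns about. Pointing `vhost_names` at a real `httpd -S`-style dump or the output of `openssl x509 -text -noout` works the same way, since only the regular expressions above are involved.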

For edge cases where SNI isn't supported, configure a fallback:


# Apache hands clients that send no SNI the first VirtualHost bound to the
# matching address:port, so this block must appear before the named hosts.
# A _default_:443 address only matches IPs that no other VirtualHost claims,
# so it would never be reached once *:443 hosts exist; bind to *:443 instead.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /path/to/fallback.crt
    SSLCertificateKeyFile /path/to/fallback.key
    # Minimal configuration for legacy clients
</VirtualHost>