🔐 SSL Multiple Domains On Same IP (SNI Support)

Setting up NGinx / Apache with multiple SSL domains on the same IP: make sure you have the correct virtual hosts and certificates for each domain.

Notes on SNI

SNI (Server Name Indication) is a TLS extension that lets the client name the host it wants at the start of the handshake, so that one server can present the right certificate for each of several SSL domains on a single IP. Prior to this, SSL certificates only worked for individual IPs.

What we propose below does not negate the need for SNI. Whilst we would love to fully support No-SNI on a single server, it isn’t feasible without massive tweaking in the back-end.

Please note this solution does not work for No-SNI.

🚩SSL

SSL Certificates are increasingly necessary for websites.

They represent an encryption layer for transactional data sent across the Internet. They encrypt data sent & decrypt data received from SSL-enabled web servers.

Whilst consumers see https:// in web addresses, the backend has several aspects which need to be set up. This tutorial is going to explain how to do this, whilst maintaining several SSL-enabled domains on a single server.

Types

Firstly, we should explain the types of SSL certificate.

There is nothing technically different between them:

All Certificate Authorities Give You 4 Options Of Certificate — They’re All The Same Apart From Small Differences

They all use the same technology, the difference being the level of authorization it gives a domain / server.

The most expensive EV (Extended Validation) / Green Bar certificates provide the highest level of authority:

Extended Validation (Green Bar) Certificates Are The Most Expensive, But Most Consumer-Friendly

Further down the price spectrum, less consumer protection is provided. The least expensive does not require any validation, can be self-issued (self-signed) and provides minimal benefits.

The specific types of certificate are:

  • Domain Validated Certificate
    Validates against domain ownership.
    You do not need to prove any real world identity — only that you own the domain name. This is done with email or DNS records.
  • Organization Validated Certificate
    Validates against organization ownership.
    This will check such data as company records, DNS records and server records to validate a legal entity exists for the certificate holder.
  • Extended Validation Certificate (Green Bar)
    Validates against identity ownership.
    Like organizational validation, legal checks are made on the company in question. However, human verification is required to ensure maximum validation.

Purchasing and installing SSL certificates — whilst it may not appear very important — is a huge deal.

📋 Setup & Installation

All SSL certificates are set up in the same way:

  • Once you have purchased a certificate, you will need to generate a CSR (Certificate Signing Request).
    Your vendor will inform you of the specifics. The easiest way is to use the easy-csr tool by DigiCert, which builds the openssl command for you:
    After purchase, you need to generate a CSR and input it into your vendor’s system.
  • With the CSR generated, input it into your vendor’s system. Since every vendor’s system differs, we recommend contacting your vendor if you have any specific issues.
  • After you submit the CSR, the vendor will send the certificates to your domain’s email.
  • You will receive two files:
    *yourdomainname*.crt
    *yourdomainname*.ca-bundle
  • Remember that all the certificates are just plain text, so don’t worry about corrupting them. You need to combine all the files you receive into a single .crt file, server certificate first:

# server certificate first, then the CA bundle (or equivalent)
$ cat your_domain_name.crt [[ca-bundle or equivalent]] >> bundle.crt

  • Whilst it’s better to do this on the server, you can do it locally. You basically just need to append the .ca-bundle (or equivalent) to the .crt, leaving a single .crt with your own certificate at the top. The host software will use this file together with the .key you used to generate the CSR.

Whilst this process may seem complicated, it’s actually simple once you realize its core components. We would recommend talking to your vendor if any issues arise.
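As an added example (not the article’s own commands), the following POSIX shell script walks the CSR, certificate and bundle steps with OpenSSL and then runs the checks worth doing before a web server ever loads the file. A throw-away private CA created by the script stands in for the vendor; the domain www.example.com, the working directory and every file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original article. Walks the CSR ->
# certificate -> combined bundle steps with OpenSSL and then checks the
# bundle the way you would before pointing a web server at it. A throw-away
# private CA created here stands in for the vendor; the domain, the working
# directory and every file name are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # assumed working directory
DOMAIN="${DOMAIN:-www.example.com}"          # assumed domain name

# Step 1: generate the private key and the CSR you would paste into the
# vendor's system. The key never leaves this machine.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$DOMAIN.key" -out "$WORK/$DOMAIN.csr" \
    -subj "/CN=$DOMAIN" >/dev/null 2>&1
}

# Stand-in for the vendor: a private CA that signs the CSR and hands back
# the two files the article describes, <domain>.crt and <domain>.ca-bundle.
fake_vendor_sign() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
    -keyout "$WORK/ca.key" -out "$WORK/$DOMAIN.ca-bundle" \
    -subj "/CN=Example Test CA" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 30 -in "$WORK/$DOMAIN.csr" \
    -CA "$WORK/$DOMAIN.ca-bundle" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$DOMAIN.crt" >/dev/null 2>&1
}

# Step 2: the article's `cat` step. Order matters: server certificate
# first, then the CA bundle, because the web server sends the file's
# certificates in that order and TLS clients expect the leaf first.
make_bundle() {
  cat "$WORK/$DOMAIN.crt" "$WORK/$DOMAIN.ca-bundle" > "$WORK/bundle.crt"
}

# Step 3: checks to run before restarting NGinx/Apache. Prints OK and
# returns 0, or prints the failing check and returns 1.
check_bundle() {
  bundle="$1"; key="$2"; ca="$3"
  # (a) a single certificate in the file means the chain was never appended
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
  [ "$n" -ge 2 ] || { echo "only $n certificate(s) in bundle, chain missing"; return 1; }
  # (b) the private key must belong to the FIRST certificate in the file
  cert_mod=$(openssl x509 -in "$bundle" -noout -modulus)
  key_mod=$(openssl rsa -in "$key" -noout -modulus 2>/dev/null)
  [ "$cert_mod" = "$key_mod" ] || { echo "key does not match first certificate"; return 1; }
  # (c) that first certificate must be the server certificate, not the CA's
  subject=$(openssl x509 -in "$bundle" -noout -subject -nameopt RFC2253)
  case "$subject" in
    *"CN=$DOMAIN"*) ;;
    *) echo "first certificate is not $DOMAIN: $subject"; return 1 ;;
  esac
  # (d) the leaf must actually chain up to the CA bundle you were given
  openssl verify -CAfile "$ca" "$bundle" >/dev/null 2>&1 \
    || { echo "certificate does not verify against CA bundle"; return 1; }
  echo "OK"
}

# Usage:
#   make_csr && fake_vendor_sign && make_bundle
#   check_bundle "$WORK/bundle.crt" "$WORK/$DOMAIN.key" "$WORK/$DOMAIN.ca-bundle"
```

The two mistakes the checks are built to catch are the ones that produce a working-looking but broken install: concatenating the CA bundle before your own certificate (the server then presents the CA certificate as if it were its own), and forgetting the chain entirely (browsers that do not already hold the intermediate report an untrusted certificate).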

🔌Hosting

Once you have your SSL certificates set up, you need to host them.

With the introduction of SNI, we’re now able to use a single server to host multiple SSL-enabled domains. It used to be the case that you needed a dedicated IP for each SSL domain.

Our method is to set up a virtual host for each domain you wish to serve, providing the SSL certificate for each.

To do this, we need to set up NGinx and Apache to handle the inbound connections:

NGinx

Assuming you have NGinx installed:

Apache

Remember to restart both services after adding the above:

# NGinx
sudo service nginx restart
# Apache (the service is called apache2 on Debian/Ubuntu and httpd on RHEL/CentOS)
sudo service apache2 restart
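As an added example (not the article’s own configuration), here is a shell script that renders one SSL virtual host per domain for NGinx and for Apache, so that every domain on the shared IP is matched by the name the client sends in SNI. The certificate layout /etc/ssl/<domain>/bundle.crt plus /etc/ssl/<domain>/<domain>.key and the document roots under /var/www are assumptions; the domains in the usage comment are constructed sample values.

```shell
#!/bin/sh
# Added example, not the article's own configuration: render one SSL
# virtual host per domain for NGinx and for Apache, so every domain on the
# shared IP is matched by the name the client sends in SNI. The paths
# under /etc/ssl/<domain>/ and /var/www/<domain> are assumptions.
set -eu

CERT_ROOT="${CERT_ROOT:-/etc/ssl}"   # assumed: /etc/ssl/<domain>/bundle.crt and <domain>.key
WWW_ROOT="${WWW_ROOT:-/var/www}"     # assumed document roots

# NGinx: one `server` block per domain. `server_name` is what NGinx matches
# against the SNI host name; the block marked `default_server` is the one
# clients that send no SNI will be given.
render_nginx_vhost() {
  domain="$1"; flag="${2:-}"
  cat <<EOF
server {
    listen 443 ssl${flag};
    server_name ${domain};

    ssl_certificate     ${CERT_ROOT}/${domain}/bundle.crt;
    ssl_certificate_key ${CERT_ROOT}/${domain}/${domain}.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    root ${WWW_ROOT}/${domain};
}

EOF
}

# Apache (2.4.8 or later): the combined bundle.crt can go straight into
# SSLCertificateFile; older releases need SSLCertificateChainFile for the
# CA part. Apache picks the <VirtualHost> whose ServerName matches SNI and
# falls back to the first one defined for clients without SNI.
render_apache_vhost() {
  domain="$1"
  cat <<EOF
<VirtualHost *:443>
    ServerName ${domain}
    DocumentRoot ${WWW_ROOT}/${domain}

    SSLEngine on
    SSLCertificateFile    ${CERT_ROOT}/${domain}/bundle.crt
    SSLCertificateKeyFile ${CERT_ROOT}/${domain}/${domain}.key
</VirtualHost>

EOF
}

# Render a whole set of domains; the first one becomes the NGinx default_server.
render_all_nginx() {
  first=1
  for d in "$@"; do
    if [ "$first" -eq 1 ]; then
      render_nginx_vhost "$d" " default_server"; first=0
    else
      render_nginx_vhost "$d"
    fi
  done
}

render_all_apache() {
  for d in "$@"; do render_apache_vhost "$d"; done
}

# Usage (domains are constructed sample values; output paths are assumptions):
#   render_all_nginx  www.example.com shop.example.net > /etc/nginx/conf.d/ssl.conf
#   render_all_apache www.example.com shop.example.net > /etc/apache2/sites-available/ssl.conf
```

Whichever domain you put first is the one non-SNI clients will reach, so choose it deliberately; the rest are only reachable when the client sends the matching server name.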

💻 Conclusion

To determine if you’ve set it up correctly, you should use the SSL Labs Test at Qualys:

If you set it up correctly, the SSL Labs test should return positive.

Since SSL doesn’t rely on DNS, you’ll be able to get an immediate response.

You should also note that only the default virtual host is reachable by clients that don’t support SNI; the other virtual hosts will be unavailable to them. This doesn’t matter for the most part (unless you need to support Android < 3.0 browsers):

If you absolutely must have No-SNI support, you will need to get a different IP for each SSL domain.

This should give you the ability to handle several SSL-enabled domains on a single server.

📁 Certificate Authorities

Finally, if you need to buy SSL certificates, there are certain accredited places to get them. These are called certificate authorities (very good article):


Whilst you can buy directly from the CA, you’ll often find third parties selling them at lower prices. Most bulk buy and pass the savings on.

Registrars

Our recommendation is to use your registrar or hosting provider.

There is no point using a third party and forgetting the details — stick to your stack and keep your operation lean. It also provides you single points of contact if you need any support.

We use Namecheap (affiliate link).

They are a Comodo reseller (with discounts):

We use Namecheap — you should use your registrar

Like CodeSigning of old, SSL certificates provide a consumer marketing benefit, as well as core technical advantages. And as major browsers adopt encryption as standard, it’s no surprise their popularity is growing.

Hopefully this article will give you insights into securing your web assets.

If you have any questions, please don’t hesitate to ask.

Thank you for reading!
