Name-based SSL virtual hosts

Linux Configuration and Setup‎ > ‎SSL CA and certificate basics‎ > ‎

The Apache people don't recommend it, but there's an extension to SSL in place (Server Name Indication) that lets named-based virtual hosts work under SSL. It doesn't take much setting up. First, you need to have your SSL infrastructure in place, including the certificates for each server. Then, for Linode's Apache 2 configuration files:

In ports.conf, add "Listen 443" entries to the mod_ssl.c and mod_gnutls.c sections. "NameVirtualHost *:443" should already be present in both.

In the sites-available directory, in the sitename-ssl site configuration file, make sure the VirtualHost directive specifies "*:443". The default-ssl file for the default site continues to have "_default_:443" in it to indicate it's the default for SSL virtual hosts that can't otherwise be identified. Configure the SSLCertificateFile and SSLCertificateKeyFile settings to point to this site's SSL certificate and key.

For multiple sites within a single domain, using a wildcard SSL certificate covering the entire domain is guaranteed to work. It'll even work for browsers that don't do SNI. It's also convenient for development and testing work because you can create new sites on the fly and keep reusing the existing wildcard certificate, avoiding having to create a new certificate for every new test site you play with. Individual certificates for each server name should now work correctly too, as long as the client supports SNI. If you need to support sites in different domains, you have to use individual certificates and clients have to support SNI. Fortunately all modern browsers do, as do the current OpenSSL and libCurl libraries.