How To Set Up Multiple SSL Certificates On a CentOS VPS With Apache Using One IP Address

In this tutorial we will show you how to set up multiple SSL certificates on a CentOS VPS with Apache using only one IP address.

This is made possible by an extension to the SSL/TLS protocol called Server Name Indication (SNI): the client sends the hostname it wants during the handshake, so the server can present the matching certificate for that name. Most current desktop and mobile web browsers support SNI. The main benefit of using SNI is the ability to secure multiple websites without purchasing more IP addresses.

Make sure the mod_ssl security module is installed and enabled so the Apache web server can use the OpenSSL library and toolkit:

yum install mod_ssl openssl

Execute the following commands:

mkdir -p /etc/httpd/ssl/
mv /etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ssl.conf.bak
cd /etc/httpd/ssl/

Generate a private key and a certificate signing request (CSR) for each of your domains:

openssl genrsa -out domain1.key 2048
openssl req -new -key domain1.key -out domain1.csr

openssl genrsa -out domain2.key 2048
openssl req -new -key domain2.key -out domain2.csr

and enter the following details for your certificates:

  • Country Name
  • State or Province Name
  • Locality Name
  • Organization Name
  • Organizational Unit Name
  • Email Address

When prompted for the Common Name (i.e. domain name), enter the FQDN (fully qualified domain name) for the website you are securing.

For a production environment it is recommended to install commercial SSL certificates. When you are only developing or testing a website or application, you can instead generate and use self-signed SSL certificates with the following commands:

openssl x509 -req -days 365 -in domain1.csr -signkey domain1.key -out domain1.crt

openssl x509 -req -days 365 -in domain2.csr -signkey domain2.key -out domain2.crt

Create a new ‘ssl.conf’ Apache configuration file (the original was moved aside to ‘ssl.conf.bak’ above):

vi /etc/httpd/conf.d/ssl.conf

and add the following lines:

LoadModule ssl_module modules/mod_ssl.so

Listen 443

NameVirtualHost *:443

SSLPassPhraseDialog  builtin
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
SSLStrictSNIVHostCheck off

<VirtualHost *:443>
DocumentRoot /var/www/html/domain1
ServerName domain1.com
ServerAlias www.domain1.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/domain1.crt
SSLCertificateKeyFile /etc/httpd/ssl/domain1.key
#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

<VirtualHost *:443>
DocumentRoot /var/www/html/domain2
ServerName domain2.com
ServerAlias www.domain2.com
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/domain2.crt
SSLCertificateKeyFile /etc/httpd/ssl/domain2.key
#SSLCertificateChainFile /etc/httpd/ssl/ca.crt
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
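Before restarting Apache it is worth checking the file for the mistakes that typically break SNI (a vhost with no ServerName or one that duplicates another, a mistyped ServerAlias, a missing key file) and for the weaker settings in the template above (the LOW, MEDIUM and RC4 cipher tokens, SSLv3 left enabled by `all -SSLv2`, and `SSLMutex`, which Apache 2.4 no longer accepts). The following linter is an added example, not code from the original post; it understands only the directives used above and embeds a constructed two-vhost sample with those faults built in.

```python
import re
# Constructed sample, not the page's full ssl.conf: the tutorial's two-vhost layout, with
# vhost 2 deliberately reusing domain1's ServerName, a mistyped alias and no key file.
SAMPLE_CONF = """
SSLMutex default
<VirtualHost *:443>
ServerName domain1.com
ServerAlias www.domain1.com
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
SSLCertificateFile /etc/httpd/ssl/domain1.crt
SSLCertificateKeyFile /etc/httpd/ssl/domain1.key
</VirtualHost>
<VirtualHost *:443>
ServerName domain1.com
ServerAlias www. domain2.com
SSLCertificateFile /etc/httpd/ssl/domain2.crt
</VirtualHost>
"""
WEAK = {"LOW", "MEDIUM", "EXPORT", "RC4", "ADH", "aNULL", "eNULL", "DES", "MD5"}
HOST_RE = re.compile(r"(\*|[A-Za-z0-9-]+)(\.[A-Za-z0-9-]+)+")  # label(.label)+, wildcard ok
VH_RE = re.compile(r"<VirtualHost[^>]*>(.*?)</VirtualHost>", re.S | re.I)

def directives(body):  # map each directive name to the list of its argument strings
    body = re.sub(r"\\\n\s*", " ", body).replace("\t", " ")  # join continued lines, drop tabs
    d = {}
    for key, _, val in (line.strip().partition(" ") for line in body.splitlines()):
        if key and key[0] not in "#<":  # skip blank lines, comments and <Files>-style tags
            d.setdefault(key, []).append(val.strip())
    return d

def lint(conf):  # return a list of findings; an empty list means nothing was flagged
    g = directives(VH_RE.sub("", conf))  # directives outside any <VirtualHost>
    out = ["global: SSLMutex was removed in Apache 2.4, use Mutex"] if "SSLMutex" in g else []
    seen = set()
    for i, body in enumerate(VH_RE.findall(conf), 1):
        vh, tag = directives(body), f"vhost {i}"
        name = vh.get("ServerName", [""])[0]  # SNI selects the vhost by this name
        if not name or name in seen:
            out.append(f"{tag}: ServerName {name!r} missing or already used, SNI cannot select it")
        seen.add(name)
        out += [f"{tag}: ServerAlias token {a!r} is not a hostname"
                for a in " ".join(vh.get("ServerAlias", [])).split() if not HOST_RE.fullmatch(a)]
        out += [f"{tag}: missing {d}" for d in ("SSLCertificateFile", "SSLCertificateKeyFile") if d not in vh]
        proto = vh.get("SSLProtocol", [""])[0].split()  # only judge an explicit setting
        if "all" in proto and "-SSLv3" not in proto: out.append(f"{tag}: SSLv3 still enabled, add -SSLv3")
        for t in ":".join(vh.get("SSLCipherSuite", [])).split(":"):
            bad = set() if t.startswith("!") else WEAK & set(t.strip("+").split("+"))
            if bad: out.append(f"{tag}: cipher token {t} enables weak {sorted(bad)}")
    return out
```

Run `lint()` on the contents of your own ssl.conf; it only reads the file, so to confirm which certificate the running server actually presents for each name, connect with `openssl s_client -servername <host> -connect <host>:443`.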

When using a commercial SSL certificate, it is likely the signing authority will also include an intermediate CA certificate. In that case, create a new ‘/etc/httpd/ssl/ca.crt’ file and paste the contents of the intermediate CA certificate into it, then edit the ‘ssl.conf’ configuration file and uncomment the following line in each VirtualHost:

SSLCertificateChainFile /etc/httpd/ssl/ca.crt

so the Apache web server can find your CA certificate.

Test the Apache configuration:

/etc/init.d/httpd configtest

Syntax OK

Restart the Apache service for the changes to take effect:

service httpd restart

Open https://domain1.com and https://domain2.com in your favorite web browser and verify that each site presents its own SSL certificate.

Of course you don’t have to do any of this if you use one of our Linux VPS Hosting services, in which case you can simply ask our expert Linux admins to set up multiple SSL Certificates on your VPS for you. They are available 24×7 and will take care of your request immediately.

PS. If you liked this post please share it with your friends on the social networks using the buttons on the left or simply leave a reply below. Thanks.

15 thoughts on “How To Set Up Multiple SSL Certificates On a CentOS VPS With Apache Using One IP Address”

  1. It really helped to solve my SSL certificate problem. I asked the support team of my SSL certificate provider; they were blindly saying to buy a dedicated IP on the VPS server.

    Thank you so much.

    Regards,
    banoth kumar

  2. Thanks for such a wonderful article. I followed your article exactly, but I am facing the below error:

    [warn] RSA server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

    my hosts file
    cat /etc/hosts
    127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
    ::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
    10.3.1.30 site1.example.com site1
    10.3.1.30 site2.example.com site2
    10.3.1.30 site3.example.com site3
    10.3.1.30 site4.example.com site4

    my ssl.conf file

    Listen 443

    NameVirtualHost *:443

    DocumentRoot /var/www/html/site3
    ServerName site3.example.com
    ServerAlias www. site3.example.com
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/httpd/ssl/site3.crt
    SSLCertificateKeyFile /etc/httpd/ssl/site3.key
    #SSLCertificateChainFile /etc/httpd/ssl/ca.crt
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn

    SSLOptions +StdEnvVars

    SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    I shall be thankful for your kind help.

    • Hi Umar,

      Please make sure that the correct SSL certificate for site3.example.com is located at /etc/httpd/ssl/site3.crt

      If you closely followed this tutorial you should be able to set up multiple SSL certificates without a problem.

      Thanks.

  3. I did the same as above but showing the below error:

    What may be causing the issue?

    Error: (98)Address already in use: AH00072: make_sock: could not bind to address [::]:443

    • Make sure that port 443 is available to use on your machine. You can use the command ‘netstat -tnlp’ to check which service is using the port.

      Thanks.

  4. Thank you sir.

    The only thing we needed to change from what we had was:

    NameVirtualHost *:443

    ServerName domain1.com

    ServerName domain2.com

    Everything else we had was already OK.

    THANK YOU!

    • The “VirtualHost” tags were cleaned out — let’s try this:

      NameVirtualHost *:443

      <VirtualHost *:443>
      ServerName domain1.com

      <VirtualHost *:443>
      ServerName domain2.com

  5. Hi,

    I did the same thing, but I am getting the below error:

    Feb 18 10:13:10 ip-172-31-5-188.eu-west-1.compute.internal httpd[2197]: Apache/2.4.37 mod_ssl (Pass Phrase Dialog)
    Feb 18 10:13:10 ip-172-31-5-188.eu-west-1.compute.internal httpd[2197]: Some of your private key files are encrypted for security reasons.
    Feb 18 10:13:10 ip-172-31-5-188.eu-west-1.compute.internal httpd[2197]: In order to read them you have to provide the pass phrases.
    Feb 18 10:13:10 ip-172-31-5-188.eu-west-1.compute.internal httpd[2197]: Private key ***************:443:0 (/etc/httpd/cert/antivirus.key)
    Feb 18 10:13:10 ip-172-31-5-188.eu-west-1.compute.internal httpd[2197]: Enter pass phrase:Apache:mod_ssl:Error: Private key not found.
    Feb 18 10:13:10 ip-172-31-5-188.eu-west-1.compute.internal httpd[2197]: **Stopped
    Feb 18 10:13:11 ip-172-31-5-188.eu-west-1.compute.internal systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
    Feb 18 10:13:11 ip-172-31-5-188.eu-west-1.compute.internal systemd[1]: Failed to start The Apache HTTP Server.
    Feb 18 10:13:11 ip-172-31-5-188.eu-west-1.compute.internal systemd[1]: Unit httpd.service entered failed state.
    Feb 18 10:13:11 ip-172-31-5-188.eu-west-1.compute.internal systemd[1]: httpd.service failed.

    Can you help me?
