Apache + SSL Certificates – Part 1

For those interested in using SSL certificates, I would like to bring up two very important things to keep in mind:

  • Under most circumstances, each site that utilizes an SSL certificate must have a unique, static IP address
  • Not all SSL certificates are the same, so be sure you understand what type of certificate you are purchasing

Before purchasing a certificate or beginning to architect your domain to support SSL, I encourage you to read and fully understand how SSL works. In order to support valid SSL authentication on all operating systems and web browsers, each domain that utilizes an SSL certificate must have a unique, static IP address assigned to it. In addition, the web server must, at a minimum, be configured to use IP-based virtual hosts for those domains.

As a concrete example, consider the domain names a.com and b.com. Let’s assume that both domains are hosted on the same web server and neither utilizes SSL authentication. In addition, let’s assume that the server is running Apache. Based on this example, the Apache configuration for these two sites could look like the following:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName a.com
DocumentRoot /var/apache2/htdocs/a.com
</VirtualHost>
<VirtualHost *:80>
ServerName b.com
DocumentRoot /var/apache2/htdocs/b.com
</VirtualHost>

Now, let’s assume that a.com needs to be configured with a real (i.e. not self-signed) SSL certificate. In order to make this work, the Apache configuration for these two sites would have to change to something like:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName a.com
DocumentRoot /var/apache2/htdocs/a.com
</VirtualHost>
<VirtualHost 1.2.3.4:443>
ServerName a.com
DocumentRoot /var/apache2/htdocs/a.com
SSLEngine on
SSLCertificateFile "/var/apache2/certs/a.com.crt"
SSLCertificateKeyFile "/var/apache2/certs/a.com.key"
</VirtualHost>
<VirtualHost *:80>
ServerName b.com
DocumentRoot /var/apache2/htdocs/b.com
</VirtualHost>

As you can see, a new virtual host entry was created for a.com, bound to a static IP address on the SSL port and carrying the SSL directives. In this example a.com and b.com can still share the same IP address on port 80 because only a.com uses SSL: the IP is shared for plain HTTP, but it is unique for the SSL authentication on port 443. Now, assume b.com also needs a real (i.e. not self-signed) SSL certificate. Again, the Apache configuration would need to change, this time to something like:

NameVirtualHost *:80
<VirtualHost *:80>
ServerName a.com
DocumentRoot /var/apache2/htdocs/a.com
</VirtualHost>
<VirtualHost 1.2.3.4:443>
ServerName a.com
DocumentRoot /var/apache2/htdocs/a.com
SSLEngine on
SSLCertificateFile "/var/apache2/certs/a.com.crt"
SSLCertificateKeyFile "/var/apache2/certs/a.com.key"
</VirtualHost>
<VirtualHost *:80>
ServerName b.com
DocumentRoot /var/apache2/htdocs/b.com
</VirtualHost>
<VirtualHost 1.2.3.5:443>
ServerName b.com
DocumentRoot /var/apache2/htdocs/b.com
SSLEngine on
SSLCertificateFile "/var/apache2/certs/b.com.crt"
SSLCertificateKeyFile "/var/apache2/certs/b.com.key"
</VirtualHost>

As you can see, b.com now has a second virtual host entry, configured just like a.com’s second entry, and the two domains now each have a unique IP address assigned to them for port 443. Each domain needs its own IP address because, if they shared one, the a.com SSL certificate would be presented to visitors of b.com during the initial authentication over port 443. In other words, if both sites shared the same IP address and a user went to b.com over SSL, the browser would throw an error stating that the certificate host name (e.g., a.com) does not match the requested host name (e.g., b.com), and the SSL session could not be trusted because the names do not match.

This problem stems from the fact that, by default, SSL uses the IP address and port for communication and authentication. The SSL handshake takes place before the HTTP transaction, and since the handshake does not carry the host name, distinguishing between multiple host names on the same IP address is impossible. As such, if multiple host names share the same IP address on port 443, the first virtual host entry for that IP address and port always wins and is used for the initial authentication session. In the above example, that would be a.com.
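The selection rule just described can be checked without a browser. The following Python is an added illustration, not code from the original post: it models Apache's pre-SNI virtual-host matching (exact IP:port entries beat *:port wildcards; the first candidate wins when no Host header is available) over the post's own a.com/b.com configuration and a constructed shared-IP variant. It assumes, as the post does, that each SSL vhost's certificate is issued for its ServerName, and it simplifies Apache's real matching rules.

```python
import re
# Constructed sample: the post's final config (a.com and b.com on separate IPs),
# trimmed to the directives that matter for virtual host selection.
UNIQUE_IP_CONF = """<VirtualHost *:80>
ServerName a.com
</VirtualHost>
<VirtualHost 1.2.3.4:443>
ServerName a.com
SSLEngine on
SSLCertificateFile "/var/apache2/certs/a.com.crt"
</VirtualHost>
<VirtualHost *:80>
ServerName b.com
</VirtualHost>
<VirtualHost 1.2.3.5:443>
ServerName b.com
SSLEngine on
SSLCertificateFile "/var/apache2/certs/b.com.crt"
</VirtualHost>
"""
# Constructed variant of the mistake the post warns about: b.com's SSL vhost on a.com's IP.
SHARED_IP_CONF = UNIQUE_IP_CONF.replace("1.2.3.5:443", "1.2.3.4:443")

def parse_vhosts(conf):
    """Return (addr, port, server_name, ssl_on) for each <VirtualHost addr:port> block."""
    vhosts = []
    for m in re.finditer(r"<VirtualHost\s+([^:>\s]+):(\d+)>(.*?)</VirtualHost>", conf, re.S):
        body = m.group(3)
        name = re.search(r"ServerName\s+(\S+)", body).group(1)
        ssl_on = re.search(r"^\s*SSLEngine\s+on", body, re.M | re.I) is not None
        vhosts.append((m.group(1), int(m.group(2)), name, ssl_on))
    return vhosts

def select_vhost(vhosts, ip, port, host_header=None):
    """Simplified Apache rule: entries bound to the exact IP:port beat *:port wildcards; an
    HTTP Host header can then pick a name-based vhost, otherwise the first candidate wins."""
    exact = [v for v in vhosts if v[0] == ip and v[1] == port]
    cands = exact or [v for v in vhosts if v[0] == "*" and v[1] == port]
    if host_header:
        cands = [v for v in cands if v[2] == host_header] or cands
    return cands[0] if cands else None

def tls_name_check(conf, ip, requested_host):
    """Which vhost (hence which certificate) answers on ip:443 during the handshake, when
    no Host header exists yet, and does its name match what the browser asked for?"""
    v = select_vhost(parse_vhosts(conf), ip, 443)
    if v is None or not v[3]:
        return None, False
    return v[2], v[2] == requested_host
```

With the shared-IP variant, a visitor to b.com is answered by a.com's entry, which is exactly the host-name mismatch the browser reports.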

For more information about configuring Apache with SSL, utilizing name-based versus IP-based virtual hosts, and understanding why SSL requires unique, static IP addresses, please see the following links:

With an understanding of how to configure multiple domains for SSL authentication on the same web server, and why unique, static IP addresses are required in such a configuration, my next blog entry on this topic will cover a way to eliminate the need for multiple IP addresses, one that also introduces limitations, including browser compatibility.

© 2010, Steve Flanders. All rights reserved.
