[CentOS] multiple signed ssl certificatess on single IP address

Aleksandar Milivojevic alex at milivojevic.org
Sun Mar 19 06:09:49 UTC 2006

Ara Avvali wrote:
> Good afternoon everyone,
> This is my first post here. I was wondering if someone could clear my 
> mind about this.
> I have a dedicated server with a single ip address assigned to it. I 
> want to host couple of site which are hosted somewhere else and they 
> have signed certificates. Now I want to host them all on this single 
> server.

No, you can't have more than one certificate per IP address (other then 
using different ports).  The SSL handshake takes place before any data 
is transmitted.  Therefore, Apache doesn't know which of the virtual 
webs the user is attempting to access.

However you can use the X509v3 Subject Alternative Name to store 
multiple host names into it.  For example, you could store something 
like this into it:

SubjectAltName: DNS:www.foo.com, DNS:www.bar.com, IP:

(or something like that, syntax for IP could be IPAddr, not 100% sure).

Such certificate would be valid for all of the following (users are not 
going to get any warnings or annoying pop-up windows):

However, there's couple of problems with using X509v3 Subject 
Alternative Name:

Not all web browser might support it.  Current versions of Internet 
Explorer, Mozilla, and Firefox work correctly with such certificates, 
but older versions might not (very old versions would ignore X509v3 
extensions).  Some obscure web browsers might not support it either.

You'll be using single certificate for all virtual hosts.  This might be 
the problem if virtual hosts are owned by different people (if they know 
anything about security, they'll insist on using their own certificates, 
and simply reject to use shared certificate).

The biggest problem is, if you are buying certificate from well known 
CA, you might have hard time finding one that will sell you certificate 
with multiple hosts names in X509v3 Subject Alternative Name.  Last time 
I was checking (some years ago) there was none.  Maybe situation changed 
since then (or maybe some will do it on special request -- and special fee).

For an example, check certificate at https://www.milivojevic.org/ (it 
contains www.milivojevic.org in CN, and there's SubjectAltName in 
extensions for www.milivojevic.org and localhost).

More information about the CentOS mailing list