Configuring Apache to serve multiple domains with a single SSL certificate

Here are some notes on how to configure Apache to serve multiple domains with a single SSL certificate, using a certificate that carries all the host names as subjectAltName entries. If using a single certificate is not an option, you will have to use SNI, which is not covered in this howto.

# Create root CA
openssl genrsa -out rootCA.key 2048
# Self sign the CA cert
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Create the configuration file of the certificate request for all domains (multi.conf):

[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
prompt = no

[ req_distinguished_name ]
countryName = XY
stateOrProvinceName = XY
localityName = City
organizationName = My organization
organizationalUnitName = My unit
# one of the host names; repeat it below as DNS.1
commonName =

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[ alt_names ]
# every host name the certificate must be valid for, one per entry
DNS.1 =
DNS.2 =

Be aware that the semantics of the fields in the configuration file change depending on the value of “prompt”. With “prompt = no”, countryName is the value for the country. Without “prompt”, it sets the label that will be displayed when the user is prompted, and a default value can be provided in “countryName_default”. Very confusing…

One of the aliases has to be specified as commonName and again as an alternate name, because in some cases only the alternate names will be considered (once a subjectAltName is present, clients are expected to ignore the commonName).

Now you can create the server key and the corresponding certificate:

openssl genrsa -out multi.key 2048
openssl req -new -out multi.csr -key multi.key -config multi.conf
openssl x509 -req -in multi.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out multi.crt -days 500 -sha256 -extensions v3_req -extfile multi.conf

Note: the multi.conf file has to be used twice, once to create the request (2nd line, -config), and again to create the certificate (3rd line, -extfile together with -extensions v3_req); without the second use the signed certificate would not contain the subjectAltName extension at all.
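To check that the procedure above really produced a certificate that is valid for every name, here is an added script (not from the original post) that rebuilds the root CA and the multi-SAN certificate in a scratch directory with the same multi.conf layout, then verifies each host name the way a TLS client does. The directory, the validity periods and all host names are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the howto's root CA and
# multi-SAN certificate in a scratch directory, then check each host name the
# way a TLS client would. Directory and host names are assumed/constructed.
set -e

# build_multi_cert DIR CN NAME... : write a multi.conf with the howto's layout
# (plus a v3_ca section so the root gets CA:TRUE without relying on the system
# openssl.cnf), then create rootCA.key/.pem, multi.key, multi.csr and multi.crt.
build_multi_cert() {
    dir=$1; cn=$2; shift 2
    mkdir -p "$dir"
    {
        printf '[ req ]\ndistinguished_name = req_distinguished_name\n'
        printf 'req_extensions = v3_req\nprompt = no\n'
        printf '[ req_distinguished_name ]\ncountryName = XY\n'
        printf 'organizationName = My organization\ncommonName = %s\n' "$cn"
        printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n[ alt_names ]\n'
        i=1; for n in "$@"; do printf 'DNS.%d = %s\n' "$i" "$n"; i=$((i + 1)); done
        printf '[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\n'
        printf 'keyUsage = keyCertSign, cRLSign\n'
    } > "$dir/multi.conf"
    openssl genrsa -out "$dir/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$dir/rootCA.key" -sha256 -days 30 \
        -subj '/CN=Demo Root CA' -config "$dir/multi.conf" -extensions v3_ca \
        -out "$dir/rootCA.pem"
    openssl genrsa -out "$dir/multi.key" 2048 2>/dev/null
    openssl req -new -out "$dir/multi.csr" -key "$dir/multi.key" -config "$dir/multi.conf"
    # multi.conf is read a second time here, for the v3_req extensions.
    openssl x509 -req -in "$dir/multi.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
        -CAcreateserial -out "$dir/multi.crt" -days 30 -sha256 \
        -extensions v3_req -extfile "$dir/multi.conf" 2>/dev/null
}

# san_names DIR : print the DNS names actually embedded in multi.crt, one per line.
san_names() {
    openssl x509 -in "$1/multi.crt" -noout -text | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_valid_for DIR HOST : exit 0 if multi.crt chains to rootCA.pem and matches
# HOST. Since the cert carries a subjectAltName, only the SAN list is consulted;
# a name that appears only in commonName is rejected.
cert_valid_for() {
    openssl verify -CAfile "$1/rootCA.pem" -verify_hostname "$2" "$1/multi.crt" >/dev/null 2>&1
}
```

Run it with, for instance, `build_multi_cert "$(mktemp -d)" cn-only.example.com www.example.com mail.example.com` (constructed names) and then `cert_valid_for` for each name: the two SAN names verify, while the name that only appears as commonName is rejected, which is exactly why the howto repeats one alias in both places.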

And finally, use it in Apache:

NameVirtualHost *:443
# the same certificate and key are inherited by every SSL virtual host below
SSLCertificateFile /root/ca/multi.crt
SSLCertificateKeyFile /root/ca/multi.key

<VirtualHost *:443>
    # ServerName: the host name given as DNS.1 in multi.conf
    ServerName
    SSLEngine on
</VirtualHost>

<VirtualHost *:443>
    # ServerName: the host name given as DNS.2 in multi.conf
    ServerName
    SSLEngine on
</VirtualHost>

This entry was posted in Linux.