Install several SSL certificates on the same machine / IP: TLS SNI
Is it possible to configure several X.509 / SSL certificates on the same server with a single IP address? The answer is yes, thanks to SNI (Server Name Indication). This TLS extension is now supported by most browsers. It can cause compatibility problems with old browsers; in that case:
- Your websites are subdomains of one main domain (*.domain.com): use a Wildcard certificate
- Your websites have unrelated names and you only have one IP address: use a Multiple Sites certificate (SSL SAN)
- Your websites have unrelated names and you have several IP addresses: use one server certificate per IP address
Warning: an "IP address/port number" pair can generally hold only one certificate (except with TLS SNI, see below). The SSL/TLS negotiation takes place before the HTTP headers (including the Host: header) are sent, so without SNI the server has no way of knowing which of its virtual hosts is being requested when several of them share one IP address.
TLS Server Name Indication (SNI)
RFC 4366 (since superseded by RFC 6066) defines a "server name indication" (SNI) extension: the client (the web browser) sends the hostname it wants to reach in its ClientHello, at the very start of the SSL/TLS handshake, so that the server can present the matching certificate. Note that this hostname travels in cleartext, before any encryption has been negotiated.
Both the browser and the server must support this extension. If the client does not send it, the server can only present its default certificate for that IP address/port, which usually produces a name-mismatch warning for the other sites.
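To make the mechanism concrete, here is an added example (it is not code from the original page). It builds a minimal TLS 1.2 ClientHello with or without the server_name extension, parses the hostname back out of the raw bytes exactly as an SNI-aware server does before it has chosen a certificate, and then picks a certificate the way a name-based virtual host would: exact name first, then a wildcard covering a single label, then the default certificate that a client without SNI gets. The CERTS table and its certificate file names are hypothetical, and the ClientHello random is a constant so the output is reproducible.

```python
import struct

# Added example, not from the original page: a minimal ClientHello builder, an SNI parser,
# and the certificate-selection step a name-based virtual host performs.

SNI_EXT_TYPE = 0x0000   # server_name extension, RFC 6066 section 3
HOST_NAME = 0x00        # the only NameType defined by RFC 6066

# Hypothetical hostname -> certificate mapping for one IP:port (file names are placeholders).
CERTS = {
    "www.example.com": "example-com.pem",
    "*.shop.example.org": "wildcard-shop-example-org.pem",
    "blog.example.net": "multi-site-san.pem",
}
DEFAULT_CERT = "default-cert.pem"   # what a client that sends no SNI is given


def build_client_hello(server_name=None):
    """Return a TLS record carrying a ClientHello; SNI is included only if server_name is given."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")   # RFC 6066: ASCII hostname, no trailing dot, never an IP literal
        name_entry = struct.pack("!BH", HOST_NAME, len(host)) + host
        sni_body = struct.pack("!H", len(name_entry)) + name_entry
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(sni_body)) + sni_body
    body = (
        b"\x03\x03"                              # client_version: TLS 1.2
        + bytes(32)                              # random: constant here; real clients use a CSPRNG
        + b"\x00"                                # session_id: empty
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        + b"\x01\x00"                            # one compression method: null
    )
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello (1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake (22)


def parse_sni(record):
    """Extract the hostname from a ClientHello record; None if the client sent no SNI (pre-SNI browsers)."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                            # skip client_version and random
        pos += 1 + body[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + body[pos]                                    # compression_methods
        if pos + 2 > len(body):
            return None                                         # no extensions block at all
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:                                   # walk the extension list
            ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + ext_size]
            pos += ext_size
            if ext_type != SNI_EXT_TYPE or len(data) < 2:
                continue
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            q = 2
            while q + 3 <= list_end:                            # ServerNameList entries
                name_type, name_len = struct.unpack("!BH", data[q:q + 3])
                q += 3
                name = data[q:q + name_len]
                q += name_len
                if name_type == HOST_NAME:
                    return name.decode("ascii")
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None


def select_certificate(sni, cert_by_name, default_cert):
    """Exact hostname first, then a wildcard that replaces exactly one left-most label, else the default."""
    if sni is None:
        return default_cert
    host = sni.lower()
    if host in cert_by_name:
        return cert_by_name[host]
    labels = host.split(".")
    if len(labels) >= 3:   # *.shop.example.org covers api.shop.example.org, not shop.example.org or a.b.shop.example.org
        wildcard = "*." + ".".join(labels[1:])
        if wildcard in cert_by_name:
            return cert_by_name[wildcard]
    return default_cert


if __name__ == "__main__":
    for name in ("www.example.com", "api.shop.example.org", "shop.example.org", None):
        sni = parse_sni(build_client_hello(name))
        print(repr(name), "-> SNI", repr(sni), "->", select_certificate(sni, CERTS, DEFAULT_CERT))
```

Because parse_sni works on the unencrypted record, anything that sees the packet (a reverse proxy, a layer-4 load balancer, or an eavesdropper) can read the hostname too; that is what allows SNI-based routing in front of the TLS endpoint, and also why the requested hostname should not be treated as confidential.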
Here is the situation as of mid-2011:
- Compatible browsers:
- Internet Explorer 7+ (but no version of IE works on Windows XP, since the XP TLS stack lacks SNI, and there are issues with other versions)
- Firefox 2+
- Opera 8+
- Chrome
- Safari 3.2.1+ under Mac OS X 10.5.6+
- Safari under Vista or Seven
- MobileSafari under iOS 4.0+
- WindowsPhone 7
- Android 3+
- Compatible servers:
- Microsoft IIS8 (under Windows Server 2012)
- OpenSSL 0.9.8f or later, built with TLS extensions enabled (0.9.8k is recommended)
- Apache 2.2.12+
- lighttpd 1.4.24+
- Apache Tomcat (note that Java 7 only adds SNI on the client side; server-side SNI requires Java 8+ and Tomcat 8.5+)
- Incompatible browsers:
- Internet Explorer under XP
- Safari under XP
- Blackberry
- Java 6
- Android 2.3
- Windows Mobile (works from Windows Phone 7)
- Incompatible servers:
- Microsoft IIS before version 8
Examples of SNI implementation
- TBS INTERNET: SNI configuration example on Apache
- Globalsign: SNI + CloudSSL Implementation Guide, Hosting Multiple SSL on a Single IP Address
(Apache, DirectAdmin, Nginx, Reverse proxy / Load balancer Pound)
https://www.globalsign.com/resources/userguides/sni-implementation-guide.pdf
Further information
- All about SHA1 / SHA2 / SHA256 certificates
- SSL certificates: internal names / intranet and IP numbers
- Multiple Sites certificates (SSL SAN)
- Wildcard or OmniDomain certificates