Creating multiple certificates for Apache-ssl

How to set up multiple SSL domains for Apache. Each domain must have its own unique IP.

In the world of Debian, you have a couple choices when you want to install Apache version 1. There's the plain apache package, but you can also apt-get the apache-ssl package. For a while I was running both-- each of these packages installs its own server for regular and SSL traffic. With apache2, it's a little different.

There's still a selection of packages for Apache2, but they pertain to the inner workings of the server. For a while I was running apache2 and apache-ssl separately, but the redundancy started to get on my nerves. Why run two servers when one will do just fine? Apache2 can be set up to handle SSL, so it's just a matter of figuring out the right configuration.

That's easier said than done. The documentation on Apache2 and SSL is thin, almost invisibly thin. Google searches didn't turn up much either. Here's how I got things working.

First, get yourself squared away with regular apache2. Once it's up and running, you've got two obstacles to cross. The first is creating your SSL certificate. In /etc/apache2/ you'll find an ssl directory with nothing in it. As root, run the command "apache2-ssl-certificate" to create a self-signed certificate. This will create two files in the ssl directory: apache.pem and some other randomly named file (mine is d41305d1.0).

If you had a real certificate, you'd skip the apache2-ssl-certificate script altogether and copy over your existing files. Regardless of where they come from I suppose you could put your certificate files anywhere you felt like putting them, but that ssl directory seems like it's there for a reason, no?

The second obstacle is getting apache acquainted with your certificate, and more broadly, persuading it that it really can understand the lingo of SSL. Unless you're incredibly interested in cipher suites, you'll probably want to do what I did: use the sample ssl file provided in /usr/share/doc/apache2/examples/ssl.conf.gz. Unzip that file, then copy it to /etc/apache2/sites-available. Run "a2ensite ssl.conf". Also take this time to run "a2enmod ssl" if you haven't already. The first command sets up an SSL-aware virtual host, the second enables mod_ssl. Both feats are courtesy of nice Debian utility programs that create symlinks between mods-available/mods-enabled and sites-available/sites-enabled. Read the README in /etc/apache2 for more details, then feel smug at the fact that you're doing things "the Debian way".

Almost done! I found this last step to be the least obvious of them all. In ssl.conf, look for "SSLCertificateFile" and set it to the apache.pem file in /etc/apache2/ssl. A few lines down from there find SSLCertificateKeyFile and set that to the other file in the ssl directory.

Last but not least, add "Listen 443" to /etc/apache2/ports.conf.
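
The steps above cover one certificate. As an added example (not part of the original entry), here is how they extend to the case in the title: one IP-based SSL virtual host per certificate, so the server picks the certificate from the address the client connected to. The IP addresses, host names, document roots and certificate/key file names are constructed placeholders.

```apache
# Added example. All addresses, host names and file names are placeholders.

# --- /etc/apache2/ports.conf ---
Listen 443

# --- /etc/apache2/sites-available/ssl.conf ---
# One virtual host per certificate, each bound to its own IP address.
# The certificate is chosen during the SSL handshake, before any
# Host header has been sent, so the address is what tells them apart.

<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    DocumentRoot /var/www/example.com

    SSLEngine on
    # Certificate and private key for the first domain.
    SSLCertificateFile    /etc/apache2/ssl/example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.com.key
</VirtualHost>

<VirtualHost 192.0.2.11:443>
    ServerName www.example.org
    DocumentRoot /var/www/example.org

    SSLEngine on
    # Certificate and private key for the second domain.
    SSLCertificateFile    /etc/apache2/ssl/example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/example.org.key
</VirtualHost>

# Private key files should be owned by root and not readable by
# other users (mode 0600). Apache reads them at startup, before it
# drops privileges.
```

Run "apache2ctl configtest" before restarting to catch syntax errors in the new virtual hosts.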

If you restart Apache at this point, it may complain that you're using * with some of your virtual host definitions but not others. That's a quick fix: make sure your non-ssl virtual host tags all look like this:

Last update:
2012-02-06 07:27