SSL certificates with multiple vhosts

One of the most common questions raised by newcomers to web server administration is: “How can I have a different SSL certificate for each name based virtual host?”

The easy answer is: “You can’t!”

The complete answer is: “You can’t, but…”

If your objective is to get a certificate that is valid for each host, i.e. if you don't mind sharing the same certificate across all your virtual hosts, you can put multiple CommonName entries in the same certificate.

Simply edit your /etc/ssl/openssl.cnf as follows:

[ req_distinguished_name ]
[...]
0.commonName            = Common Name (eg, YOUR name)
0.commonName_default    = www.domain1.com
0.commonName_max        = 64
1.commonName            = Common Name (eg, YOUR name)
1.commonName_default    = www.domain2.org
1.commonName_max        = 64

Then generate a new private key and certificate request (the CSR is what you submit to your CA):

t="/etc/apache2/ssl"
mkdir -p "$t"
# -nodes leaves the private key unencrypted so Apache can start without a passphrase
openssl req -nodes -new -keyout "$t/private.key" -out "$t/server.csr"
# only root should be able to read the key and the request
chmod 600 "$t"/{private.key,server.csr}

Adapt your Apache configuration so that all the virtual hosts you want reachable over https use the same certificate. Reload Apache and you are done!
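The same procedure end to end, as an added example that is not the post's own script: it writes a config with the two CommonName entries above, generates the key and CSR non-interactively with -batch, and checks that both names actually landed in the request before anything is sent to the CA. The scratch directory and the two domain names are constructed placeholders.

```shell
#!/bin/sh
# Added example: two CommonName entries in one CSR, then verify them.
# WORK is an assumed scratch location; domains are placeholders.
set -eu

WORK="${TMPDIR:-/tmp}/multi-cn-demo"
CFG="$WORK/openssl.cnf"

# Minimal openssl.cnf carrying the 0.commonName / 1.commonName pair.
write_config() {
    mkdir -p "$WORK"
    cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = yes
[ req_distinguished_name ]
0.commonName         = Common Name (eg, YOUR name)
0.commonName_default = www.domain1.com
0.commonName_max     = 64
1.commonName         = Common Name (eg, YOUR name)
1.commonName_default = www.domain2.org
1.commonName_max     = 64
EOF
}

# -batch takes the _default values instead of prompting; -nodes leaves the
# key unencrypted so Apache can start unattended, hence the chmod 600.
make_csr() {
    openssl req -new -nodes -newkey rsa:2048 -batch -config "$CFG" \
        -keyout "$WORK/private.key" -out "$WORK/server.csr" 2>/dev/null
    chmod 600 "$WORK/private.key" "$WORK/server.csr"
}

# Print the CSR subject; the CA copies it verbatim into the certificate.
csr_subject() {
    openssl req -in "$WORK/server.csr" -noout -subject
}

# Number of CN entries in the CSR subject (expected: 2). RFC2253 output is
# comma separated, so split on commas and count the CN= components.
count_cn() {
    openssl req -in "$WORK/server.csr" -noout -subject -nameopt RFC2253 \
        | tr ',' '\n' | grep -c 'CN='
}
```

Run write_config, make_csr and then csr_subject to see both names; if count_cn prints anything other than 2, the config was not picked up and the CA would issue a single-name certificate.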

You can test this on my own domains. Just try https://www.kirya.net and https://www.kirya.fr and inspect the certificate.

Another tip is to use wildcards for subdomains: I use both *.kirya.net and kirya.net as CommonName entries. This way, my main domain and all its subdomains can use this certificate.

Note that this doesn’t cause any issue with CAcert services.