SSL for sites sharing an IP address: SNI+SSL

IPv4 addresses are in short supply, and one of the most common reasons people need additional IP addresses is to supply SSL to a site. However, it is now possible to add SSL certificates to individual domains that share an IP address via Server Name Indication (SNI).

Some things need to be in place to support SNI:

  • Apache 2.2.12+
  • an OS that supports SNI (CentOS 6, RHEL 6 or CloudLinux 6 at the time of writing); specifically, it needs an OS that supports OpenSSL 0.9.8+

With those things in place it should be automatically supported – you don’t usually need to take any additional action to enable it – and you can install SSL certificates on any and all sites even though they share the same IP address. There is no requirement to buy wildcard or any other particular type of SSL certificate. Normal certificates should suffice.

There is one ‘gotcha’ you should be aware of though.

If you have a domain1.com and domain2.com on the same IP address and you install an SSL certificate on domain1.com but not on domain2.com, any visitor who goes to https://domain2.com will be directed to https://domain1.com.

What you need to do to get around this is install an SSL certificate on domain2.com. It can be a self-signed certificate but you’ll need to remember to do that for every domain you add on that IP address.
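The gotcha and its fix expressed as Apache name-based SSL virtual hosts. This is an added example, not configuration from the original post; the address 192.0.2.10, the document roots and the certificate paths are placeholders.

```apache
# Required on Apache 2.2 for name-based virtual hosts; has no effect on 2.4.
NameVirtualHost 192.0.2.10:443

# First vhost listed for this address:port. Apache also uses it as the
# default for any HTTPS request whose SNI name matches no other vhost here.
<VirtualHost 192.0.2.10:443>
    ServerName domain1.com
    ServerAlias www.domain1.com
    DocumentRoot /var/www/domain1.com          # placeholder path

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/domain1.com.crt      # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/domain1.com.key    # placeholder path
</VirtualHost>

# Without this block, https://domain2.com has no vhost of its own on port 443,
# so it is answered by the domain1.com vhost above with domain1.com's certificate.
# Giving domain2.com its own certificate (self-signed is enough for this purpose)
# gives it its own SSL vhost, and SNI then selects it by name.
<VirtualHost 192.0.2.10:443>
    ServerName domain2.com
    ServerAlias www.domain2.com
    DocumentRoot /var/www/domain2.com          # placeholder path

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/domain2.com.crt      # placeholder path
    SSLCertificateKeyFile /etc/pki/tls/private/domain2.com.key    # placeholder path
</VirtualHost>
```

Every additional domain placed on the same IP address needs a matching `<VirtualHost>` block with its own certificate, otherwise its HTTPS requests fall back to the first vhost again.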
