I have many Apache VirtualHosts for each of which I use a dedicated SSLCertificateFile.
This is a configuration example of a VirtualHost:
```apache
<VirtualHost *:443>
    ServerName subdomain.domain.localhost
    DocumentRoot "/Users/<my_user_name>/Sites/users/public"
    RackEnv development
    <Directory "/Users/<my_user_name>/Sites/users/public">
        Order allow,deny
        Allow from all
    </Directory>

    # SSL Configuration
    SSLEngine on

    # Self Signed certificates
    SSLCertificateFile /private/etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /private/etc/apache2/ssl/server.key
    SSLCertificateChainFile /private/etc/apache2/ssl/ca.crt
</VirtualHost>
```
Since I am maintaining more Ruby on Rails applications using Passenger Preference Pane, this is a part of the apache2 httpd.conf file:
```apache
<IfModule passenger_module>
    NameVirtualHost *:80
    <VirtualHost *:80>
        ServerName _default_
    </VirtualHost>
    Include /private/etc/apache2/passenger_pane_vhosts/*.conf
</IfModule>
```
Can I use a single SSLCertificateFile for all my VirtualHosts (I have heard of wildcards) instead of creating one for each VirtualHost? If so, how can I change the files listed above?
So you have two things to solve: how to get a cert (pub/priv) that works for all your hosts, and then next, how to arrange the vHosts and the use of strategic includes. (I am ignoring the SNI option here - do read up on that though.)
For the first - you roughly have three options - a wildcard cert (i.e. *.foo.bar.com), a cert with multiple CN's in the DN (e.g. "CN=foo.com, CN=bar.com, L=London..") or a cert with 1 or more Subject Alternative Names containing DNS names (http://playnice.ly/blog/2011/01/03/multi-domain-ucc-ssl-certificates-on-nginx-with-1-ip-address/). The latter two are good when you have just a handful of vhosts (but they can have any name; so no wildcard limits). While the wildcard is your only option when you have 10's to 100's of domains - but the downside is that they have to have a similar leaf name (though you'd be surprised how 'easy' it is to get a *.com issued by accident).
Once you have one of these beasts - simply include it on server level.
So next up is how to splice things from thereon - what you need here is the same setup as for an SNI host (see docs or http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI).
To make your life easy - you could consider using 'include' snippets - or, worst case, generate the config with a small shell script (or go all out - you can include perl and the output it generates 'virtually' on the fly!).
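The include-snippet and shell-script idea from the answer above, as an added example that is not part of the original post: it emits one minimal SSL vhost per hostname, all pulling the certificate directives from one shared snippet, and refuses hostnames a wildcard cert would not cover. The wildcard name `*.domain.localhost`, the snippet path `ssl-common.conf` and the function names are assumptions; the certificate paths are the ones from the question.

```shell
#!/bin/sh
# Added example: generate SSL vhosts that all share one certificate.
# WILDCARD and SSL_SNIPPET are assumed values, not taken from the question.
WILDCARD='*.domain.localhost'                       # name in the shared cert
SSL_SNIPPET='/private/etc/apache2/ssl-common.conf'  # hypothetical include file

# Contents of the shared snippet: the SSL directives from the question, once.
ssl_snippet() {
    cat <<'EOF'
SSLEngine on
SSLCertificateFile /private/etc/apache2/ssl/server.crt
SSLCertificateKeyFile /private/etc/apache2/ssl/server.key
SSLCertificateChainFile /private/etc/apache2/ssl/ca.crt
EOF
}

# A wildcard covers exactly one leftmost label: a.domain.localhost matches,
# a.b.domain.localhost and the bare domain.localhost do not.
covered_by_wildcard() {
    host=$1
    suffix=${WILDCARD#\*}              # ".domain.localhost"
    case $host in
        *"$suffix") label=${host%"$suffix"} ;;
        *) return 1 ;;
    esac
    case $label in
        ''|*.*) return 1 ;;            # empty or multi-label prefix
        *) return 0 ;;
    esac
}

# Print a vhost for hostname $1 with document root $2,
# or fail if the shared cert would not match that hostname.
gen_vhost() {
    if ! covered_by_wildcard "$1"; then
        echo "skip $1: not covered by $WILDCARD" >&2
        return 1
    fi
    cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot "$2"
    Include $SSL_SNIPPET
</VirtualHost>
EOF
}
```

Write the output of `ssl_snippet` to the snippet path once, then redirect `gen_vhost` output into one `.conf` file per site in the directory Apache already includes.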
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki