I have many Apache VirtualHosts for each of which I use a dedicated SSLCertificateFile.

This is a configuration example of a VirtualHost:

<VirtualHost *:443>

    ServerName subdomain.domain.localhost

    DocumentRoot "/Users/<my_user_name>/Sites/users/public"
    RackEnv development

    <Directory "/Users/<my_user_name>/Sites/users/public">
        Order allow,deny
        Allow from all
    </Directory>

    # SSL Configuration
    SSLEngine on

    # Self-signed certificates
    SSLCertificateFile /private/etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /private/etc/apache2/ssl/server.key
    SSLCertificateChainFile /private/etc/apache2/ssl/ca.crt

</VirtualHost>


Since I am maintaining more Ruby on Rails applications using the Passenger Preference Pane, this is a part of the apache2 httpd.conf file:

<IfModule passenger_module>
  NameVirtualHost *:80
  <VirtualHost *:80>
    ServerName _default_
  </VirtualHost>
  Include /private/etc/apache2/passenger_pane_vhosts/*.conf
</IfModule>

Can I use a single SSLCertificateFile for all my VirtualHosts (I have heard of wildcards) instead of creating one for each VirtualHost? If so, how can I change the files listed above?

Accepted Answer

So you have two things to solve: how to get a cert (pub/priv) that works for all your hosts, and then next, how to arrange the vHosts and the use of strategic includes. (I am ignoring the SNI option here; do read up on that though.)

For the first, you roughly have three options: a wildcard cert (i.e. *.foo.bar.com), a cert with multiple CNs in the DN (e.g. "CN=foo.com, CN=bar.com, L=London..") or a cert with one or more Subject Alternative Names containing DNS names (http://playnice.ly/blog/2011/01/03/multi-domain-ucc-ssl-certificates-on-nginx-with-1-ip-address/). The latter two are good when you have just a handful of vhosts (but they can have any name, so no wildcard limits), while the wildcard is your only option when you have tens to hundreds of domains; the downside is that they have to have a similar leaf name (though you'd be surprised how 'easy' it is to get a *.com issued by accident).

Once you have one of these beasts, simply include it at server level.

So next up is how to splice things from there on; what you need here is the same setup as for an SNI host (see the docs or http://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI).

To make your life easy, you could consider using 'include' snippets, or, worst case, generate the config with a small shell script (or go all out: you can include Perl and the output it generates 'virtually' on the fly!).
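As an added example that is not code from the question or the answer, the shell script below builds the third option described in the answer (one self-signed certificate whose Subject Alternative Names list every vhost name), checks which names the resulting file actually covers, and prints the server-level directives plus the per-vhost snippet that an Include would pull in. The host names (app.localhost etc.), the paths and the helper names make_san_cert, cert_dns_names, cert_covers, emit_server_ssl and emit_vhost are all assumptions made for this example; it needs OpenSSL 1.1.1 or newer for the -addext and -ext options.

```shell
#!/bin/sh
# Added example: one SAN certificate shared by every <VirtualHost *:443>.
# Host names, paths and function names are constructed for this example.
set -eu

# make_san_cert OUTDIR NAME... : self-signed cert + key covering every NAME.
# The first NAME becomes the CN, but clients check only the SAN list, so
# every host that will be a ServerName must be listed. Needs OpenSSL >= 1.1.1.
make_san_cert() {
  outdir=$1; shift
  cn=$1
  san=""
  for name in "$@"; do
    san="${san}${san:+,}DNS:${name}"
  done
  mkdir -p "$outdir"
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -subj "/CN=$cn" -addext "subjectAltName=$san" \
    -keyout "$outdir/server.key" -out "$outdir/server.crt" >/dev/null 2>&1
  chmod 600 "$outdir/server.key"   # one shared key: keep it readable by root only
}

# cert_dns_names CRT : print the DNS names in the certificate's SAN, one per line.
cert_dns_names() {
  openssl x509 -in "$1" -noout -ext subjectAltName \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^,[:space:]]*\).*/\1/p'
}

# cert_covers CRT NAME... : succeed only if every NAME is in the SAN list.
# Worth running before a reload: a vhost whose ServerName is missing here
# still starts cleanly in Apache but every client gets a certificate warning.
cert_covers() {
  crt=$1; shift
  names=$(cert_dns_names "$crt")
  for h in "$@"; do
    printf '%s\n' "$names" | grep -qxF -- "$h" || return 1
  done
}

# emit_server_ssl CRT KEY : directives placed once, outside any <VirtualHost>,
# which is what the answer means by "include it at server level".
emit_server_ssl() {
  printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' "$1" "$2"
}

# emit_vhost NAME DOCROOT : one include snippet per host; no certificate
# directives, because the vhost inherits them from the server level.
# Access control uses the Apache 2.2 syntax from the question
# (Apache 2.4 would use "Require all granted").
emit_vhost() {
  cat <<EOF
<VirtualHost *:443>
    ServerName $1
    DocumentRoot "$2"
    SSLEngine on
    <Directory "$2">
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
EOF
}

# Stand-alone demo ("sh this_script.sh demo"): constructed names, temp dir.
if [ "${1:-}" = "demo" ]; then
  dir=$(mktemp -d)
  make_san_cert "$dir" app.localhost users.localhost api.localhost
  cert_dns_names "$dir/server.crt"
  emit_server_ssl "$dir/server.crt" "$dir/server.key"
  emit_vhost users.localhost "/Users/me/Sites/users/public"
fi
```

A wildcard (the answer's first option) is expressed the same way, as DNS:*.domain.localhost in the SAN list, and then covers every direct subdomain but not the bare domain or deeper levels; the cert_covers check is the useful part either way, since it compares the names Apache will answer for against the names the file really contains.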


The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki