SNI (Server Name Indication) allows you to host multiple SSL certificates on a single IP address. Although hosting several sites on a single virtual private server is possible with virtual hosts, providing a separate SSL certificate for each site traditionally required separate IP addresses. SNI simplifies this: the client includes the requested server name in the TLS handshake, and the server sends the site visitor the certificate that matches that name.
Requirements to set up multiple SSL certificates
- Domain names should be registered in order to serve the certificates by SNI.
- Root privileges on the server.
- Nginx should already be installed and running on your VPS.
To install Nginx:
# sudo apt-get install nginx
Make sure that SNI is enabled on the server:
# nginx -V
This displays the version and build options; the output should include the line "TLS SNI support enabled".
Set up Process
1. Create the SSL certificate Directory
To keep things simple, I will set up a server that hosts both example.com and example.org.
The SSL certificate has two main parts: the certificate itself and the private key. We should create a directory for each virtual host's SSL certificate.
# mkdir -p /etc/nginx/ssl/example.com
# mkdir -p /etc/nginx/ssl/example.org
2. Create the Server Key and Certificate Signing Request
First, we create the SSL certificate for example.com:
# cd /etc/nginx/ssl/example.com
Now, create the private server key. You will be asked to enter a passphrase, which is needed later to access the key. Use a key of at least 2048 bits; 1024-bit RSA is no longer considered secure and is rejected by current browsers.
# sudo openssl genrsa -des3 -out server.key 2048
Create the certificate signing request:
# sudo openssl req -new -key server.key -out server.csr
The terminal will display a list of fields that need to be filled in.
3. Remove the Passphrase
We need to remove the passphrase. Although having the passphrase in place does provide heightened security, the issue starts when one tries to reload nginx. In the event that nginx crashes or needs to reboot, you will always have to re-enter your passphrase to get your entire web server back online.
# sudo cp server.key server.key.org
# sudo openssl rsa -in server.key.org -out server.key
4. Sign your SSL Certificate
# sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
This certificate will expire after one year.
We are done with the certificate for the first host.
To create the certificate for the second host, switch to its directory:
# cd /etc/nginx/ssl/example.org
Repeat the previous three steps for the second certificate. Once it is finished, we can start adding the certificates to your virtual hosts.
5. Create the Virtual Hosts
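Once the certificates are saved, we can add our information to the virtual host files. Create one file per site under /etc/nginx/sites-available, starting with /etc/nginx/sites-available/example.com.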
Each file will then contain the virtual host configuration as follows:
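server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name example.com;
    root /usr/share/nginx/www;
    index index.html index.htm;
    # Certificate and key that nginx presents when the client asks for example.com
    ssl_certificate /etc/nginx/ssl/example.com/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.com/server.key;
}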
Make sure that you have updated server_name, ssl_certificate, and ssl_certificate_key lines to match your details.
Do the same for the second site:
# sudo nano /etc/nginx/sites-available/example.org
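server {
    # "ssl" on the listen line replaces the deprecated "ssl on;" directive
    listen 443 ssl;
    server_name example.org;
    # Placeholder: replace with the document root for example.org
    root {Specify the document root for example.org};
    index index.html index.htm;
    # Certificate and key that nginx presents when the client asks for example.org
    ssl_certificate /etc/nginx/ssl/example.org/server.crt;
    ssl_certificate_key /etc/nginx/ssl/example.org/server.key;
}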
6. Activate the Virtual Hosts
Now, activate the hosts by creating a symbolic link between the sites-available directory and the sites-enabled directory.
# sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/example.com
# sudo ln -s /etc/nginx/sites-available/example.org /etc/nginx/sites-enabled/example.org
7. Restart nginx
# sudo service nginx restart
You should now be able to access both sites, each with its own domain name and SSL certificate.
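With two near-identical directories it is easy to leave a passphrase on one key or to pair a key with the other site's certificate, and nginx will then fail on the restart in step 7. The script below is an added example, not part of the original article, that checks one host's directory before restarting; the function names check_host_pair and make_demo_host are assumptions made for this example, and the file layout is the one used above.

```shell
#!/bin/sh
# Added example, not from the original article. Checks one host's directory as
# laid out above (DIR/server.crt, DIR/server.key); returns 0 if usable, else 1.
check_host_pair() {
    domain=$1 dir=$2 rc=0
    crt=$dir/server.crt key=$dir/server.key

    # Step 3: the key must load without a passphrase for unattended restarts.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "$domain: key missing or still passphrase-protected"; return 1; }

    # The certificate must carry this key's public half; a server.key copied
    # from the other site's directory fails here.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || cert_pub=
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] ||
        { echo "$domain: certificate and key do not match"; rc=1; }

    # The certificate must name the server_name it will be served for.
    openssl x509 -in "$crt" -noout -checkhost "$domain" 2>/dev/null |
        grep -q "does match certificate" ||
        { echo "$domain: certificate is not issued for this name"; rc=1; }

    # Step 4 signs for 365 days; fail once that has passed.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "$domain: certificate expired or unreadable"; rc=1; }

    # Without a passphrase, file permissions are the key's only protection.
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] ||
        { echo "$domain: $key is readable by group or others"; rc=1; }
    return $rc
}

# Constructed sample input: a throwaway pair built like steps 2-4, but
# non-interactively, so the check can be tried outside /etc/nginx.
make_demo_host() {
    domain=$1 dir=$2
    mkdir -p "$dir" &&
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null &&
    chmod 600 "$dir/server.key" &&
    openssl req -new -key "$dir/server.key" -subj "/CN=$domain" \
        -out "$dir/server.csr" &&
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# Usage: sh check.sh example.com /etc/nginx/ssl/example.com
if [ $# -eq 2 ]; then check_host_pair "$1" "$2"; fi
```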
If you require help, contact SupportPRO Server Admin