Can I host 5 sub-domains with SSL on the same IP?


Yes. You can host 5 sub-domains with SSL Certificates on the same IP address by using the SNI (Server Name Indication) feature.

If your subdomains are hosted on a Windows Server, such as Windows Server 2012, 2016, or 2019, then you need to check the "Require Server Name Indication" option to install multiple SSL Certificates on a single IP address.

SNI allows TLS to identify multiple certificates on the same IP address. This means that domains and subdomains, such as example.com and sub.example.com, do not have to share one over-arching certificate; they can have two certificates, one for the primary domain and one for the subdomain. SNI allows you to certify multiple domains without using additional network adapters or multiple IP addresses on your servers.

How does SNI Work?

When you install an SSL Certificate on your website using the SNI feature, the web browser sends the desired domain name at the beginning of the TLS handshake. This allows the hosting server to find and present the correct certificate. All sites running on the server can also share the same IP address and port. As a result, customers will have a much better experience encrypting their websites, as they will not have to use ARIN to justify their new IP address.

Browsers and web servers that support SNI

Internet Explorer (Since version 7)
Edge (all versions)
Mozilla Firefox (Since version 2.0)
Google Chrome

Apache Tomcat (Not supported before 8.5)
Apache HTTP server (Since version 2.2.12)
Microsoft IIS (Since version 8.0)
Nginx (Since version 0.5.23)

How to install multiple SSL Certificates in Apache with one IP address

To use additional SSL certificates on your server, you need to create another virtual host. As a best practice, we recommend that you back up your existing .conf file before proceeding.

You can create the new virtual host in the existing .conf file or create a new .conf file for it. If you create a new .conf file, then you need to add the following line to your existing .conf file.

Include my_other_site.conf

Then, in the NameVirtualHost directive, list the server's public IP address, *:443, or whichever other port you use for SSL (see the example below). Then point SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to the location of each website's certificate files, as shown below.

<VirtualHost *:443>
ServerName www.demovpstest.com
DocumentRoot /var/www/demovpstest.com
SSLEngine on
SSLCertificateFile /path/to/www_yoursite_com.crt
SSLCertificateKeyFile /path/to/www_yoursite_com.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

<VirtualHost *:443>
ServerName www.nicktest.com
DocumentRoot /var/www/nicktest.com
SSLEngine on
SSLCertificateFile /path/to/www_yoursite2_com.crt
SSLCertificateKeyFile /path/to/www_yoursite2_com.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

Important Note: Please replace www.demovpstest.com and www.nicktest.com with your website names.

If you have a wildcard or multi-domain SSL certificate, all websites using the same certificate must point to the same IP address in their <VirtualHost IP address:443> section, as in the following example:

<VirtualHost 192.168.2.152:443>
ServerName www.demovpstest.com
DocumentRoot /var/www/
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

<VirtualHost 192.168.2.152:443>
ServerName manage.demovpstest.com
DocumentRoot /var/www/manage
SSLEngine on
SSLCertificateFile /path/to/your_domain_name.crt
SSLCertificateKeyFile /path/to/your_private.key
SSLCertificateChainFile /path/to/DigiCertCA.crt
</VirtualHost>

Important Note: Please replace www.demovpstest.com and manage.demovpstest.com with your

Now restart the Apache service and visit the HTTPS site from a browser that supports SNI. If everything is set correctly, you can access the website without any warning message. To add more websites or SSL Certificates, repeat the steps above.
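The SNI lookup described under "How does SNI Work?", as an added example that is not part of the original article: Python's ssl module builds a real ClientHello in memory, the parser reads the server_name extension from it, and a certificate is chosen the way a name-based server does, with unknown or missing names falling back to the first virtual host. The function names and the VHOST_CERTS table (copied from the placeholders in the first Apache example) are assumptions made for this illustration.

```python
import ssl
import struct

# Constructed table mirroring the two <VirtualHost *:443> blocks in the first example.
VHOST_CERTS = {
    "www.demovpstest.com": "/path/to/www_yoursite_com.crt",  # first vhost = default
    "www.nicktest.com": "/path/to/www_yoursite2_com.crt",
}

def client_hello(hostname):
    """Return the first bytes a TLS client sends for hostname (no network used)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    outgoing = ssl.MemoryBIO()
    tls = ctx.wrap_bio(ssl.MemoryBIO(), outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written, the client now awaits a reply
    return outgoing.read()

def extract_sni(record):
    """Return the server_name in a ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 22 or record[5] != 1:  # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]                 # session_id
        pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
        pos += 1 + record[pos]                 # compression_methods
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            if ext_type == 0:                  # server_name: list len, type, name len, name
                name_len = struct.unpack_from("!H", record, pos + 7)[0]
                name = record[pos + 9:pos + 9 + name_len]
                return name.decode("ascii").lower() if len(name) == name_len else None
            pos += 4 + ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                   # truncated or malformed input
    return None

def select_certificate(record):
    """Choose a certificate by SNI; no match or no SNI gets the first vhost's."""
    first_vhost = next(iter(VHOST_CERTS.values()))
    return VHOST_CERTS.get(extract_sni(record), first_vhost)

if __name__ == "__main__":
    for host in ("www.nicktest.com", "unknown.example"):
        print(host, "->", select_certificate(client_hello(host)))
```

The host name travels in the clear in this first message, and a request that matches no ServerName is answered with the first virtual host's certificate, so the order of the VirtualHost blocks decides which certificate such clients see.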

