
I would like to know how I can configure my Apache 2 (version 2.0.64) to use multiple key/certificate pairs for mutual authentication.

More precisely, I have configured my apache to accept SSL connections on port 443 by using this config:

<VirtualHost _default_:443>
     SSLEngine on
     SSLCertificateFile certs/mycert.crt
     SSLCertificateKeyFile certs/mykey.key
     SSLCACertificateFile certs/ca.crt
     .....
</VirtualHost>

I have 2 aliases, let's say:

https://myserver/project1
https://myserver/project2

I would like to use different key/certificate pairs (than mykey.key/mycert.crt) to authenticate clients that connect to my 2nd URL (https://myserver/project2).

I tried with the <Location> and <LocationMatch> directives, but SSL directives do not seem to be supported under these ones.

How can this be done?

sth
tunix2fr

2 Answers


There is an extension named Service Name Indication (aka SNI) in TLS. The TLS client indicates the name of the server it is connected to; therefore the server is able to select the correct key and certificate to use.

According to the SNI Wikipedia page, both Apache 2 modules mod_ssl and mod_gnutls seem to support this extension, as do numerous web clients.

An Apache 2 configuration tutorial is available here: http://en.gentoo-wiki.com/wiki/Apache2/SSL_and_Name_Based_Virtual_Hosts

Jcs
  • Hi Jcs, thanks for your response. Effectively, I did see that link, but it doesn't really correspond to my needs. – tunix2fr May 02 '11 at 08:01
  • Because my Apache uses mod_jk to dispatch requests to several application servers in Java JEE, I do not have several domain names but Aliases. In fact, I would expect to have some kind of config like `SSLCertificateKeyFile .... SSLCertificateFile ` for each project. Tell me if it doesn't seem clear to you. Thanks. – tunix2fr May 02 '11 at 08:13
  • Do you have one single domain name but want to use a different server certificate based on the URL path? I don't think it is possible, since the URL path is not sent by the client until the TLS handshake is done. – Jcs May 02 '11 at 09:18
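As an added example (not from the answer above or from the question), this is the name-based layout the answer points at: two TLS virtual hosts on the same address and port, each with its own server key/certificate and its own client CA, which mod_ssl selects from the SNI hostname. Hostnames, file paths and the mod_jk worker names are assumptions; the point from the comment thread still applies, since selection happens on the TLS server name, not on the URL path, so each project needs its own hostname.

```apache
# Added example: SNI-based selection of server certificates and client CAs.
# Needs Apache 2.2.12+ with OpenSSL 0.9.8f+; names and paths are assumptions.
NameVirtualHost *:443

# Refuse clients that send no SNI instead of silently serving them the
# first vhost's certificate and client-CA policy.
SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName project1.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/certs/project1.crt
    SSLCertificateKeyFile /etc/apache2/certs/project1.key
    # CA that issues the client certificates accepted by this project only
    SSLCACertificateFile  /etc/apache2/certs/project1-clients-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    JkMount /project1/* worker1
</VirtualHost>

<VirtualHost *:443>
    ServerName project2.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/certs/project2.crt
    SSLCertificateKeyFile /etc/apache2/certs/project2.key
    # A different CA here means a project1 client cert is rejected on project2
    SSLCACertificateFile  /etc/apache2/certs/project2-clients-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    JkMount /project2/* worker2
</VirtualHost>
```

To confirm which certificate a hostname is served, run `openssl s_client -connect myserver:443 -servername project2.example.org` and compare the subject in the output against the two vhosts.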

Possible solutions to have SNI with apache2:

  • Upgrade apache2 to version 2.2.x
  • Compile/Install gnutls with apache2
tunix2fr