IBM Support

IBM HTTP Server (IHS) and multiple SSL certificates with one IP address

Technote (FAQ)


How can IHS be configured for multiple SSL certificates (multiple domains) using one IP address only?


You may need to secure two or more different domains with SSL while using a single IP address, so that one IP address serves multiple domains, each with its own SSL certificate. That would mean, for example, that one domain would use IP_Address_1 and a second domain would use the same IP_Address_1 as well.
Using multiple SSL certificates with only one IP address is not supported in IHS, which is Apache-based.

Apache explains the reason for this limitation in this way:

The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server, the web server has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase.

There is a supported alternative: a SAN (Subject Alternative Name) certificate. It is intended to map multiple hostnames to one IP address. For information on how to obtain a SAN certificate, contact the Certificate Authority vendor of your choice.
For example: VeriSign, Entrust, GoDaddy, etc.
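
A SAN certificate only solves the problem if every hostname served from the shared IP address is listed in it. The following Python check is an added example, not part of the original technote or any IBM code; the certificate dict and hostnames are constructed samples in the shape returned by `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=5):
    """Fetch the server certificate as a dict. Connect with a name already
    known to be on the certificate, or verification fails before it is returned."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def san_dns_names(cert):
    """Return the dNSName entries of the subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def _matches(pattern, hostname):
    """Compare one SAN entry with a hostname, label by label, case-insensitively."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # A wildcard stands for exactly one left-most label and never for a
        # bare top-level domain such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def uncovered_hosts(cert, hostnames):
    """Return the hostnames no SAN entry covers. commonName is deliberately
    ignored, because current browsers validate against subjectAltName only."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(_matches(n, h) for n in names)]

# Constructed sample certificate (not taken from a real server).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "shop.example.net"),
        ("DNS", "*.example.org"),
    ),
}
# Constructed list of hostnames that would share one IP address.
SERVED_HOSTS = ["www.example.com", "shop.example.net", "mail.example.org",
                "a.b.example.org", "example.org", "www.example.net"]

if __name__ == "__main__":
    for host in uncovered_hosts(SAMPLE_CERT, SERVED_HOSTS):
        print("not covered by the SAN certificate:", host)
```

Any hostname reported here would produce a certificate name mismatch in clients and needs to be added to the certificate request before the domains are consolidated.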

Related information

SSL/TLS Strong Encryption: FAQ
IBM HTTP SSL Server Questions and Answers

Document information

More support for: IBM HTTP Server

Software version: 7.0, 8.0, 8.5

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition: All Editions

Reference #: 1608745

Modified date: 11 April 2016
