IBM HTTP Server (IHS) and multiple SSL certificates with one IP address
How can IHS be configured for multiple SSL certificates (multiple domains) using one IP address only?
You may need to secure two or more different domains with SSL while using a single IP address, so that multiple domains, each with its own SSL certificate, share one IP address. For example, www.abc.com would use IP_Address_1 and www.xyz.com would use the same IP_Address_1.
Using multiple SSL certificates with only one IP address is not supported in IHS, which is Apache-based.
Apache explains the reason for this limitation in this way:
The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server, the web server has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase.
There is a supported alternative: a SAN (Subject Alternative Name) certificate. It is intended to map multiple hostnames to one IP address. For information on how to obtain a SAN certificate, contact the Certificate Authority vendor of your choice.
For example: VeriSign, Entrust, GoDaddy, etc.
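Because a single SAN certificate is presented for every hostname on the shared IP address, each served hostname must appear in it. The following is an added example, not IBM's or Apache's code, of a pre-deployment check for that. The function names are hypothetical, the certificate dictionary is constructed sample data in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the wildcard handling goes beyond what this page describes.

```python
# Added example: check that one SAN certificate covers every hostname on a shared IP.
# SAMPLE_CERT is constructed data, not a real certificate.


def san_dns_names(cert):
    """Return the lower-cased DNS entries from the subjectAltName extension."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def name_matches(pattern, hostname):
    """Match one SAN entry against a hostname.

    A wildcard is honoured only as the entire left-most label and stands for
    exactly one label, so *.abc.com matches www.abc.com but neither abc.com
    nor a.b.abc.com.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]):
        return False  # partial or non-left-most wildcards are rejected
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # refuse *.com-style patterns and label-count mismatches
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def uncovered_hosts(cert, hostnames):
    """Return the hostnames that no SAN entry in the certificate covers."""
    names = san_dns_names(cert)
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in names)]


# Constructed sample: one certificate intended for both sites on IP_Address_1.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.abc.com"),),),
    "subjectAltName": (("DNS", "www.abc.com"), ("DNS", "www.xyz.com")),
}

if __name__ == "__main__":
    served = ["www.abc.com", "www.xyz.com", "shop.xyz.com"]
    for host in uncovered_hosts(SAMPLE_CERT, served):
        print("not covered by certificate:", host)
```

Any hostname the check reports would produce a certificate name mismatch in clients, so it has to be added to the certificate request before the certificate is issued.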
Software version: 7.0, 8.0, 8.5
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows
Software edition: All Editions
Reference #: 1608745
Modified date: 11 April 2016