IBM HTTP Server (IHS) and multiple SSL certificates with one IP address

Technote (FAQ)


Question

How can IHS be configured for multiple SSL certificates (multiple domains) using one IP address only?

Answer

You may need to secure two or more different domains with SSL while using a single IP address, so that multiple domains, each with its own SSL certificate, share one IP address. For example, www.abc.com would use IP_Address_1, and www.xyz.com would use the same IP_Address_1.

Using multiple SSL certificates with only one IP address is not supported in IHS, which is Apache-based.

Apache explains the reason for this limitation in this way:

The SSL protocol layer stays below the HTTP protocol layer and encapsulates HTTP. When an SSL connection (HTTPS) is established, mod_ssl has to negotiate the SSL protocol parameters with the client. For this, mod_ssl has to consult the configuration of the virtual server (for instance, it has to look for the cipher suite, the server certificate, etc.). But in order to go to the correct virtual server, the web server has to know the Host HTTP header field. To do this, the HTTP request header has to be read. This cannot be done before the SSL handshake is finished, but the information is needed in order to complete the SSL handshake phase.

A supported alternative is SAN (Subject Alternative Name), which is intended to map multiple hostnames to one IP address. Refer to the "Related information" section below for instructions.
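As an added example (not part of the IBM technote or of IHS), the Python script below checks that a single SAN certificate covers every hostname served from the shared IP address, so a missing name is caught before clients see a mismatch. The function names and the sample certificate are assumptions made for illustration; the certificate dictionary uses the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl


def san_dns_names(cert):
    """Return the lower-cased DNS entries of a cert dict as produced by
    ssl.SSLSocket.getpeercert()."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def san_matches(pattern, hostname):
    """Match one SAN entry against a hostname. A wildcard is honoured only
    as the complete left-most label and covers exactly one label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Require at least two fixed labels so "*.com" never matches.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_hosts(cert, hostnames):
    """Return the hostnames that no SAN entry in the certificate covers."""
    names = san_dns_names(cert)
    return [h for h in hostnames if not any(san_matches(n, h) for n in names)]


def fetch_cert(ip, server_name, port=443):
    """Fetch the certificate presented on ip:port (needs network access).
    The chain is still validated; name checking is left to uncovered_hosts()
    so that a certificate with a missing name can be retrieved and reported."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Constructed sample in getpeercert() format; not a real certificate.
    sample = {"subjectAltName": (("DNS", "www.abc.com"), ("DNS", "www.xyz.com"),
                                 ("DNS", "*.static.abc.com"))}
    vhosts = ["www.abc.com", "www.xyz.com", "img.static.abc.com", "mail.xyz.com"]
    print("not covered by SAN:", uncovered_hosts(sample, vhosts))
```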


Related information

SSL/TLS Strong Encryption: FAQ
IBM HTTP SSL Server Questions and Answers
SSL SAN certificates and IBM HTTP Server

Document information


More support for:

IBM HTTP Server
SSL

Software version:

6.1, 7.0, 8.0

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows

Software edition:

All Editions

Reference #:

1608745

Modified date:

2012-10-03
