SSL + Server Name Indication (SNI)

I have multiple websites hosted on the same server with Virtualmin and use name-based virtual hosts in Apache to resolve different domain names. Assuming I’d like more than one of these sites to have SSL certificates (from a CA), can I use Server Name Indication (SNI) instead of IP-based mapping for the SSL?

I know that SNI has some compatibility issues with legacy browsers, but my ISP limits the number of IP addresses I can get.

Wikipedia: http://en.wikipedia.org/wiki/Server_Name_Indication

Howdy,

I don’t know much about SNI; you may need to try it and see how it goes :)

I’m not sure if it requires any changes in how Virtualmin sets up the SSL certificates. If it does, and you discover what those are, let us know and we can look into incorporating those into future Virtualmin versions.

In the meantime though, my suggestion would be to test it out using self-signed certificates for your domains, and once you get to a point where it appears to be working, you could then look into buying your certificates from a CA.

Alternatively, UCC certificates do work. It’s one certificate that holds multiple domain names, so they follow the standard protocol of “one SSL cert per IP address”.

-Eric

I’ll give it a shot and report on how it goes.

I thought about a UCC certificate, but I’d need multiple for different servers (expensive).

In the same boat: Rackspace is now only giving 4 extra IPs per cloud server max, so this is now REALLY important. As IPv4 address pools dry up, lots of people will need this.

So… how did it go?

SNI is now supported by Webmin/Virtualmin – the biggest catch to remember here is that it’s not supported by roughly 50% of the browsers out there today.

So, you can use it, but it won’t work for a lot of folks out there.

-Eric