Apache + SSL Multi-domain Configuration

multidomain.ssl.txt

# Description
Piecing together lots of information from different sources, this covers setup and configuration for:

1. Creating a self-signed, mulit-domain certificate for a development environment running OS X.
2. Generating a multi-domain certificate signing request (CSR) for staging/production environments running on CentOS 7.
3. Installing certificate and Apache configuration.

This assumes all environments are running OpenSSL v.0.9.8f or later and Apache 2 with Server Name Indication (SNI) support. SNI is the bit of magic that allows one certificate to be valid to use with Virtual Hosts with different domains on one server. See Apache configuration link in the Sources section below for more information and a much better explanation on how it all works.

# Development
As of this writing, this worked on Mac OS X El Capitan running a LAMP stack configured through Macports.

## Creating a Self-signed, Multi-domain Certificate

### Edit openssl.cnf

1. File location: `/opt/local/etc/openssl/openssl.cnf`.
2. Make a copy of openssl.cnf—this is your backup.
3. Find the `[req]` section in openssl.cnf.
4. Make sure `x509_extensions = v3_ca` is uncommented.
5. Find the `[v3_ca]` section.
6. Add:
	`subjectAltName = @alt_names`
	`[alt_names]`
	`DNS.1 = primary-domain.org`
	`DNS.2 = a-different-domain.org`
	`DNS.3 = another-domain.org`
	`DNS.4 = etc.org`

### Generate Key and Certificate

1. In the Terminal, `cd` to the directory to store the self-signed certificate and key.
2. Run `openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout server.key -out server.crt`
3. Confirm cert, run: `openssl x509 -in server.crt -text -noout | more`

Note:
"server".key and "server".csr should be a name that makes sense to you. For example, "your-primary-domain.key" and "your-primary-domain.csr".


# Staging/Production
For these environments, a self-signed certificate is probably not a good choice and you'll have to generate a Certificate Signing Request (CSR) on your server; submit that to a Certificate Authority (CA) for authentication and verification; which will then give you your Certificate be uploaded to your server.

## Generate the CSR
We choose a domain-validation (DO) multi-domain certificate from Comodo via Namecheap.com because it was the least expensive option. I don't know if the following works with another CA.

Unlike on development, we do not need to edit the openssl.cnf file. Instead, run this command in the directory where you want your CSR and Key to reside:

`openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr`

Again, "server".key and "server".csr should be a name that makes sense to you. For example, "your-primary-domain.key" and "your-primary-domain.csr".

Note: You will enter each additional domains you want covered in the Certificate through Namecheap's CSR submission process. When generating the CSR on the server, you can only specify one domain name so this should be the primary domain on your server.

Additionally, during the CSR submission process to the Certificate Authority (see the next section below), unlike a single-domain certificate, if you need it, you'll need to specify both domain.org and www.domain.org—essentially, don't forget to count all sub-domains needed.


## Submit CSR to the CA
Submitting and getting verified by the CA is a very simple and fast process if using the domain-only verification process, as opposed to the Organization Verification (OV) process. Before submitting the CSR, make sure at least one email address in __all__ your domains can reach you. This info is what the CA will use to verify ownership of the domains you want covered in the Certificate.


# Apache Configuration

## Edit httpd-ssl.conf

1. Copy the original `httpd-ssl.conf` file—this is your backup.
2. Add `SSLStrictSNIVHostCheck off` to the SSL config file.
3. Change `<VirtualHost _default_:443>` to `<VirtualHost *:443>`
4. Set the default domain on port 443 inside the VirtualHost directive:
	`ServerName primary-domain.org`
	`DocumentRoot /path/to/site/webroot`

Note on the above: ServerName in the ssl.conf file must match the ServerName in Apache's main configuration file, httpd.conf. Otherwise, Apache will send a warning message to clients. Not fatal but some web services, like Twitter cards, will fail.

Optionally, set your Directory options, especially if you're using .htaccess:
	`<Directory /path/to/site/webroot>`
		`Options FollowSymLinks MultiViews`
		`AllowOverride All`
	`</Directory>`

Additionally, set at least an error log, too:
	`ErrorLog /var/log/httpd/primary-domaain-org-error.log`

### Security Fixes

Make sure SSLv2 and SSLv3 are not used:
`SSLProtocol All -SSLv2 -SSLv3`

Be very specific about which ciphers to use; add:
`SSLHonorCipherOrder on`

`SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS`

## Edit Other VirtualHosts files

For each domain, add:
	`<VirtualHost *:443>`
		`SSLEngine on`
		`SSLCertificateFile "/path/to/cert/server.crt"`
		`SSLCertificateKeyFile "/path/to/cert/server.key"`

		`ServerAdmin [email protected]`
		`ServerName other-domain.org`

		`DocumentRoot /path/to/other/site/webroot/`

		`<Directory /path/to/other/site/webroot>`
			`Options FollowSymLinks MultiViews`
			`AllowOverride All`
		`</Directory>`
		
		`ErrorLog /var/log/httpd/bsr16.org-error.log`
	`</VirtualHost>`

# Testing

There are a number of openssl security issues and the stock Apache ssl.conf file may also have issues so testing is highly recommended:
https://www.ssllabs.com/ssltest 


# Sources/Thank You

## For Self-Signed Certificates
http://fbcs.co.uk/self-signed-multiple-domain-ssl-certificates

## For Apache configuration
https://wiki.apache.org/httpd/NameBasedSSLVHostsWithSNI

## OpenSSL Issues and Fixes
https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/