
SNI for multiple SSL certificates in Nginx - Step-by-Step Execution

Process Flow - SNI for multiple SSL certificates
Client connects to server
Client sends hostname in TLS handshake (SNI)
Server reads SNI hostname
Server selects matching SSL certificate
Server completes TLS handshake with selected cert
Secure connection established
Server serves content for requested hostname
The server uses the hostname sent by the client during TLS handshake (SNI) to pick the right SSL certificate and establish a secure connection.
Execution Sample
Nginx
server {
  listen 443 ssl;
  server_name example.com;
  ssl_certificate /etc/ssl/example.com.crt;
  ssl_certificate_key /etc/ssl/example.com.key;
}

server {
  listen 443 ssl;
  server_name test.com;
  ssl_certificate /etc/ssl/test.com.crt;
  ssl_certificate_key /etc/ssl/test.com.key;
}
Two server blocks listen on port 443 with SSL, each serving a different domain with its own SSL certificate using SNI.
Process Table
Step | Client Hostname (SNI) | Server Action | SSL Certificate Selected | Connection Outcome
1 | example.com | Reads SNI hostname 'example.com' | /etc/ssl/example.com.crt | TLS handshake completes with example.com cert
2 | test.com | Reads SNI hostname 'test.com' | /etc/ssl/test.com.crt | TLS handshake completes with test.com cert
3 | unknown.com | Reads SNI hostname 'unknown.com' | Default or no matching cert | TLS handshake may fail or use default cert
4 | - | No more connections | - | Execution stops
💡 No more client connections to process
Status Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3 | Final
Client Hostname (SNI) | - | example.com | test.com | unknown.com | -
Selected SSL Certificate | - | /etc/ssl/example.com.crt | /etc/ssl/test.com.crt | Default or none | -
Connection Status | - | Success | Success | Fail or default | -
Key Moments - 2 Insights
Why does the server need the client to send the hostname during TLS handshake?
Because the server uses the hostname from SNI to pick the correct SSL certificate before completing the handshake, as shown in Process Table steps 1 and 2.
What happens if the client sends a hostname that the server does not have a certificate for?
The server either uses a default certificate or the handshake fails, as seen in Process Table step 3, where 'unknown.com' has no matching cert.
Visual Quiz - 3 Questions
Test your understanding
Looking at the Process Table, which SSL certificate is selected when the client sends 'test.com'?
A. Default or no matching cert
B. /etc/ssl/test.com.crt
C. /etc/ssl/example.com.crt
D. No certificate selected
💡 Hint
Check the row of the Process Table where Client Hostname is 'test.com'.
At which step does the TLS handshake possibly fail due to no matching certificate?
A. Step 3
B. Step 2
C. Step 1
D. Step 4
💡 Hint
Look for the step with the 'unknown.com' hostname in the Process Table.
If the server did not use SNI, what would happen when multiple SSL certificates are configured?
A. Server picks the right certificate automatically
B. Server rejects all connections
C. Server uses only one certificate for all hostnames
D. Server sends all certificates to client
💡 Hint
Think about why SNI is needed, as explained in Key Moments and the Process Flow.
Concept Snapshot
SNI allows a server to use multiple SSL certificates on one IP.
Client sends hostname during TLS handshake.
Server reads hostname and selects matching certificate.
Without SNI, only one certificate can be used per IP.
Configured in nginx with multiple server blocks on port 443.
Each server block has its own ssl_certificate and ssl_certificate_key.
Full Transcript
When a client connects to a server using HTTPS, it sends the hostname it wants to reach during the TLS handshake using a feature called SNI. The server reads this hostname and chooses the correct SSL certificate to use for that connection. This allows one server IP to serve many domains securely with different certificates. In nginx, this is done by creating multiple server blocks listening on port 443 with ssl enabled, each specifying its own server_name and SSL certificate files. If the client sends a hostname that the server does not recognize, the server may use a default certificate or the handshake may fail. Without SNI, the server can only use one certificate per IP address, which limits hosting multiple secure sites on the same IP.
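To make the "client sends hostname, server reads it and picks a certificate" steps concrete, here is an added Python model (not from this page or from nginx): it constructs a minimal ClientHello carrying the server_name extension, parses the hostname back out the way a server must before choosing a certificate, and maps it onto the two server blocks above. Treating the first block as the fallback for an unmatched name models nginx's default-server behaviour and is an assumption about this particular config.

```python
import os
import struct
# Certificate paths taken from the nginx config on this page. The first entry stands in
# for nginx's default server, which an unmatched SNI name falls through to (assumption).
SERVERS = {
    "example.com": "/etc/ssl/example.com.crt",
    "test.com": "/etc/ssl/test.com.crt",
}

def build_client_hello(hostname: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying a server_name extension."""
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
    sni_ext = struct.pack("!H", len(sni_entry)) + sni_entry      # ServerNameList
    extensions = struct.pack("!HH", 0x0000, len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03" + os.urandom(32)             # client_version, random
        + b"\x00"                                # empty session_id
        + struct.pack("!H", 2) + b"\xc0\x2f"     # one cipher suite
        + b"\x01\x00"                            # null compression only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> "str | None":
    """Walk the ClientHello and return the host_name from its SNI extension, or None."""
    if len(record) < 43 or record[0] != 0x16 or record[5] != 0x01:
        return None                              # not a handshake record / ClientHello
    pos = 9 + 2 + 32                             # skip headers, version, random
    pos += 1 + record[pos]                       # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                       # compression_methods
    if pos + 2 > len(record):
        return None                              # no extensions block: client sent no SNI
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:                   # server_name extension
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5 : pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None

def select_certificate(record: bytes) -> "tuple[str | None, str]":
    """Mimic the nginx step: match SNI against server_name, else use the default server's cert."""
    sni = extract_sni(record)
    return sni, SERVERS.get(sni, next(iter(SERVERS.values())))
```

The third case reproduces Process Table step 3: 'unknown.com' matches no server_name, so the connection gets the default server's certificate and the client's name check fails rather than the handshake being refused.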