Installing SSL Certificates on NGINX with SNI and Multiple Domains Support

When hosting multiple websites or applications on a single NGINX server, enabling HTTPS for each domain is essential for security and SEO. With Server Name Indication (SNI), NGINX can serve different SSL certificates based on the requested hostname, allowing multiple domains to coexist securely on a single IP address.

In this blog, we’ll walk you through the complete process of installing and configuring SSL certificates on NGINX with SNI and multi-domain support. We’ll also explain the importance of SNI, show configuration examples, and highlight key considerations to ensure smooth SSL implementation.

What Is SNI?

Server Name Indication (SNI) is an extension to the TLS protocol that allows a client (like a browser) to specify the hostname it’s connecting to during the handshake. This enables the server to present the correct SSL certificate for that specific domain, even if multiple domains share the same IP address.

Without SNI, hosting multiple HTTPS websites on one server with a single IP address wouldn’t be possible without a wildcard or SAN certificate. SNI resolves that by enabling per-domain SSL configurations.

Supported Clients:
SNI is supported by nearly all modern browsers and operating systems, including Chrome, Firefox, Edge, Safari, and mobile devices. However, very old browsers (e.g., IE on Windows XP) don’t support it.

Prerequisites

Before we begin, make sure:

  1. You have root or sudo access to your server.

  2. NGINX is installed (nginx -v to check).

  3. You own multiple domain names and have valid SSL certificates for each.

  4. Your server OS supports OpenSSL (most do).

Step 1: Obtain SSL Certificates

There are two main ways to get SSL certificates for your domains:

Option A: Use Let’s Encrypt (Free, Automated)

Install Certbot, Let’s Encrypt’s official client:

sudo apt install certbot python3-certbot-nginx

Then run:

sudo certbot --nginx -d example.com -d www.example.com

Repeat for other domains:

sudo certbot --nginx -d example2.com -d www.example2.com

Option B: Use Commercial SSL Certificates

If you bought a certificate from a Certificate Authority (like Certera or SignMyCode), you'll receive:

  1. A certificate file (example_com.crt)

  2. A private key (example_com.key)

  3. A CA bundle or intermediate file

Place the certificate file and the CA bundle in /etc/ssl/certs/ and the private key in /etc/ssl/private/.

Step 2: Configure NGINX for Each Domain

With SSL certificates in place, it’s time to configure NGINX to respond to each domain over HTTPS using SNI.

Here’s an example NGINX configuration for two domains: example.com and example2.com.

Configuration:

    # Domain 1
    server {
        listen 443 ssl;
        server_name example.com www.example.com;

        ssl_certificate /etc/ssl/certs/example_com.crt;
        ssl_certificate_key /etc/ssl/private/example_com.key;
        ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt;

        location / {
            root /var/www/example.com;
            index index.html;
        }
    }

    # Domain 2
    server {
        listen 443 ssl;
        server_name example2.com www.example2.com;

        ssl_certificate /etc/ssl/certs/example2_com.crt;
        ssl_certificate_key /etc/ssl/private/example2_com.key;
        ssl_trusted_certificate /etc/ssl/certs/ca_bundle.crt;

        location / {
            root /var/www/example2.com;
            index index.html;
        }
    }

Make sure both domain names are correctly resolving to your server’s IP (via DNS A or CNAME records).

Step 3: Enable HTTP to HTTPS Redirect (Optional but Recommended)

To ensure all traffic uses HTTPS, redirect HTTP to HTTPS using an additional server block:

    server {
        listen 80;
        server_name example.com www.example.com;
        return 301 https://$host$request_uri;
    }

Do the same for all domains you host.

Step 4: Test the Configuration

Run the following command to test for syntax errors:

sudo nginx -t

If everything is OK, reload NGINX:

sudo systemctl reload nginx

Now visit https://example.com and https://example2.com in your browser—you should see valid SSL padlocks and the correct site content.
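
nginx -t confirms that the configuration loads, but it does not show which certificate file each hostname maps to or whether every HTTPS hostname also has a redirect block. The Python script below is an added example, not code from the original post: it reads a configuration shaped like the ones in Steps 2 and 3 and reports the hostname-to-certificate mapping, plus hostnames that lack a redirect, appear in two HTTPS blocks, or miss a certificate or key directive. The function names and sample text are constructed for illustration, and the parser assumes the plain server { ... } layout used on this page (no include files or quoted arguments).

```python
import re

SAMPLE_CONF = """# Constructed sample: the page's two HTTPS blocks and its one redirect.
server { listen 443 ssl; server_name example.com www.example.com;
  ssl_certificate /etc/ssl/certs/example_com.crt;
  ssl_certificate_key /etc/ssl/private/example_com.key;
  location / { root /var/www/example.com; index index.html; } }
server { listen 443 ssl; server_name example2.com www.example2.com;
  ssl_certificate /etc/ssl/certs/example2_com.crt;
  ssl_certificate_key /etc/ssl/private/example2_com.key; }
server { listen 80; server_name example.com www.example.com;
  return 301 https://$host$request_uri; }
"""

def server_blocks(conf):
    """Yield the body of each server { ... } block, found by brace matching."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += (conf[i] == "{") - (conf[i] == "}")
            i += 1
        yield conf[m.end():i - 1]

def directives(body):
    """Map directive name -> argument lists, ignoring nested blocks (location)."""
    while re.search(r"\{[^{}]*\}", body):  # peel innermost { ... } first
        body = re.sub(r"[^;{}]*\{[^{}]*\}", "", body)
    out = {}
    for parts in filter(None, (s.split() for s in body.split(";"))):
        out.setdefault(parts[0], []).append(parts[1:])
    return out

def audit(conf):
    """Return ({hostname: certificate path}, [findings]) for one config text."""
    certs, redirected, findings = {}, set(), []
    for d in map(directives, server_blocks(conf)):
        names = [n for args in d.get("server_name", []) for n in args]
        if any("ssl" in a for a in d.get("listen", [])):
            cert = next((a[0] for a in d.get("ssl_certificate", []) if a), None)
            if cert is None or "ssl_certificate_key" not in d:
                findings.append(f"{names}: certificate or key directive missing")
            findings += [f"{n}: in more than one HTTPS block" for n in names if n in certs]
            certs.update(dict.fromkeys(names, cert))
        elif any(x.startswith("https://") for a in d.get("return", []) for x in a):
            redirected.update(names)
    findings += [f"{n}: no HTTP-to-HTTPS redirect" for n in sorted(set(certs) - redirected)]
    return certs, findings
```

For the sample, audit(SAMPLE_CONF) reports that example2.com and www.example2.com have no redirect block, which is the gap Step 3 addresses with "Do the same for all domains you host."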

Example Table: SNI Configuration Summary

Here’s a quick reference table to understand how SSL is handled with SNI on NGINX.

| Domain | Certificate File | Private Key File | Root Directory |
|---|---|---|---|
| example.com | /etc/ssl/certs/example.crt | /etc/ssl/private/example.key | /var/www/example.com |
| example2.com | /etc/ssl/certs/example2.crt | /etc/ssl/private/example2.key | /var/www/example2.com |

Troubleshooting Tips

  1. Port 443 Not Open: Ensure your firewall allows traffic on port 443.

  2. Incorrect Certificate: Double-check that the certificate matches the domain.

  3. Missing Intermediate CA: If the browser shows a warning about trust, add the CA bundle using ssl_trusted_certificate.

  4. Permissions: Ensure that .key files are readable only by root (chmod 600).

Best Practices

  1. Use Strong Ciphers and TLS Settings: Harden your SSL configuration for better security by using the Mozilla SSL Configuration Generator.

  2. Set up Auto-Renewal: Use cron jobs or Certbot’s timer to automatically renew certificates every 60–90 days.

  3. Monitor Expiration Dates: Set reminders if you use commercial SSL certificates.

Final Thoughts

Using SNI with NGINX is a powerful way to host multiple secure domains on a single server without needing multiple IP addresses. Whether you're running a multi-tenant SaaS platform or simply consolidating personal projects, this approach simplifies SSL management and improves scalability.

If you want automated certificate provisioning and renewal, Let’s Encrypt is great for most use cases. For higher-trust or enterprise-grade needs, commercial certificates like those from Certera offer better validation, warranties, and support.

Want help automating your multi-domain SSL deployment with NGINX? Drop us a message—we’ll be happy to assist!

Peter Fitzgerald

Mostly opinions and ideas. No endorsements. Data security and encryption.