I have searched and can't find clear mentorship on serving multiple domain names via one master site name, regarding SSL. How is the industry generally doing this? NameVirtualHost directive does not apply here, I understand the difference between IP-Based and Name-Based.

I am asking this forum because I run Apache and do the SSL in Apache. I have F5 load balancers fronting too. SSL certs are currently loaded at the HTTP Server and not at the F5 network tier.

All my public domain names are currently entry points into the same site content (one HTTP Server, single DocumentRoot). The user experience is poor by having SSL mismatch prompts when https is invoked and domain name preservation with http requests.

The DNS A records of ALL domains resolve to one IP address, the main HTTP Server. This HTTP Server is obviously mismatching on the certificate and asking for acknowledgment, then evaluating, and then redirecting the client back to itself via 301/302 responses. UGLY!

I inherited many, many, many domain names and wish them to begin falling under the scope of the one primary site domain name. I wish this directly out of the HTTPS location gate, without a CN mismatch. I can account for the HTTP requests easily.

Example (hidden names and IP addresses but you get the idea):

mycompany.com (main domain) DNS: 192.168.1.10
aaa.com (owned domain) DNS: 192.168.1.10
bbb.com (owned domain) DNS: 192.168.1.10
ccc.com (owned domain) DNS: 192.168.1.10
ddd.com (owned domain) DNS: 192.168.1.10
eee.com (owned domain) DNS: 192.168.1.10
fff.com (owned domain) DNS: 192.168.1.10

All above DNS names resolve to the same IP address. If you enter an OWNED domain url ( such as aaa.com), the SSL handshake will produce a mismatch on the common name which is understandable.

I don't wish to create IP-Based <VirtualHost> containers for all possible and PURCHASE CA certificates just to load the cert, eval, and then redirect. Same goes for loading many certs in the F5 load balancer.

I guess I could burn network addresses for each and every domain and build individual vhosts or F5 VIPs to redirect. Configuration management pain at each tier. Pick your infrastructure management poison!

I have been investigating moving to subdomaining, like MAIL.domain.com, MY.domain.com, and ME.domain.com, and buying a wildcard certificate.

Due to the SSL protocol under the hood. I've start considering setting up IP-BASED virtual hosts. I am not seeing any other clear way.

Should I:

A) Create many Apache <VH> containers and buy many SSL certs to match the CN, acknowledge the certificate , and simply redirect.

B) Create F5 VIP pools, each loaded with individually matched certificates, then send a redirect back to the client.

C) Create many F5 pools and have the F5 maybe NAT, pass through or redirect blinding to backend Apache binded interfaces.

What is industry best practice for owning many domain names and serving HTTPS to one Apache instance?

Advice please

Cheers,
D