Tutorial: Configure Multiple SSL Certificates with Server Name Indication (SNI) in Access Server
Learn how to configure Server Name Indication (SNI) in OpenVPN Access Server to serve multiple SSL certificates for different domain names on the same server.
Overview
Server Name Indication (SNI) allows a single Access Server instance to present different SSL certificates based on the domain name requested by the client. This makes it possible to host multiple domains on the same Access Server while serving the correct SSL certificate for each domain.
With this configuration, you can run multiple domain SSL certificates on Access Server, allowing different hostnames to use their own trusted certificates while pointing to the same server.
This tutorial explains how to configure Server Name Indication in OpenVPN Access Server using the command-line interface. After completing this configuration, your Access Server can host multiple domains with different SSL certificates, enabling secure connections for each hostname.
For example, you can configure:
vpn1.company.comto use Certificate A.vpn2.company.comto use Certificate B.The server IP address or unspecified domains to use the default certificate.
This Access Server SNI configuration is useful when:
Hosting multiple VPN portals on one server.
Serving different organizations from the same Access Server.
Using separate domain certificates for branding or compliance.
Tip
This is an advanced configuration and currently must be performed from the command line. There aren't corresponding options in the Admin Web UI.
For general information on SSL certificates in Access Server, refer to SSL Certificates on Access Server's Web Services.
Prerequisites
Before configuring multiple web certificates on Access Server, ensure you have the following:
Access Server 3.1.0 or newer.
Console access and the ability to get root access.
A domain name pointing to your Access Server for each certificate.
For each domain, the following certificate files:
SSL certificate (
.crt).Private key (
.key).CA bundle or intermediate certificate (
.ca-bundle).
Configuration Concept
Access Server always has a default SSL certificate configured. This certificate is presented when:
Users connect using the server IP address.
A domain name is requested that doesn't have a specific SNI entry.
The default certificate uses the following configuration keys:
Configuration Key | Description |
|---|---|
| Default SSL certificate |
| Private key for the default certificate |
| CA bundle for the default certificate |
Note
For managing the default certificate, refer to Tutorial: Install a Signed SSL Certificate from the Command-line Interface
How SNI works in Access Server
SNI allows Access Server to present different certificates depending on the hostname requested by the client.
Additional certificate mappings are stored under the cs.sni configuration namespace.
Each SNI configuration block includes:
Key | Description |
|---|---|
| Domain name that triggers this certificate. |
| SSL certificate |
| Private key |
| CA bundle |
Where:
Identifier = a unique name you define for the certificate set
index = a number starting at
0
Step-by-step configuration example
In this example, Access Server will serve:
Domain | Certificate |
|---|---|
| Certificate A |
| Certificate B |
Server IP or other domains | Default certificate |
Prepare the SSL certificate files for each domain that will use SNI.
Connect to your Access Server console and get root privileges.
Create directories to store the certificate files for each domain:
mkdir --parents /etc/webcerts/vpn1.company.com/ mkdir --parents /etc/webcerts/vpn2.company.com/
Upload the following files to the appropriate directory for each domain:
SSL certificate (
.crt).Private key (
.key).CA bundle or intermediate certificate (
.ca-bundle).Tip
Example directory structure:
/etc/webcerts/vpn1.company.com/vpn1.company.com.crt /etc/webcerts/vpn1.company.com/vpn1.company.com.key /etc/webcerts/vpn1.company.com/vpn1.company.com.issuer.crt
You can upload the files using:
SCP or SFTP.
A file transfer application.
wgetif downloading from a remote source.
Important
Ensure the certificates are in PEM format. Access Server doesn't support .p12 or .pfx certificate formats. You can convert files from .pfx to PEM type with the DigiCert Certificate Utility for Windows.
Configure Access Server to serve a certificate when the domain vpn1.company.com is requested.
The identifier forvpn1company is a unique label used for this SNI configuration.
Connect to the Access Server console and get root privileges.
Configure the domain name that will trigger the certificate:
sacli --key "cs.sni.forvpn1company.domains.0" --value "vpn1.company.com" ConfigPut
Configure the SSL certificate:
sacli --key "cs.sni.forvpn1company.cert" \ --value_file /etc/webcerts/vpn1.company.com/vpn1.company.com.crt \ ConfigPut
Configure the private key:
sacli --key "cs.sni.forvpn1company.priv_key" \ --value_file /etc/webcerts/vpn1.company.com/vpn1.company.com.key \ ConfigPut
Configure the CA bundle:
sacli --key "cs.sni.forvpn1company.ca_bundle" \ --value_file /etc/webcerts/vpn1.company.com/vpn1.company.com.issuer.crt \ ConfigPut
Configure a second domain, vpn2.company.com, to use a different certificate.
The identifier forvpn2company is a unique label used for this SNI configuration.
Configure the domain that will trigger the certificate:
sacli --key "cs.sni.forvpn2company.domains.0" --value "vpn2.company.com" ConfigPut
Configure the SSL certificate:
sacli --key "cs.sni.forvpn2company.cert" \ --value_file /etc/webcerts/vpn2.company.com/vpn2.company.com.crt \ ConfigPut
Configure the private key:
sacli --key "cs.sni.forvpn2company.priv_key" \ --value_file /etc/webcerts/vpn2.company.com/vpn2.company.com.key \ ConfigPut
Configure the CA bundle:
sacli --key "cs.sni.forvpn2company.ca_bundle" \ --value_file /etc/webcerts/vpn2.company.com/vpn2.company.com.issuer.crt \ ConfigPut
You can repeat this process for additional domains if your Access Server hosts multiple domains with separate SSL certificates.
Restart Access Server so the new SNI configuration is applied.
Restart the Access Server service:
sacli start
Wait for the service restart to complete before testing the configuration.
After restarting Access Server, verify that the correct SSL certificate is served for each domain.
Open a web browser and navigate to the first configured domain, https://vpn1.company.com:943.
Note
By default, Access Server web services listen on TCP port 943 (Admin and Client Web UI) and TCP port 443 for redirected HTTPS access.
Inspect the SSL certificate presented by the server. You can usually do this by clicking the padlock icon in the browser address bar.
Confirm that the certificate matches the one configured for
vpn1.company.com.Navigate to the second configured domain, https://vpn2.company.com:943.
Note
By default, Access Server web services listen on TCP port 943 (Admin and Client Web UI) and TCP port 443 for redirected HTTPS access.
Inspect the certificate again and confirm that it matches the one configured for
vpn2.company.com.Navigate to Access Server using its IP address. Example: https://203.0.113.5:943.
Verify that the default certificate is presented when accessing the server via IP address or a domain without an SNI entry.
Verify the SSL certificate is present for each domain from the command line.
Connect to the console and get root privileges.
Run the following command to check the certificate presented for the domains:
echo | openssl s_client -connect vpn1.company.com:943 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates echo | openssl s_client -connect vpn2.company.com:943 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates echo | openssl s_client -connect 203.0.113.5:943 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Example output:
root@openvpnas:~# echo | openssl s_client -connect vpn1.company.com:943 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates subject=CN = vpn1.company.com issuer=C = US, ST = NA, L = NA, O = MyOrg, OU = IT, CN = MyRootCA notBefore=Mar 12 03:43:16 2026 GMT notAfter=Jun 14 03:43:16 2028 GMT root@openvpnas:~# echo | openssl s_client -connect vpn2.company.com:943 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates subject=CN = vpn2.company.com issuer=C = US, ST = NA, L = NA, O = MyOrg, OU = IT, CN = MyRootCA notBefore=Mar 12 03:43:47 2026 GMT notAfter=Jun 14 03:43:47 2028 GMT root@openvpnas:~# echo | openssl s_client -connect 203.0.113.5:943 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates subject=CN = 203.0.113.5 issuer=CN = OpenVPN Web CA 2026.03.12 11:09:10 -05 openvpnas notBefore=Mar 11 11:09:32 2026 GMT notAfter=Mar 12 11:09:32 2027 GMT
You should receive these expected results:
vpn1.company.comshould return Certificate A.vpn2.company.comshould return Certificate B.The server IP address should return the default Access Server certificate.
If you no longer need a domain-specific certificate, you can remove the SNI configuration.
Connect to the Access Server console and get root privileges.
Delete the configuration keys associated with the SNI identifier. Example: removing the forvpn1company entry:
sacli --key "cs.sni.forvpn1company.domains.0" ConfigDel sacli --key "cs.sni.forvpn1company.cert" ConfigDel sacli --key "cs.sni.forvpn1company.priv_key" ConfigDel sacli --key "cs.sni.forvpn1company.ca_bundle" ConfigDel
Restart Access Server to apply the changes:
sacli start
Verify that the configuration was removed by navigating to the domain in a browser.
Tip
You can confirm the SNI configuration from the command line. Run the following to list all configured SNI entries and their associated domains:
sacli ConfigQuery | grep cs.sni