IBM HTTP Server does allow a single SSL/TLS certificate to be presented for multiple virtual hosts. It allows this capability by supporting Server Alternate Names (SANs) on certificates rather than by supporting TLS Server Name Indication (SNI). (Just to be clear - no versions of IHS support SNI as of IHS version 8.5).
This article defines this capability:
IP-Based Virtual Hosting must be used if configuring multiple SSL Virtual Hosts,
but it does it in a VERY confusing way, with an even MORE confusing title. The meat of the solution is in the following text from the above article:
Exception Note: If the Keyfile uses a SAN Certificate (support for multiple domain names) Name-Based virtual hosting can be used instead. When using a SAN Certificate the first SSL VirtualHost will be used for the SSL handshake. After the handshake completes the SSL Virtualhost used for the HTTP request processing is determined by the ServerName directive that matches the host header supplied in the client requestNameVirtualHost 1.2.3.4:80NameVirtualHost 1.2.3.4:443<VirtualHost 1.2.3.4:80>ServerName www.CompanyA.comServerAdmin webmaster@CompanyA.comDocumentRoot /www/html/CompanyAErrorLog /www/logs/CompanyA/error_logTransferLog /www/logs/CompanyA/access_log</VirtualHost><VirtualHost 1.2.3.4:80>ServerName www.CompanyB.comServerAdmin webmaster@CompanyB.comDocumentRoot /www/html/CompanyBErrorLog /www/logs/CompanyB/error_logTransferLog /www/logs/CompanyB/access_log</VirtualHost><VirtualHost 1.2.3.4:443>SSLEnableSSLClientAuth noneServerName www.CompanyA.comServerAdmin webmaster@CompanyA.comDocumentRoot /www/html/CompanyAErrorLog /www/logs/CompanyA/error_logTransferLog /www/logs/CompanyA/access_log</VirtualHost><VirtualHost 1.2.3.4:443>SSLEnableSSLClientAuth noneServerName www.CompanyB.comServerAdmin webmaster@CompanyB.comDocumentRoot /www/html/CompanyBErrorLog /www/logs/CompanyB/error_logTransferLog /www/logs/CompanyB/access_log</VirtualHost>SSLDisableKeyfile /usr/lpp/HTTPServer/keys/Keyfile.kdbSSLV2Timeout 100SSLV3Timeout 1000
In this case, your keyfile (Keyfile.kdb) would only contain one server certificate.
You can view information on SAN Certificates here:
http://www-01.ibm.com/support/docview.wss?uid=swg21444027
And in case you were wondering, I'm pretty certain the above will NOT work for the Tivoli Enterprise Portal Server (TEPS) because of multiple specifications of the host name and/or IP address that must all match correctly.