Sorry for such a noob question, but I'm getting conflicting answers from different folks.
I will be hosting one SSL-enabled domain and 17 virtual hosts on my Apache server. Do I need an extra IP address or is the one supplied by Slicehost good enough for this?
I was asking the same thing just this month and this is the definitive "classical" answer: for one SSL-enabled domain, one IP address is enough. Basically, you can host any number of non-SSL virtual hosts plus one SSL virtual host on any one IP address.
Now, technically there are ways to work around that - you can have different SSL vhosts on different ports, for example, or I hear mod_ssl is coming out with something called SNI (server name identification) that allows name-based virtual hosting of multiple SSL domains on a single IP. There's also a separate module, mod_gnutls (I think) that does more or less the same thing. But none of that is particularly well established, and unless you're interested in tinkering with SSL setups for the fun of it, I'd stick to one SSL domain per IP address.
And what do you know, I may have spoken too soon ;-) I was trying to configure TLS for Postfix today and came across this:
http://wiki.cacert.org/wiki/CSRGenerator?action=show&redirect=VhostsApache
Apparently they are giving a procedure for doing name-based virtual hosting with multiple SSL domains on one IP address on a single port (443). I'm not quite sure whether to believe it though . . . I think I'll have to try that at some point. I can post a reply here if I get it working, if you'd be interested.
Just thought I'd post a little update: apparently the SubjectAltName technique described in that article doesn't have much support from current browsers. What I wound up doing is just getting a plain old certificate for one domain and using that domain for all my public SSL pages. The other domains that I wanted to be SSL-secured were administrative domains that only I'd have to access, so I just configured my browser to ignore the name mismatch for those.
Posted By: diazona
"apparently the SubjectAltName technique described in that article doesn't have much support from current browsers"
I'm using one of these certificates myself (self-signed) and have set one up for a client (from GoDaddy), and I've found them to be surprisingly well supported. So much so, in fact, that I wonder why we haven't been using these even longer.
I tested it with great results in Firefox, Safari, and IE6/7. Which browsers have you had trouble with?
I didn't test it, I read it on a webpage somewhere . . . don't remember the URL, but it was dated fairly recently and it identified recent versions of several browsers that were reported not to work with SubjectAltName. I seem to remember Konqueror 3.5.7 being on the list.
It probably doesn't apply, but you can also use a wildcard certificate with as many virtual subdomains as you want on a single IP. This isn't good if you are reselling to multiple customers, but it can let you do things like:
Yeah, wildcards are great if you're securing a bunch of your own subdomains. Multi-domain certificates also aren't really appropriate for hosting others' domains because a) you'll have to get a new certificate every time you want to add one, and b) anyone who cares to read the certificate info can see all the domains it's set up for. Not that this last is a problem necessarily, but it might look a little unprofessional if you're hosting sites for clients. Minor privacy leak there as well.
I wonder if I could create a multi-domain certificate with a bunch of wildcards instead of listing the hostnames individually. Interesting idea. Maybe I'll try that.
I've tested a multi-domain certificate from GoDaddy all the way back to IE6 and not had a problem. I tried it in Firefox and Safari on OS X and both Firefox and IE 6/7 on Windows.
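As an added example (not posted by anyone in this thread): a small Python check of which virtual host names a multi-domain or wildcard certificate covers, and which other names it reveals to a visitor, the two points raised about SubjectAltName and wildcard certificates above. The host names and SAN list are constructed, and the matching rule (a wildcard stands for exactly one leftmost label) is an assumption stated in the code.

```python
def san_matches(pattern: str, host: str) -> bool:
    """Match one SubjectAltName dNSName entry against a host name.

    Assumed rule: '*' is honoured only as the whole leftmost label and
    stands for exactly one label, so '*.example.org' covers
    'admin.example.org' but neither 'example.org' nor 'a.b.example.org'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Conservative choice for this example: refuse '*.com'-style entries.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def coverage(vhosts, san_entries):
    """Map each vhost name to the first SAN entry covering it, or None."""
    return {
        host: next((s for s in san_entries if san_matches(s, host)), None)
        for host in vhosts
    }


def exposed_names(san_entries, for_host):
    """SAN entries for *other* sites that a visitor to for_host can read."""
    return [s for s in san_entries if not san_matches(s, for_host)]


# Constructed sample data: one certificate shared by all SSL vhosts on one IP.
SAN = ["example.org", "*.example.org", "*.example.net", "shop.example.com"]
VHOSTS = [
    "example.org", "admin.example.org", "a.b.example.org",
    "example.net", "www.example.net", "shop.example.com", "example.com",
]

if __name__ == "__main__":
    for host, entry in coverage(VHOSTS, SAN).items():
        status = f"covered by {entry}" if entry else "NOT covered (name mismatch)"
        print(f"{host:20} {status}")
    print("visible to shop.example.com visitors:",
          exposed_names(SAN, "shop.example.com"))
```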