According to these two answers [1] [2] it's possible to have two SSL certificates serving from the same Apache Tomcat
using Server Name Indication (SNI).
My question is then, how to setup this? I could setup two virtual hosts but I still have then just one connector which presents the specified SSL certificate to the client. In the connector one can specify the keystore and alias to use for the certificate but there is no parameter saying for which virtual host this connector is for or which certificate he should present to the client according to the used domain.
How can I tell tomcat which SSL certificate (or to be more correct which keystore) he has to use while using SNI?
[1] https://stackoverflow.com/a/10173447
[2] https://stackoverflow.com/a/6343059
A lot of people want to know whether you can install multiple SSL certificates on a single domain. The answer is yes.
SNI is an extension for the TLS protocol (formerly known as the SSL protocol), which is used in HTTPS. It's included in the TLS/SSL handshake process in order to ensure that client devices are able to see the correct SSL certificate for the website they are trying to reach.
You need to re-read the answers to those question. SNI is not supported on the server side until Java 8. The minimum Java version that Tomcat 8 has to support is Java 7 so at the moment there i no SNI support in Tomcat.
It may be possible to optionally support SNI if Tomcat is running on Java 8 or later but that would need code changes in Tomcat for which there are currently no plans.
Update as of December 2014:
Adding SNI support is on the TODO list for Tomcat 9. That TODO list is quite long and SNI is not currently at the top of the list. As always patches are welcome.
Once SNI is implemented in Tomcat 9 it is possible that SNI support might be back-ported to Tomcat 7 and Tomcat 8. Again, patched welcome.
Update as of June 2015:
SNI has been implemented for Tomcat 9. It is supported by all three HTTP connector implementations (NIO, NIO2 and APR/native). To use SNI with NIO or NIO2 you will need to compile Tomcat 9 (a.k.a. trunk) from source. To use SNI with APR/native you will also need to compile tc-native trunk (not the 1.1.x branch currently used by the Tomcat releases).
TLS configuration has changed significantly to support SNI. Details will be in the docs web application once you have build Tomcat 9.
Update as of November 2016:
SNI support is included in Tomcat 8.5.x. It is unlikely it will be back-ported further. i.e. It is unlikely to make it to 8.0.x or 7.0.x.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With