Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using multiple SSL certificates in Tomcat 7

Tags:

ssl

ssl-certificate

tomcat

tomcat7

I've been using a wildcard SSL certificate in Apache Tomcat 7. But now that I have to renew, I see there are these EV (extended verification) SSL certificates where browsers show a nice green bar so users feel better. That would be important for my site, so I want it! But I have multiple subdomains and apparently EV SSL certificates are NOT wildcard by nature. So ok, I have a set number of subdomains, I can just buy a bunch (I definitely need at least 2) EV SSL certificates for each subdomain.

Can I set this up in Tomcat 7 so that there are multiple SSL certificates on 1 web application? It's not a problem for me to assign multiple IP addresses to this machine.

like image 604
at. Avatar asked Jun 12 '11 21:06

at.

2 Answers

Without Server Name Indication (SNI), which is not supported in Java (6), you need one certificate per IP address.

You can configure Tomcat to use multiple connectors, with different IP addresses and certificates, using the address attribute.

For example:

<Connector 
       port="8443" maxThreads="200" address="10.0.0.1"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore1.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>
<Connector 
       port="8443" maxThreads="200" address="10.0.0.2"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore2.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>

You may also be able to use the same keystore, if you need, and use the keyAlias attribute (in Connector) to tell the connector which key/certificate to use (based on the alias name in the keystore).

like image 135
Bruno Avatar answered Sep 21 '22 14:09

Bruno

I am not sure, here if "SNI" is really relevant.

But in your case, the typical solution would be so called ssloffloading or ssl Termination: i.e. put your tomcat behinde an apache, which configured to use multiple vhosts / domain names on the same ip. You could configure for each vhost in apache to use its own SSL certificate.

There is a step by step guide for this topic here:

http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html

like image 23
user2015105 Avatar answered Sep 19 '22 14:09

user2015105
Sign in to Comment

Related questions

Docker not able to pull images behind proxy TLS handshake timeout
Using XmlRpc in C++ and Windows
Problem with getting error description after SSL_CTX_new returned NULL
SSL problem on iPhone
PayPal IPN: unable to get local issuer certificate
How can I extract a key from an SSL certificate?
Curl is unable to access github.com due to "unknown message digest algorithm"
Anyway for setting Telegram Webhook without setting up https connection
Does renewing SSL certificate require re-issuing the cert?
Reliable way to get root CA certificates on Windows
Adding a custom certificate to an OkHttp Client
Specify SSL for Heroku external MySQL database connection
Switching from http to https. Invalid certificate
SSL Error: illegal parameter alert
Mocking HTTPS responses in Go
Bower calls blocked by corporate proxy and then I get errors when updating .bowerrc
Cakephp 3 error trying to send email with gmail
Java SSL Certificate Revocation Checking
Are the cookies for PHP sessions secure?
Rails 3: Make sure the user uses https

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!