Re: multiple virtual hosts and ssl certificates

2006-08-25 Thread Andrés González

> > In 5.5.9 you can put all your certificates in one
> > keystore ...
> > I suggest you don't proliferate keystores unless you
> > really have to...
>
> Why? It seems far more manageable to me having them separate...

Mmm... I don't agree. Only one keystore, only one location for it, only
one password. I like the idea.


--

-=-=-=-=-=-=-=-=-=-=-=-=-
Andrés González.

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: multiple virtual hosts and ssl certificates

2006-08-25 Thread Hassan Schroeder

On 8/25/06, Paul Singleton <[EMAIL PROTECTED]> wrote:

> In 5.5.9 you can put all your certificates in one
> keystore ...
> I suggest you don't proliferate keystores unless you
> really have to...

Why? It seems far more manageable to me having them separate...

--
Hassan Schroeder  [EMAIL PROTECTED]




Re: multiple virtual hosts and ssl certificates

2006-08-25 Thread Paul Singleton

Hassan Schroeder wrote:

> On 8/25/06, teknokrat <[EMAIL PROTECTED]> wrote:
>
> > So let's see if I understand this correctly. I can only have multiple SSL
> > certificates if I create different Services in server.xml pointing to
> > different ports?
>
> No, you don't need different Services; you need a Connector and
> associated keystore per IP (or IP/port) that you want to secure.

In 5.5.9 you can put all your certificates in one
keystore (e.g. the default one for simplicity) under
different aliases, then use the (still) undocumented
attribute

  

I suggest you don't proliferate keystores unless you
really have to...

Paul Singleton




Re: multiple virtual hosts and ssl certificates

2006-08-25 Thread Hassan Schroeder

On 8/25/06, teknokrat <[EMAIL PROTECTED]> wrote:

> So let's see if I understand this correctly. I can only have multiple SSL
> certificates if I create different Services in server.xml pointing to
> different ports?

No, you don't need different Services; you need a Connector and
associated keystore per IP (or IP/port) that you want to secure.

--
Hassan Schroeder  [EMAIL PROTECTED]




Re: multiple virtual hosts and ssl certificates

2006-08-25 Thread Andrew Miehs


Peter is correct - I was just being a bit lazy in my answer...

The ssl connection is set up BEFORE any 'hostname' information is
passed over the link, and therefore the server would not know 'which'
virtual hostname's ssl certificate to use.

Therefore - 1 certificate per IP Address/Port combination.

Cheers

Andrew

On 25/08/2006, at 12:22 PM, Peter Crowther wrote:

> > From: Andrés González [mailto:[EMAIL PROTECTED]
> > I mean, what are you saying? That tomcat can only have 1 ssl
> > certificate per IP address, or that it is a "general" limitation of
> > the architecture of SSL certificates.
>
> It is a general limitation of SSL.  To be strict: you can only have
> one certificate per *endpoint*, that is, IP address/port combination.







Re: multiple virtual hosts and ssl certificates

2006-08-25 Thread teknokrat

Peter Crowther wrote:
> > From: Andrés González [mailto:[EMAIL PROTECTED]
> > I mean, what are you saying? That tomcat can only have 1 ssl
> > certificate per IP address, or that it is a "general" limitation of
> > the architecture of SSL certificates.
>
> It is a general limitation of SSL.  To be strict: you can only have one
> certificate per *endpoint*, that is, IP address/port combination.
>
> The reason is that the negotiation of the encrypted connection is done *before*
> the host header is sent.  Therefore the server has to deduce which certificate
> to send without knowing which Web site the client wishes to access.  Therefore
> the server always sends the one certificate that you have associated with that
> endpoint.
>
> If you don't mind URLs of the form https://myserver.example:8443/somepage then
> you can have multiple certificates per IP address, and indeed per Tomcat.  But
> the sites need to be served on different ports.
>
> - Peter





So let's see if I understand this correctly. I can only have multiple SSL
certificates if I create different Services in server.xml pointing to
different ports? Do I need to have different keystores for each
connector too?

How do hosting providers manage to host multiple hosts each with their
own ssl certificate? Doesn't this make the virtual hosts element a bit
limited if only one of them can be secured?

cheers





RE: multiple virtual hosts and ssl certificates

2006-08-25 Thread Peter Crowther
> From: Andrés González [mailto:[EMAIL PROTECTED] 
> I mean, what are you saying? That tomcat can only have 1 ssl
> certificate per IP address, or that it is a "general" limitation of
> the architecture of SSL certificates.

It is a general limitation of SSL.  To be strict: you can only have one 
certificate per *endpoint*, that is, IP address/port combination.

The reason is that the negotiation of the encrypted connection is done *before* 
the host header is sent.  Therefore the server has to deduce which certificate 
to send without knowing which Web site the client wishes to access.  Therefore 
the server always sends the one certificate that you have associated with that 
endpoint.

If you don't mind URLs of the form https://myserver.example:8443/somepage then 
you can have multiple certificates per IP address, and indeed per Tomcat.  But 
the sites need to be served on different ports.

- Peter

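The ordering Peter describes (handshake first, Host header only afterwards) as a worked example added here, not code from the thread: a constructed TLS ClientHello is parsed to show what a server actually has in hand at the moment it must pick a certificate. The endpoint table and keystore aliases are invented for illustration; a 2006-era client sends no extensions, so the listening IP/port is the only selector, whereas a client that sends the server_name extension (SNI, RFC 6066, which this thread predates) lets one endpoint carry several aliases from the single keystore Paul suggests.

```python
import struct

# Constructed table (not from the thread): one keystore alias per listening (IP, port).
ENDPOINT_ALIAS = {("192.0.2.10", 443): "domain1", ("192.0.2.10", 10443): "domain2"}

def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.0 ClientHello; append an SNI extension only if asked."""
    body = b"\x03\x01" + b"\x00" * 32 + b"\x00"       # client version, random, empty session id
    body += b"\x00\x02\x00\x2f" + b"\x01\x00"           # one cipher suite, one (null) compression
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name entry
        sni = struct.pack("!H", len(entry)) + entry            # ServerNameList
        ext = struct.pack("!HH", 0, len(sni)) + sni            # extension type 0 = server_name
        body += struct.pack("!H", len(ext)) + ext              # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_sni(record):
    """Return the host name from the server_name extension, or None if the client sent none."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    p = 9 + 2 + 32                                      # record/handshake headers, version, random
    p += 1 + record[p]                                  # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]    # cipher suites
    p += 1 + record[p]                                  # compression methods
    if p >= len(record):
        return None                                     # no extensions: nothing names the host
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                  # skip list length (2) and name type (1)
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("ascii")
        p += elen
    return None

def choose_alias(endpoint, record, sni_aliases=None):
    """Pick the keystore alias: by SNI when the client sent a name we know, else by endpoint."""
    name = parse_sni(record)
    if name is not None and sni_aliases and name in sni_aliases:
        return sni_aliases[name]
    return ENDPOINT_ALIAS[endpoint]

if __name__ == "__main__":
    legacy, modern = build_client_hello(), build_client_hello("domain2.com")
    print(choose_alias(("192.0.2.10", 443), legacy))                               # domain1
    print(choose_alias(("192.0.2.10", 443), modern, {"domain2.com": "domain2"}))   # domain2
```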



Re: multiple virtual hosts and ssl certificates

2006-08-25 Thread Jorge Lázaro Molina

You can set 1 ssl certificate for each port over the same ip.

i.e.:
https://domain1.com/ takes default ssl port 443 and one cert.
https://domain2.com:10443/ takes another cert.
etc...
So you must listen for ssl connections on each port that you need.

And take a look at http://wiki.cacert.org/wiki/VhostTaskForce


Andrew Miehs wrote:

> You can only have 1 ssl certificate per IP address
>
> Andrew
>
>
> On 25/08/2006, at 11:09 AM, teknokrat wrote:
>
> > I am trying to set up tomcat with multiple virtual hosts, each with
> > their own SSL certificate. Is this possible? Do I add each
> > certificate to the main keystore as per one host?












Re: multiple virtual hosts and ssl certificates

2006-08-25 Thread Andrés González

Andrew (hi namesake :)): are you sure of that?

I mean, what are you saying? That tomcat can only have 1 ssl
certificate per IP address, or that it is a "general" limitation of
the architecture of SSL certificates.

As far as I know you can have one ssl certificate per domain, and so
more than one ssl certificate per IP address...

In Tomcat I guess you could configure various "Service" elements,
with a different trustStoreFile for each one.

Am I wrong?

On 8/25/06, Andrew Miehs <[EMAIL PROTECTED]> wrote:

> You can only have 1 ssl certificate per IP address
>
> Andrew
>
>
> On 25/08/2006, at 11:09 AM, teknokrat wrote:
>
> > I am trying to set up tomcat with multiple virtual hosts, each with
> > their own SSL certificate. Is this possible? Do I add each
> > certificate to the main keystore as per one host?
> >







--

-=-=-=-=-=-=-=-=-=-=-=-=-
Andrés González.




Re: multiple virtual hosts and ssl certificates

2006-08-25 Thread Andrew Miehs

You can only have 1 ssl certificate per IP address

Andrew


On 25/08/2006, at 11:09 AM, teknokrat wrote:

> I am trying to set up tomcat with multiple virtual hosts, each with
> their own SSL certificate. Is this possible? Do I add each
> certificate to the main keystore as per one host?




