Hi

> Wait a second...Tomcat will determine which cert to send down 
> based upon the IP address that the browser went to?  I guess 
> that makes sense...so does the web server never get to see 
> what domain the browser was looking up to come to the site, 
> or is that info available?

That info is available, but already encrypted.

> I'm just trying to figure out if there's a way to run the 
> website for a limited time with 2 domains and 2 certs--I 
> mean, the 2 domains, each with their own cert, but with one 
> single public IP address.

One single public IP will NOT work. Forget it.

> We have a bigIP load balancer in 
> front of our Tomcat servers...so do our Tomcat servers still 
> see the public IP address that was used to reach them?

I think not, but I dunno.

> I ask 
> because those boxes only have private IPs, and the load 
> balancer has the only public IP.  
> 
> If there's no way to do it, then I guess we just arbitrarily 
> switch at some point and don't worry about the people using 
> the old domain seeing invalid certificate messages...

You'll need to.

What happens with https is:

a) The client gets the ip for the domain by dns lookup.
b) The client connects to that ip and immediately gets the server's cert.
c) The client encrypts the page request (including headers and a one time
key) and sends this encrypted.
d) The server decrypts that request. (it knows the private key of the cert
sent in b.)
e) The server sends the response encrypted with the one time key of c.
f) The client decrypts the response. (it knows the one time key sent in c.)

Basically the server sees the ip the client connects to and must supply a
cert.
Only after step d, when the server has decrypted the request, does it know
about the domain name.
You see, no chance to go with two certs.

HOWEVER, for x509 email-certs extensions were developed which allow more
than one address per cert.
Maybe there are extensions for Server-certs that allow more than one domain
name.
If you get two domain names in one cert, you should be ready to go.

Additionally newer versions of SSL/TLS support other kinds of authentication
algorithms that are designed to allow more than one cert per ip. Especially
they transmit domain names before they transmit the cert.

Regards,
  Steffen
