On 03/08/2010 06:46 PM, Richard Huntrods wrote:
Does anyone know if it is possible, or has anyone done this:

I have two applications running on a single server. The applications use different domains and URLs, so the single Tomcat instance can easily tell them apart. (Note: this part is currently working just fine).

https://domain1/application1
https://domain2/application2

Again, both domains point to the same static IP, and yes, it is possible for someone to access either application from either domain. Normally, that is not an issue with the clients.

However, I currently have only one SSL certificate on the server - this is for domain1. So if you use domain1 to access application1, it's all fine. The security cert comes up green and all that.

BUT - if you try and access application2 via domain2, you get the red security cert (wrong domain / server name). I would like to purchase a second certificate for the second domain, and am wondering if this can be done, and how one would tell Tomcat (in server.xml) to acknowledge the second certificate.

Currently the stuff in server.xml looks like this:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" enableLookups="false" scheme="https" secure="true"
           keystoreFile="./keys/.keystore" keystorePass="myPassword"
           clientAuth="false" sslProtocol="TLS" />


I have a bad feeling it's not possible, but wanted to ask anyway.

Thanks in advance.

-R


Richard,

It's possible.

It doesn't appear that Tomcat or Java (Sun) support RFC 3546 just yet (for Server Name Indication), even though Apache httpd does. However, Windows XP users of IE will not be able to take advantage of SNI at this time anyway (to further rain on your parade). Vista and greater do make use of SNI though. Gotta wait for XP to die I guess. :-P

End result: Multi-Domain Certificate, separate ports, separate IPs or a load balancer that distributes the load to an internal IP based on FQDN, to which you could then use X amount of different SSL certs. (This last bit may be a wee bit complicated.)

Hope this helps
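
The "separate IPs" option from the reply above, sketched as an added example (not part of the original thread and not the Tomcat project's own configuration): two connectors in server.xml, each bound to its own IP with the `address` attribute and pointing at its own keystore. The IP addresses (documentation range), keystore file names and passwords are placeholders, and it assumes the server has both IPs configured and that DNS for each domain points at the matching one.

```xml
<!-- Added example: one HTTPS connector per IP address, each with its own certificate. -->
<!-- 192.0.2.10 / 192.0.2.11, the keystore file names and the passwords are placeholders. -->

<!-- domain1 resolves to 192.0.2.10; this keystore holds the certificate issued for domain1 -->
<Connector port="443" address="192.0.2.10"
           protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" enableLookups="false" scheme="https" secure="true"
           keystoreFile="./keys/domain1.keystore" keystorePass="placeholder-pass-1"
           clientAuth="false" sslProtocol="TLS" />

<!-- domain2 resolves to 192.0.2.11; this keystore holds the certificate issued for domain2 -->
<Connector port="443" address="192.0.2.11"
           protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" enableLookups="false" scheme="https" secure="true"
           keystoreFile="./keys/domain2.keystore" keystorePass="placeholder-pass-2"
           clientAuth="false" sslProtocol="TLS" />
```

Without SNI the certificate is chosen during the TLS handshake, before the server sees the HTTP Host header, which is why the choice has to be keyed on the IP address (or port) the client connected to.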



