
Using multiple SSL certificates in single tomcat instance

I know that tomcat can handle multiple SSL certificates by setting up multiple Connectors listening on different IPs, but is it possible to set it up on the same IP?

The situation is that we have multiple web applications running in a single tomcat instance. Our server has only 1 static IP. Tomcat is set up to have Virtual Servers, so depending on the domain it serves a different app. However, if we want SSL in more than one of these apps, I predict we might run into trouble.

Does anyone have more experience in this field?

To be able to use multiple certificates on the same IP address and port, you need Server Name Indication support. Unfortunately, this was introduced in Java 7, only on the client side.

(There are still problems wrt SNI support on the client side, most notably because of lack of support from any version of IE on Win XP, Java 6 and below, and some mobile browsers.)

A workaround for this is to use a single certificate that supports multiple host names. The preferred way to do this is to have a certificate with multiple Subject Alternative Name (SAN) entries. Otherwise, if the names have a pattern, a wildcard certificate may be suitable (e.g. *.example.com for www.example.com and secure.example.com).

Apache Httpd has support for SNI, so you may be able to solve your problem by using distinct VirtualHosts for each host name you want to serve and use a reverse proxy to a different Tomcat configuration for each host.
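The answer above recommends one certificate whose names cover every virtual host, either as SAN entries or as a wildcard. The script below is an added example (not code from the original answers) that applies the name-matching rules TLS clients use, RFC 6125 style with the conservative wildcard handling browsers apply, so you can check before deploying whether a given certificate really covers all the hosts Tomcat serves. It reads names from the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; the hostnames and the peer-cert dict are constructed stand-ins.

```python
"""Which hostnames does a certificate cover?  Applies the matching rules TLS
clients use (RFC 6125 style, with the conservative wildcard handling browsers
apply): exact match, or "*" as the whole leftmost label matching exactly one
label.  Added example for the SAN-vs-wildcard discussion; not code from the
original answers.  All hostnames and the peer-cert dict are constructed."""


def name_matches(pattern: str, hostname: str) -> bool:
    """True if a certificate name (SAN entry, possibly a wildcard) matches hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only "*" as the entire leftmost label is accepted (no "w*.example.com"),
    # and it needs at least two more labels so "*.com" cannot match anything.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # The wildcard matches exactly one label: "*.example.com" covers
    # www.example.com but neither example.com nor a.b.example.com.
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def names_from_peercert(peercert: dict) -> list:
    """Extract the DNS names from the dict shape ssl.SSLSocket.getpeercert()
    returns.  Only subjectAltName DNS entries count; the subject commonName
    is used as a fallback solely when the certificate has no SAN at all,
    which is how current clients behave."""
    sans = [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def uncovered_hosts(cert_names, needed_hosts) -> list:
    """Hosts from needed_hosts that no name in cert_names covers, in input order."""
    return [h for h in needed_hosts if not any(name_matches(n, h) for n in cert_names)]


# Constructed stand-in for getpeercert() output of the single certificate
# that one IP address would present for every virtual host.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "*.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


if __name__ == "__main__":
    # Hosts the Tomcat virtual hosts in the question need to serve (constructed).
    needed = ["www.example.com", "secure.example.com", "example.com", "a.b.example.com"]
    names = names_from_peercert(SAMPLE_PEERCERT)
    print("certificate names:", names)
    print("not covered:", uncovered_hosts(names, needed))
```

To run the same check against a live listener, obtain the dict with `ssl.create_default_context().wrap_socket(sock, server_hostname=host).getpeercert()` and pass it to `names_from_peercert`; the sample run shows the two cases a wildcard silently fails to cover, the bare apex name and any name with an extra label, which is the usual reason a SAN certificate listing each host explicitly is preferred.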

I don't believe you will get away with 1 IP address, but you may use multiple ports:

<!-- Additional HTTPS connector on its own port; each such connector can reference a different keystore -->
<Connector
       port="9001" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS"/>

then https://myurl:9001/

for your connections. I would personally front it off with an apache httpd reverse proxy server though, as it gives you way more flexibility and not a little security when properly configured.

I am not sure if "SNI" is really relevant here.

But in your case, the typical solution would be so-called SSL offloading or SSL termination: i.e. put your tomcat behind an apache which is configured to use multiple vhosts / domain names on the same IP. You could configure each vhost in apache to use its own SSL certificate.

There is a step by step guide for this topic here:

http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html
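Both the SNI suggestion in the first answer and the SSL termination setup in the last one come down to the same httpd configuration: name-based virtual hosts on one IP and port 443, each selected by SNI, each presenting its own certificate, each proxying to a separate Tomcat connector. The fragment below is an added example and not taken from the answers or the linked guide (which uses mod_jk; this one uses mod_proxy_http with mod_ssl and mod_headers). Hostnames, certificate paths and backend ports are placeholders.

```apache
# Added example: two SNI-selected HTTPS virtual hosts on a single IP, each
# terminating TLS with its own certificate and forwarding plain HTTP to a
# distinct Tomcat HTTP connector bound to loopback.  Placeholder values.
Listen 443

# Refuse clients that send no SNI instead of silently serving the first
# vhost's certificate (and site) to them.
SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Keep the original Host header so Tomcat's own virtual host routing works.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

<VirtualHost *:443>
    ServerName secure.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/secure.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/secure.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Because the hop from httpd to Tomcat is plain HTTP, bind the Tomcat HTTP connectors to 127.0.0.1 (`address="127.0.0.1"`) so they are not reachable from outside, and set `scheme="https" secure="true" proxyPort="443"` on them so that redirects, `request.isSecure()` and secure-cookie handling reflect the client-facing HTTPS connection rather than the internal plaintext one.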
