Using Multiple SSL Certificates in Tomcat 7

I use a wildcard SSL certificate in Apache Tomcat 7. But now, when I need to upgrade, I see that there are these EV (Extended Validation) SSL certificates, for which browsers show a nice green bar to make users feel better. That would be important for my site, so I want it! But I have several subdomains, and EV SSL certificates apparently cannot be wildcards. Fine, I have a fixed number of subdomains, so I can just buy a bunch of EV SSL certificates (I definitely need at least 2), one for each subdomain.

Can I set this up in Tomcat 7 so that there are multiple SSL certificates for one web application? It is not a problem for me to assign multiple IP addresses to this machine.

+6
4 answers

Without Server Name Indication (SNI), which is not supported in Java 6, you need one certificate per IP address.

You can configure Tomcat to use multiple connectors with different IP addresses and certificates using the address attribute.

For instance:

<Connector port="8443" maxThreads="200" address="10.0.0.1"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="keystore1.jks" keystorePass="..."
           clientAuth="false" sslProtocol="TLS"/>

<Connector port="8443" maxThreads="200" address="10.0.0.2"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="keystore2.jks" keystorePass="..."
           clientAuth="false" sslProtocol="TLS"/>

You can also use the same keystore if you need to, and use the keyAlias attribute (on the Connector) to tell the connector which key / certificate to use (based on the alias name in the keystore).

+11

I'm not sure here if "SNI" really matters.

But in your case, the typical solution would be so-called SSL offloading or SSL termination: i.e. put your Tomcat behind Apache, which is configured to use multiple vhosts / domain names on the same IP. You can configure each vhost in Apache to use its own SSL certificate.

Below is a step-by-step guide for this topic:

http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html

+3

I just got this working on a server with multiple SSL and IP addresses.

I added the IPs this way:
http://www.loadtestingtool.com/help/how-setup-ip.shtml

I added the "ciphers" attribute to make the server as secure as possible (with a 2048-bit key).

I first tested that it would work with self-signed keys, following this:
http://community.jboss.org/wiki/GeneratingSelfSignedCertificateWithKeytool
Please note that the text on this page has erroneous characters at the beginning of "-keystore" (in several places).

Here is the code:

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           address="###.###.###.##1" port="443"
           minSpareThreads="5" enableLookups="true" acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="key1.key" keystorePass="password1"
           clientAuth="false" sslProtocol="TLS"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           address="###.###.###.##2" port="443"
           minSpareThreads="5" enableLookups="true" acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="key2.key" keystorePass="password2"
           clientAuth="false" sslProtocol="TLS"
           ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>
+1
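The one-connector-per-IP layout from the first answer and the cipher list from the answer just above are easy to get subtly wrong in a large server.xml: two connectors claiming the same address and port (the second bind fails at startup), a keystore with several certificates but no keyAlias (Tomcat then serves whichever key it finds first), or a cipher list that still contains RC4, MD5 or 3DES suites. The following audit script is an added example, not code from any of the answers or from the Tomcat project. It parses a constructed server.xml fragment embedded inline (RFC 5737 documentation addresses, placeholder keystore names and passwords) that contains one connector in the style of the answer above, one hardened connector using the same keystore with a different alias, and one deliberate address:port collision. The ECDHE/GCM suite names on the hardened connector are standard JSSE names but assume a JVM that supports them (Java 8 or later); Tomcat 7 on Java 6 would not.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the page). 192.0.2.0/24 is a
# documentation range; keystore paths and passwords are placeholders.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
    <!-- shop site: legacy cipher list in the style of the answer above -->
    <Connector port="443" address="192.0.2.1" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="conf/sites.jks"
               keystorePass="CHANGEME" keyAlias="shop" sslProtocol="TLS"
               ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA,
                        TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"/>
    <!-- api site: same keystore, different alias, forward-secret AEAD suites
         (assumes a JVM that supports ECDHE/GCM, i.e. Java 8+) -->
    <Connector port="443" address="192.0.2.2" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="conf/sites.jks"
               keystorePass="CHANGEME" keyAlias="api" sslProtocol="TLS"
               ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
    <!-- misconfiguration: same address:port as the shop connector -->
    <Connector port="443" address="192.0.2.1" scheme="https" secure="true"
               SSLEnabled="true" keystoreFile="conf/other.jks"
               keystorePass="CHANGEME" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Substrings of JSSE suite names that identify a known-weak primitive.
WEAK_MARKERS = ("RC4", "MD5", "3DES", "_DES_", "NULL", "EXPORT", "anon")
WILDCARD = "0.0.0.0"  # what Tomcat binds when no address attribute is given


def ssl_connectors(xml_text):
    """Return one dict per SSL-enabled <Connector>, with the attributes we audit."""
    root = ET.fromstring(xml_text)
    found = []
    for node in root.iter("Connector"):
        if node.get("SSLEnabled", "false").lower() != "true":
            continue
        raw = node.get("ciphers", "")
        found.append({
            "address": node.get("address", WILDCARD),
            "port": int(node.get("port")),
            "keystoreFile": node.get("keystoreFile"),
            "keyAlias": node.get("keyAlias"),  # None: first key in the keystore wins
            "ciphers": [c.strip() for c in raw.split(",") if c.strip()],
        })
    return found


def weak_ciphers(ciphers):
    """Suites whose name carries a weak-primitive marker (RC4, MD5, 3DES, ...)."""
    return [c for c in ciphers if any(m in c for m in WEAK_MARKERS)]


def binding_collisions(connectors):
    """(port, addrA, addrB) for connector pairs that cannot both bind.

    Two connectors collide when they share a port and either the same address
    or one of them is the all-interfaces wildcard.
    """
    hits = set()
    for i, a in enumerate(connectors):
        for b in connectors[i + 1:]:
            if a["port"] != b["port"]:
                continue
            if a["address"] == b["address"] or WILDCARD in (a["address"], b["address"]):
                hits.add((a["port"], *sorted((a["address"], b["address"]))))
    return sorted(hits)


def audit(xml_text):
    """Summarise which certificate each IP serves and what looks unsafe."""
    conns = ssl_connectors(xml_text)
    return {
        "bindings": [(c["address"], c["port"], c["keystoreFile"], c["keyAlias"]) for c in conns],
        "weak": [(f'{c["address"]}:{c["port"]}', weak_ciphers(c["ciphers"]))
                 for c in conns if weak_ciphers(c["ciphers"])],
        "collisions": binding_collisions(conns),
        "no_explicit_ciphers": [f'{c["address"]}:{c["port"]}' for c in conns if not c["ciphers"]],
        "no_key_alias": [f'{c["address"]}:{c["port"]}' for c in conns if c["keyAlias"] is None],
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SERVER_XML).items():
        print(f"{key}: {value}")
```

Run against a real conf/server.xml by reading the file into audit(); a connector with no ciphers attribute inherits the JVM's default suite list, which is why the script reports it separately rather than calling it safe. The cipher check is a name-based heuristic for the page's own suite list, not a replacement for scanning the live listener.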

You could just make life easier and get an EV SAN certificate (also known as UCC) and add each domain as an entry in the Subject Alternative Name field. And if you want to use multiple IP addresses, just export the certificate and re-import it for each IP address (http://www.ssltools.com/manager is great for this if you work with Windows). A good example of an EV SAN certificate is the one at https://www.ssl.com , just study it.

+1

Source: https://habr.com/ru/post/890367/
