HowTo setup Tomcat serving two SSL Certificates using SNI?


Solution 1

You need to re-read the answers to those questions. SNI is not supported on the server side until Java 8. The minimum Java version that Tomcat 8 has to support is Java 7 so at the moment there is no SNI support in Tomcat.

It may be possible to optionally support SNI if Tomcat is running on Java 8 or later but that would need code changes in Tomcat for which there are currently no plans.

Update as of December 2014:

Adding SNI support is on the TODO list for Tomcat 9. That TODO list is quite long and SNI is not currently at the top of the list. As always patches are welcome.

Once SNI is implemented in Tomcat 9 it is possible that SNI support might be back-ported to Tomcat 7 and Tomcat 8. Again, patches welcome.

Update as of June 2015:

SNI has been implemented for Tomcat 9. It is supported by all three HTTP connector implementations (NIO, NIO2 and APR/native). To use SNI with NIO or NIO2 you will need to compile Tomcat 9 (a.k.a. trunk) from source. To use SNI with APR/native you will also need to compile tc-native trunk (not the 1.1.x branch currently used by the Tomcat releases).

TLS configuration has changed significantly to support SNI. Details will be in the docs web application once you have built Tomcat 9.

Update as of November 2016:

SNI support is included in Tomcat 8.5.x. It is unlikely it will be back-ported further, i.e. it is unlikely to make it to 8.0.x or 7.0.x.

Solution 2

You could set up multiple SSL certificates using the configuration below:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain1">
    <SSLHostConfig hostName="domain1">
        <Certificate certificateKeystoreFile="conf/domain1-keystore.jks"
                     certificateKeystorePassword="dom1keystorepwd"
                     certificateKeyPassword="dom1keypwd"
                     type="RSA" />
    </SSLHostConfig>
    <SSLHostConfig hostName="domain2">
        <Certificate certificateKeystoreFile="conf/domain2-keystore.jks"
                     certificateKeystorePassword="dom2keystorepwd"
                     certificateKeyPassword="dom2keypwd"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

Tweak the protocol according to your needs. You could also configure it using OpenSSL instead of JSSE. Please refer to https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig for further assistance.

Also, defaultSSLHostConfigName is very important otherwise it wouldn't work. Select any one domain as default.
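As an added check (this is not code from the answer or from Tomcat), a small Python script that validates an SNI Connector before restarting Tomcat: the defaultSSLHostConfigName (or Tomcat's implicit `_default_` when it is omitted) must name one of the SSLHostConfig elements, hostName values must be unique, and every SSLHostConfig needs a certificate source. The embedded server.xml fragment is constructed from the configuration above and assumes the SSLHostConfig style shown there, not the older Connector-level keystore attributes.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment mirroring the Connector in the answer above
# (assumed names and paths; not a real deployment).
SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain1">
  <SSLHostConfig hostName="domain1">
    <Certificate certificateKeystoreFile="conf/domain1-keystore.jks"
                 certificateKeystorePassword="dom1keystorepwd" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="domain2">
    <Certificate certificateKeystoreFile="conf/domain2-keystore.jks"
                 certificateKeystorePassword="dom2keystorepwd" type="RSA"/>
  </SSLHostConfig>
</Connector></Service></Server>"""

# Tomcat 8.5+ uses this name when defaultSSLHostConfigName or hostName is omitted.
DEFAULT_HOST = "_default_"


def check_sni_connectors(server_xml: str) -> list[str]:
    """Return the problems that would stop an SSLEnabled Connector from
    serving SNI correctly: a default host name that matches no SSLHostConfig
    (the mistake noted in the answer and comments), duplicate hostName
    values, and SSLHostConfig entries without a certificate source."""
    problems = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        host_cfgs = conn.findall("SSLHostConfig")
        names = [h.get("hostName", DEFAULT_HOST) for h in host_cfgs]
        default = conn.get("defaultSSLHostConfigName", DEFAULT_HOST)
        if default not in names:
            problems.append(f"port {port}: defaultSSLHostConfigName '{default}' "
                            f"matches no SSLHostConfig hostName {names}")
        if len(set(names)) != len(names):
            problems.append(f"port {port}: duplicate SSLHostConfig hostName values")
        for name, cfg in zip(names, host_cfgs):
            certs = cfg.findall("Certificate")
            if not certs:
                problems.append(f"port {port}/{name}: SSLHostConfig has no Certificate")
            for cert in certs:
                # JSSE keystore or OpenSSL-style PEM file; either is acceptable.
                if not (cert.get("certificateKeystoreFile") or cert.get("certificateFile")):
                    problems.append(f"port {port}/{name}: Certificate names no keystore or PEM file")
    return problems
```

Run it against your own conf/server.xml (read the file into `check_sni_connectors`) and fix every reported line before restarting; an empty list means the Connector matches what Tomcat expects for SNI.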

Solution 3

You could install nginx / haproxy (both support SNI) in front of Tomcat and they will act as a proxy.


Updated on July 22, 2022

Comments

  • nexus
    nexus almost 2 years

    According to these two answers [1] [2] it's possible to have two SSL certificates serving from the same Apache Tomcat using Server Name Indication (SNI).

    My question is then, how to set this up? I could set up two virtual hosts but I still have then just one connector which presents the specified SSL certificate to the client. In the connector one can specify the keystore and alias to use for the certificate but there is no parameter saying which virtual host this connector is for or which certificate it should present to the client according to the used domain.

    How can I tell Tomcat which SSL certificate (or to be more correct which keystore) it has to use while using SNI?

    [1] https://stackoverflow.com/a/10173447
    [2] https://stackoverflow.com/a/6343059

  • stepanian
    stepanian over 9 years
    Has there been any progress on this, or is your answer still the case as of today?
  • stepanian
    stepanian over 9 years
    Thanks for the update. If Google keeps pushing SSL for everything, this will become more critical for those of us who are too poor to create a new AWS server instance for each site requiring SSL :)
  • idarwin
    idarwin about 9 years
    There is in fact a reasonably good tutorial on doing so for haproxy at arstechnica.com/information-technology/2015/05/…
  • paulmorriss
    paulmorriss almost 9 years
    It now says " 5. DONE SNI support for JSSE." Is that enough?
  • Dave
    Dave over 7 years
    Any examples on how to set up different certificates for different domains on one connector? For example, foo.com, bar.com. Thanks
  • MitchBroadhead
    MitchBroadhead over 6 years
    Thanks for the hint. Doesn't work without defaultSSLHostConfigName.