Using multiple SSL certificates in Tomcat 7

ssl ssl-certificate tomcat7 tomcat

26,599

Solution 1

Without Server Name Indication (SNI), which is not supported in Java (6), you need one certificate per IP address.

You can configure Tomcat to use multiple connectors, with different IP addresses and certificates, using the address attribute.

For example:

<Connector 
       port="8443" maxThreads="200" address="10.0.0.1"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore1.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>
<Connector 
       port="8443" maxThreads="200" address="10.0.0.2"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore2.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>

You may also be able to use the same keystore, if you need, and use the keyAlias attribute (in Connector) to tell the connector which key/certificate to use (based on the alias name in the keystore).

Solution 2

I am not sure, here if "SNI" is really relevant.

But in your case, the typical solution would be so called ssloffloading or ssl Termination: i.e. put your tomcat behinde an apache, which configured to use multiple vhosts / domain names on the same ip. You could configure for each vhost in apache to use its own SSL certificate.

There is a step by step guide for this topic here:

http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html

Solution 3

I am using tomcat 8.5 and now it is possible to configure tomcat with multiple SSL/ multi domain. Here is my config.

    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
           defaultSSLHostConfigName="localhost" >

    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig hostName="localhost">
        <Certificate certificateKeyFile="/$path/privkey.pem"
                     certificateFile="/$path/certificate.pem"
                     certificateChainFile="/$path/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
       <SSLHostConfig hostName="domainname.com">
        <Certificate certificateKeyFile="/$path/privkey.pem"
                     certificateFile="/$path/certificate.pem"
                     certificateChainFile="/$path/chain.pem"
                     type="RSA" />
    </SSLHostConfig>

</Connector>

Solution 4

I have just got this to work on a server with multiple SSL's and IP's.

Added IP's this way:
http://www.loadtestingtool.com/help/how-setup-ip.shtml

Added code to make the server use maximum possible security with the "ciphers" (when having a 2048bit key).

Tested first that this will work with self-signed keys this way:
http://community.jboss.org/wiki/GeneratingSelfSignedCertificateWithKeytool
Note that the test in this page has erroneous characters in the beginning of the "-keystore" text (on multiple places).

Here is the code:

<Connector protocol="org.apache.coyote.http11.Http11Protocol" address="###.###.###.##1" port="443" minSpareThreads="5"
    enableLookups="true" acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true" keystoreFile="key1.key"
    keystorePass="password1" clientAuth="false" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

<Connector protocol="org.apache.coyote.http11.Http11Protocol" address="###.###.###.##2" port="443" minSpareThreads="5"
    enableLookups="true" acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true" keystoreFile="key2.key"
    keystorePass="password2" clientAuth="false" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

Solution 5

You could just make life easier and get an EV SAN (also know as UCC) and add each domain as an entry in the subject alternative name field. And if want to use several ip addresses, just export the certificate and reimport it onto each ip address (http://www.ssltools.com/manager is great for that if you are running windows). A good example of an EV SAN certificate is the certificate found at https://www.ssl.com, just examine it.

View more solutions

26,599

Author by

at.

Updated on July 09, 2022

Comments

at. almost 2 years

I've been using a wildcard SSL certificate in Apache Tomcat 7. But now that I have to renew, I see there are these EV (extended verification) SSL certificates where browsers show a nice green bar so users feel better. That would be important for my site, so I want it! But I have multiple subdomains and apparently EV SSL certificates are NOT wildcard by nature. So ok, I have a set number of subdomains, I can just buy a bunch (I definitely need at least 2) EV SSL certificates for each subdomain.

Can I set this up in Tomcat 7 so that there are multiple SSL certificates on 1 web application? It's not a problem for me to assign multiple IP addresses to this machine.
at. almost 13 years

Perfect, exactly what I was looking for. Haven't tried it yet, will let you know how well it works.
Admin about 10 years

Dude, is it possible to set domain name instead of ip?
Chor Wai Chun over 7 years

hi @Zuul, just wondering, is it possible to use domain name instead of IP address in address attribute? because I'm hosting many sites but they all fall under same IP address.
Chor Wai Chun over 7 years

hi @Bruno, just wondering, is it possible to use domain name instead of IP address in address attribute? because I'm hosting many sites but they all fall under same IP address.
Ahatius over 5 years

@ChorWaiChun I think your only other bet would be using different ports