summon

Reputation: 548

Multiple HTTPS Connectors in Tomcat using different certificates

I am currently using a Tomcat 8.5 to host a web application via HTTPS. The connector configuration looks as follows:

<Connector 
    port="8443"
    protocol="HTTP/1.1"  
    connectionTimeout="10000" 
    maxHttpHeaderSize="65536"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    keystoreFile="myKeystore"
    keystorePass="changeit"
/>

What I'm trying to do now is to host the application under another URL with another certificate, ideally from the same keystore.

As far as I understood from the Tomcat documentation, I need to add a second connector. My problem is that I'm not sure how to tell the connector which certificate to use in the keystore.

It seems the way to go is related to using the keyAlias attribute. However, this seems to have been deprecated in favour of SSLHostConfig. Unfortunately, I failed to find the right kind of documentation for my use case for either way of configuring, let alone examples.

How do I configure the connectors properly? If there are multiple ways, what would be considered best practice? Should I even store both certs in the same keystore?

Upvotes: 0

Views: 3073

Answers (1)

summon

Reputation: 548

After finding a page detailing all the Connector and SSLHostConfig attributes in the Tomcat documentation, I managed to create a working setup.

The two connectors now look like this:

<Connector 
    address="192.168.0.100"
    port="8443"
    protocol="HTTP/1.1"  
    maxHttpHeaderSize="65536" connectionTimeout="10000" 
    SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig
            sslProtocol="TLS"
            certificateVerification="false">
        <Certificate 
            certificateKeystoreFile="myKeystore"
            certificateKeystorePassword="changeit"
            certificateKeyAlias="server1cert"
            certificateKeyPassword="server1pw"
        />
    </SSLHostConfig>
</Connector>

<Connector 
    address="192.168.0.101"
    port="8443"
    protocol="HTTP/1.1"
    maxHttpHeaderSize="65536" maxThreads="150" 
    SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig
            sslProtocol="TLS"
            certificateVerification="false">
        <Certificate 
            certificateKeystoreFile="myKeystore"
            certificateKeystorePassword="changeit"
            certificateKeyAlias="server2cert"
            certificateKeyPassword="server2pw"
        />
    </SSLHostConfig>
</Connector>

Something to watch out for is to replace all deprecated SSL attributes in the Connector.
Otherwise Tomcat will internally create a default SSLHostConfig based on the deprecated attributes resulting in an error during startup. See this answer for more information.

Upvotes: 2
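An added check, not part of the original question or answer: a small Python linter that parses a server.xml fragment and flags the pitfalls discussed above, namely deprecated Connector-level SSL attributes left in place next to an explicit SSLHostConfig (which makes Tomcat build a second default host config and fail at startup), two SSL connectors bound to the same address and port, and Certificate elements that share one keystore without naming a certificateKeyAlias (Tomcat then uses the first key it reads, so both connectors may silently serve the same certificate). The attribute names are Tomcat's; the function name, the list of deprecated attributes it checks, and the two XML fragments are my own, constructed for the example.

```python
"""Lint Tomcat server.xml connectors for SSLHostConfig migration pitfalls (example code)."""
import xml.etree.ElementTree as ET
from typing import List

# Connector-level SSL attributes that Tomcat 8.5 still accepts but folds into an
# implicit default SSLHostConfig. Assumed list for this example; it covers the
# attributes used in the question plus the common trust-store ones.
DEPRECATED_CONNECTOR_SSL_ATTRS = {
    "keystoreFile", "keystorePass", "keystoreType", "keyAlias", "keyPass",
    "sslProtocol", "sslEnabledProtocols", "ciphers", "clientAuth",
    "truststoreFile", "truststorePass", "truststoreType",
}


def lint_connectors(server_xml: str) -> List[str]:
    """Return a list of findings for every SSLEnabled Connector; empty means clean."""
    root = ET.fromstring(server_xml)
    findings = []
    listeners = {}       # (address, port) -> index of the first connector bound there
    keystore_users = {}  # keystore file -> [(connector label, alias or None), ...]

    for idx, conn in enumerate(root.iter("Connector")):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        address = conn.get("address", "*")
        label = f"Connector #{idx} ({address}:{conn.get('port')})"

        # 1. Two connectors cannot bind the same address:port.
        key = (address, conn.get("port"))
        if key in listeners:
            findings.append(f"{label}: same address/port as Connector #{listeners[key]}")
        else:
            listeners[key] = idx

        # 2. Deprecated attributes mixed with an explicit SSLHostConfig break startup;
        #    deprecated attributes on their own still work but should be migrated.
        deprecated = sorted(set(conn.attrib) & DEPRECATED_CONNECTOR_SSL_ATTRS)
        host_configs = conn.findall("SSLHostConfig")
        if deprecated and host_configs:
            findings.append(f"{label}: deprecated attributes {deprecated} mixed with <SSLHostConfig>")
        elif deprecated:
            findings.append(f"{label}: still uses deprecated attributes {deprecated}")

        # 3. Record who uses which keystore so shared keystores can be checked below.
        for hc in host_configs:
            for cert in hc.findall("Certificate"):
                ks = cert.get("certificateKeystoreFile")
                keystore_users.setdefault(ks, []).append((label, cert.get("certificateKeyAlias")))

    for ks, users in keystore_users.items():
        if len(users) > 1:
            for label, alias in users:
                if alias is None:
                    findings.append(f"{label}: shares keystore {ks!r} but sets no "
                                    "certificateKeyAlias; Tomcat will use the first key it reads")
    return findings


# Constructed input: the answer's working configuration, wrapped in a <Service>.
GOOD_SERVER_XML = """
<Service name="Catalina">
  <Connector address="192.168.0.100" port="8443" protocol="HTTP/1.1"
             maxHttpHeaderSize="65536" connectionTimeout="10000"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig sslProtocol="TLS" certificateVerification="false">
      <Certificate certificateKeystoreFile="myKeystore" certificateKeystorePassword="changeit"
                   certificateKeyAlias="server1cert" certificateKeyPassword="server1pw"/>
    </SSLHostConfig>
  </Connector>
  <Connector address="192.168.0.101" port="8443" protocol="HTTP/1.1"
             maxHttpHeaderSize="65536" maxThreads="150"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig sslProtocol="TLS" certificateVerification="false">
      <Certificate certificateKeystoreFile="myKeystore" certificateKeystorePassword="changeit"
                   certificateKeyAlias="server2cert" certificateKeyPassword="server2pw"/>
    </SSLHostConfig>
  </Connector>
</Service>
"""

# Constructed input: a half-migrated setup that trips all three checks.
BAD_SERVER_XML = """
<Service name="Catalina">
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="myKeystore" keystorePass="changeit" keyAlias="server1cert">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="myKeystore" certificateKeystorePassword="changeit"/>
    </SSLHostConfig>
  </Connector>
  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
      <Certificate certificateKeystoreFile="myKeystore" certificateKeystorePassword="changeit"/>
    </SSLHostConfig>
  </Connector>
</Service>
"""

if __name__ == "__main__":
    for name, xml in (("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML)):
        print(name, lint_connectors(xml) or "no findings")
```

Run it against a real server.xml by reading the file into a string and passing it to lint_connectors; on the answer's configuration it returns no findings, while the half-migrated fragment produces one finding for the deprecated attributes, one for the port collision, and one per Certificate that shares the keystore without an alias.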
