Hi,

Here's an idea for you:
You can use a wildcard when generating your certificate, like *.domain.com,
assuming your servers are using the same domain.com.

Regards,
Leon Kolchinsky

On Tue, Mar 9, 2010 at 11:49, Crypto Sal <crypto....@gmail.com> wrote:

> On 03/08/2010 06:46 PM, Richard Huntrods wrote:
>
>> Does anyone know if it is possible, or has anyone done this:
>>
>> I have two applications running on a single server. The applications use
>> different domains and URLs, so the single Tomcat instance can easily tell
>> them apart. (Note: this part is currently working just fine).
>>
>> https://domain1/application1
>> https://domain2/application2
>>
>> Again, both domains point to the same static IP, and yes, it is possible
>> for someone to access either application from either domain. Normally, that
>> is not an issue with the clients.
>>
>> However, I currently have only one SSL certificate on the server - this is
>> for domain1. So if you use domain1 to access application1, it's all fine.
>> The security cert comes up green and all that.
>>
>> BUT - if you try and access application2 via domain2, you get the red
>> security cert (wrong domain / server name). I would like to purchase a
>> second certificate for the second domain, and am wondering if this can be
>> done, and how one would tell Tomcat (in server.xml) to acknowledge the
>> second certificate.
>>
>> Currently the stuff in server.xml looks like this:
>>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" enableLookups="false" scheme="https" secure="true"
>>            keystoreFile="./keys/.keystore" keystorePass="myPassword"
>>            clientAuth="false" sslProtocol="TLS" />
>>
>>
>> I have a bad feeling it's not possible, but wanted to ask anyway.
>>
>> Thanks in advance.
>>
>> -R
>>
>>
> Richard,
>
> It's possible.
>
> It doesn't appear that Tomcat or Java (Sun) support RFC 3546 just yet (for
> Server Name Indication) even though Apache httpd does. However, Windows XP
> users of IE will not be able to take advantage of SNI at this time anyway
> (to further rain on your parade). Vista and greater do make use of SNI
> though. Gotta wait for XP to die I guess. :-P
>
> End result: Multi-Domain Certificate, separate ports, separate IPs or a
> load balancer that distributes the load to an internal IP based on FQDN, to
> which you could then use X amount of different SSL certs. (This last bit may
> be a wee bit complicated)
>
> Hope this helps
>
>
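
Added example, not part of the original thread: a Python sketch of the name matching a browser applies to a certificate (a wildcard stands for exactly one left-most label), showing when the wildcard suggestion above covers both hosts and when a multi-domain certificate is needed instead. The host names and function names are constructed placeholders.

```python
def name_matches(pattern: str, host: str) -> bool:
    """Match one certificate name against a host name.

    Rules modelled here (RFC 6125 style, strict form):
      - comparison is case-insensitive, label by label
      - '*' is honoured only as the entire left-most label
      - the wildcard covers exactly one label, never zero or several
      - '*.com'-style names (fewer than two labels after '*') are refused
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(cert_names, host):
    """True if any name listed in the certificate matches the host."""
    return any(name_matches(n, host) for n in cert_names)


def uncovered(cert_names, hosts):
    """Hosts that would trigger a name-mismatch warning with this certificate."""
    return [h for h in hosts if not cert_covers(cert_names, h)]


# Constructed sample data: two applications served from one IP address.
SAME_PARENT = ["app1.example.com", "app2.example.com"]
DIFFERENT_DOMAINS = ["app1.example.com", "shop.example.net"]

WILDCARD_CERT = ["*.example.com"]                           # wildcard certificate
MULTI_DOMAIN_CERT = ["app1.example.com", "shop.example.net"]  # multi-domain (SAN)

if __name__ == "__main__":
    print("wildcard, same parent domain:", uncovered(WILDCARD_CERT, SAME_PARENT))
    print("wildcard, different domains: ", uncovered(WILDCARD_CERT, DIFFERENT_DOMAINS))
    print("multi-domain certificate:    ", uncovered(MULTI_DOMAIN_CERT, DIFFERENT_DOMAINS))
```

A single certificate of either kind fits the one-keystore Connector shown in the question, since the server presents the same certificate regardless of which host name was requested.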
