Okay, I see that the address attribute of the connector element can be used to retrict IP/port combinations.
As I've only got 1 IP this doesn't really affect me. Either I've misunderstood something fundamental, or the configuration capabilities are not optimal. Any one? Thanks Martin -----Original Message----- From: Martin Alley [mailto:[EMAIL PROTECTED] Sent: 31 March 2004 12:10 To: Tomcat Users List Subject: Multiple certificates for multiple virtual hosts (1:1) Hi, I want to have different certificates for different virtual hosts on my tomcat setup (embedded in JBoss). I only have 1 IP address. I want to use the default ports (80 & 443) for each virtual server. A certificate doesn't say anything about the IP address - only the common name (ie the FQDN). It is perfectly possible to change the IP address of the machine on which the cert is installed, and not have to update the certificate. Just let DNS update round the world. The key thing is to keep the private key that is paired with the public key embedded in the cert (that's been signed by the CA) secured on the same machine. Tomcat: The Definitive Guide, has this to say about multiple server certificates: "Suppose you are an ISP with clients, several of whom want to have their own certificate. Typically this would involve using Virtual Hosts (as covered in Chapter 7). Simply add an SSL Factory element to the appropriate client's Connector, giving the keystore file for that specific client." I don't see how virtual hosts are associated directly with certificates. >From my reading, certificates are associated with keystore, which are associated with connectors, which are globally shared by one engine. In other words it seems you can have different certs for different *ports*, and you can use any of the virtual host names with any of the ports declared, but you can't have the appropriate cert selected based on the host name. This is a shame, because *that* is what has been certified! So, suppose I have 2 pairs of HTTP connectors each with an SSL factory: Http 80 with SSL 443 (cert common name www.company1.com) Http 8080 with SSL 8443 (cert common name www.company2.com) And I have virtual hosts www.company1.com and www.company2.com It seems to me the certificate I will get presented would depend on the port number entered, and not the virtual host name. Thus there exists potential for a name mismatch between the requested url, and the common name in the certificate - which is a "bad thing". https://www.company1.com works and gets the right cert https://www.company1.com:8443 works, but gets a warning because of the mismatched cert Tomcat 5 SSL howto states: "In order to implement SSL, a web server must have an associated Certificate for each external interface (IP address) that accepts secure connections." Ignoring my assertions about the irrelevance of IP address above, I don't understand how a specific IP address is associated with a specific certificate in server.xml Can someone put me right on this? Or provide a example server.xml of what I want to achieve? Thanks Martin --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]