Hi,

Sorry for answering my own questions!

The steps to create multiple test SSL certificates, one per domain/IP, were as follows:

1. Use keytool -genkey once for each domain, providing a separate keystore file for each key.
2. Configure separate Connector entries in server.xml, one for each unique IP address (virtual hosts are not enough). For each of the connectors, set a separate keystoreFile attribute, correlating to the ones generated in step 1 with keytool.
3. Configure separate Host entries in server.xml, one for each address.

Then, when you connect with a browser, each server returns the correct certificate.

Because SSL works on an SSL handshake first (before it reads the Host: header in HTTP), it is necessary to use separate Connector entries, and this in turn allows you to specify separate keystore files. The Tomcat docs specify that each server requires a separate IP address because of the handshake, but are not clear about specifying separate keystore files for the same reason. Until now I thought that it would resolve the access IP back to the name and try to use the named certificate, but this would not always work I suppose, so separate keystore files are necessary.

Hope that helps anyone else that has been trying to figure this out.

Regards,
Neale Rudd
metawerx
http://www.metawerx.net

----- Original Message -----
From: "Neale Rudd" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Saturday, 20 April 2002 22:51
Subject: Using multiple SSL certificates

> Hi,
>
> I have been able to generate two test SSL certificates,
> one for each virtual host in my setup. Each virtual host
> has a separate IP address (192.168.0.18 and 192.168.0.3)
> and a different name (server1, server2). However, each
> time I access tomcat, no matter which address I use, I always
> get sent the same certificate.
>
> The certificate that is sent, is always the last one I generated
> with keytool. However, using keytool -list, I can see both
> certificates in the keystore.
>
> Is there a way to get tomcat to serve up the right certificate
> for each domain name?
>
> At first I assumed the certificates were being overwritten each
> time I ran keytool -gencert, but if I delete the most recent,
> the 2nd most recent becomes active, and if I use -list, they both show
> up.
>
> Very confused! If anyone knows how this is done, please let
> me know.
>
> Thanks for your help,
> Neale
>
>
> --
> To unsubscribe: <mailto:[EMAIL PROTECTED]>
> For additional commands: <mailto:[EMAIL PROTECTED]>
> Troubles with the list: <mailto:[EMAIL PROTECTED]>
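The three steps above, scripted end to end, as an added example that is not part of the original post or of the Tomcat project's own documentation. It assumes a Tomcat 4.1/5.x style HTTPS Connector where `address`, `keystoreFile` and `keystorePass` are attributes of the Connector element (as the post describes); the keystore directory, the `appBase` names, the certificate subject fields and the `changeit` password are placeholders chosen for this example, and the hostnames and IP addresses are the ones from the original question.

```shell
#!/bin/sh
# Added example: one keystore per host, one HTTPS Connector per IP address,
# each Connector pointing at its own keystore. Paths, appBase names and the
# password are placeholders (assumptions made for this example).
set -eu

KEYSTORE_DIR="${KEYSTORE_DIR:-./tomcat-keystores}"   # assumed location
STOREPASS="${STOREPASS:-changeit}"                    # placeholder, not a real secret

# Step 1: one self-signed test certificate in its own keystore file,
# i.e. keytool -genkey once per host. Skipped if keytool is not installed
# or the keystore already exists, so the script can be re-run safely.
gen_keystore() {
    host="$1"
    keystore="$KEYSTORE_DIR/$host.keystore"
    if ! command -v keytool >/dev/null 2>&1; then
        echo "keytool not found; skipping keystore for $host" >&2
        return 0
    fi
    [ -f "$keystore" ] && return 0
    mkdir -p "$KEYSTORE_DIR"
    keytool -genkey -alias "$host" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$host, O=Example" \
        -keystore "$keystore" -storepass "$STOREPASS" -keypass "$STOREPASS"
    chmod 600 "$keystore"   # the keystore holds a private key: owner-only
}

# Step 2: one <Connector> bound to a single IP address. The TLS handshake
# happens before any Host: header is read, so the address the client hit,
# not the virtual host name, decides which keystore (certificate) is used.
connector_xml() {
    host="$1"; ip="$2"; port="${3:-8443}"
    printf '<Connector port="%s" address="%s" scheme="https" secure="true"\n' "$port" "$ip"
    printf '           sslProtocol="TLS" clientAuth="false"\n'
    printf '           keystoreFile="%s/%s.keystore" keystorePass="%s" />\n' \
        "$KEYSTORE_DIR" "$host" "$STOREPASS"
}

# Step 3: one <Host> entry per virtual host name.
host_xml() {
    host="$1"
    printf '<Host name="%s" appBase="webapps-%s" />\n' "$host" "$host"
}

# The browser check from the post, scripted: print the subject of the
# certificate a given address really presents. Not run by default; needs
# openssl and a running Tomcat.
served_subject() {
    ip="$1"; port="${2:-8443}"
    printf '' | openssl s_client -connect "$ip:$port" 2>/dev/null \
        | openssl x509 -noout -subject
}

# Hosts and addresses from the original question.
for entry in "server1 192.168.0.18" "server2 192.168.0.3"; do
    set -- $entry
    gen_keystore "$1"
    connector_xml "$1" "$2"
    host_xml "$1"
done
```

The emitted Connector and Host elements are pasted into the Service section of server.xml; afterwards `served_subject 192.168.0.18` and `served_subject 192.168.0.3` should show different CNs. Because `keystorePass` sits in server.xml in clear text, that file and the keystores should be readable only by the account Tomcat runs as. Current Tomcat releases (8.5 and later) can instead select the certificate by SNI through `<SSLHostConfig hostName="...">`, so one IP per certificate is no longer required there, but the per-address layout above is what the 2002-era Connector needs.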
