Multiple ssl certificates on Tomcat using SNI

In this tutorial, we will look at installing multiple SSL certificates on Tomcat using SNI. Tomcat 8.5.x allows you to install a separate SSL certificate for each virtual host in your tomcat installation. This works with a single IP because of the SNI feature in Tomcat 8.5.x and Java 8. (Java has implemented SNI since version 1.7, however these steps have been performed with Java 8).

Steps for installing Multiple SSL certificates on Tomcat using SNI.

In the following steps, we describe how to make Tomcat work with multiple hosts, each having its own SSL certificate. Note that the server has a single IP and multiple SSL certificates can work on a single IP because of SNI or Server Name Indicator. SNI support has been added in Java 1.7 and Tomcat 9 but back ported to Tomcat 8.5. This tutorial has been written for Tomcat that uses the Tomcat native library for production use. However, the steps should work for a non-native implementation too with minor changes. To see how to install Tomcat Native please follow this tutorial.

Step 1: Creating the private key and Certificate Signing Request (CSR) for Tomcat

The first step is to create the private key and CSR that you need to send to the SSL certificate provider. This tutorial uses a certificate from Comodo (PositiveSSL). We will use OpenSSL to create the certificate.

openssl req -newkey rsa:2048 -nodes -keyout www_studytrails_com.key -out www_studytrails_com.csr

This will create the private key and CSR. Use the CSR to obtain the certificate from Comodo. We will store the certificate and all other files part of the certificate zip in a folder called www_studytrails_com.

Create the SSL certificate bundle

In addition to the certificate for the site Comodo sends various other files that establish the certificate chain. We will combine them into a single file called www_studytrails_com.bundle

cat COMODORSADomainValidationSecureServerCA.crt COMODORSAAddTrustCA.crt AddTrustExternalCARoot.crt >www_studytrails_com.bundle

Modifying the server.xml to add multiple certificates

We repeat the process above for each domain that we want htts support for. Once that is done add the following into the server.xml file.

 
     <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
               defaultSSLHostConfigName="studytrails.com" >

        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig hostName="studytrails.com">
            <Certificate certificateKeyFile="/root/www_studytrails_com/www_studytrails_com.key"
                         certificateFile="/root/www_studytrails_com/www_studytrails_com.crt"
                         certificateChainFile="/root/www_studytrails_com/www_studytrails_com.bundle"
                         type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="api.studytrails.com">
           <Certificate certificateKeyFile="/root/api_studytrails_com/api_studytrails_com.key"
                         certificateFile="/root/api_studytrails_com/api_studytrails_com.crt"
                         certificateChainFile="/root/api_studytrails_com/api_studytrails_com.bundle"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

The above example adds SSL certificates for www.studytrails.com and api.studytrails.com. Each host has one hostconfig. The defaultSSLHostConfigName is a required parameter. You can add more hostconfigs to it.

Leave a Comment