[OT] Two SSL certs. for same web app

[Jeffrey Janner <Je...@PolyDyne.com>]

I do hope you are billing them an arm & a leg for that "better" certificate.
Our setup is near identical to yours, and it is what we would do.

> -----Original Message-----
> From: Greg Johnson [mailto:gregjo@yahoo.com]
> Sent: Monday, August 29, 2011 10:10 PM
> To: users@tomcat.apache.org
> Subject: Two SSL certs. for same web app
> 
> We have a wildcard SSL cert. installed on our tomcat (6.0.18) instance.
> We are not fronted by Apache, as we just use Tomcat to serve the
> content directly. We provide subdomains for our clients to connect to
> us. For example:
> https://client1.mycompany.com
> represents "client 1's" portal into our web app.
> https://client2.mycompany.com
> represents "client 2's" portal into our web app.
> 
> A particular client is not happy with the strength of our SSL
> certificate, and wants us to install a "better one" for them to use
> when accessing our web app. (We don't need to discuss "better"
> here....I've already pulled my hair out on this one. And, no, it's not
> possible for us to simply get a "better" wildcard cert.) We have a
> single web app, and all clients access the same ROOT app. The
> subdomains are used primarily to allow us to skin our site differently
> for each client.
> 
> What is the method I should use to have "most" of our clients access
> our web app. using our existing wildcard cert., but still allow a
> single client to use a second SSL cert to access the same web app? In
> other words, when "client N" accesses our web site via:
> https://clientn.mycompany.com
> they should use a separate SSL cert.
> 
> I'm assuming I'll need a second network connection for our tomcat
> server. Our "standard" traffic will arrive via "ip-address-one", and
> "client N's" traffic will arrive via "ip-address-two". (With DNS
> configured to make that work correctly.) My guess would be that in
> addition to our tomcat.keystore file, I should create a
> clientn.keystore (which obviously holds the "better one").  If that is
> the case, then I'm confused as to how to configure things in
> server.xml.
> 
> My current structure in server.xml is:
> <Server>
> <Service>
> <Connector port=8080 ... />
> <Connector port=8443 keystoreFile="tomcat.keystore" ... />
> <Engine defaultHost="localhost">
> <Host name="localhost">
> </Host>
> </Service>
> 
> </Server>
> 
> I've done some research and I believe I should use the "address"
> parameter on the connectors, so that I would then have two sets of
> Connector's, using the "clientn.keystore" on the 2nd SSL connector. But
> from there I'm confused as to what IP addresses should be used in the
> Engine and Host blocks. Do I need two Host sections?
> 
> <Server>
> <Service>
> <Connector port=8080 address="ip-address-one"... />
> <Connector port=8443 address="ip-address-one"
> keystoreFile="tomcat.keystore" ... />
> <Connector port=8080 address="ip-address-two"... />
> <Connector port=8443 address="ip-address-two"
> keystoreFile="clientn.keystore" ... />
> <Engine defaultHost="localhost">
> 
> <Host name="localhost">
> </Host>
> </Service>
> 
> </Server>
> 
>  If I simply replace "localhost" in the Engine and Host blocks with
> "ip-address-one", I get traffic correctly on all of our subdomains, but
> don't get any response when connecting to ip-address-two.
> 
> 
> Be gentle, but please slap me down the right road. ;-) I'm just
> stumbling through this, as you can tell. I hope I've not forgotten to
> share enough details.
__________________________________________________________________________

Confidentiality Notice:  This Transmission (including any attachments) may contain information that is privileged, confidential, and exempt from disclosure under applicable law.  If the reader of this message is not the intended recipient you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.  

If you have received this transmission in error, please immediately reply to the sender or telephone (512) 343-9100 and delete this transmission from your system.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Two SSL certs. for same web app

[Greg Johnson <gr...@yahoo.com>]

Jeffrey wrote:
>I do hope you are billing them an arm & a leg for that "better" certificate.

Our client is an integral partner of a well-known certificate provider, so they are providing it for us without charge....for just their subdomain. 

Chuck wrote:
>Since you have only one <Host>, the name attribute is irrelevant 
>as long as it matches the defaultHost setting in the <Engine>.

Thanks for your attention to detail, Chuck. You are correct. I guess I made that change at the same time I made some iptables changes (which was another hurdle for me). Apparently I changed the "right thing" with iptables at the same time I made the changes in Host and Engine, and incorrectly assumed I needed changes in the Host and Engine definition.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org