Posted to users@tomcat.apache.org by Raffaele <r....@prismasw.it> on 2007/11/26 16:35:43 UTC

[HTTPS] more web apps, each one with its own certificate

Hi all!

I'm quite a beginner with Tomcat, but I really can't understand what I should
do in the following scenario:

I'm configuring Tomcat to use HTTPS with all my web apps.
I have produced a .keystore file with two keys (one for each web app).
I have two web apps and I would like to use one key with one of them and the
other key with the other web app.

Inside server.xml, I have uncommented the XML fragment about HTTPS, but I
have noticed, studying the documentation a little, that through the keyAlias
attribute I can specify a specific alias to be used as the valid certificate.

My question is: how should I configure server.xml (or other things) to use
different certificates with different web apps?

Thanks in advance and best regards.
Raffaele


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [HTTPS] more web apps, each one with its own certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Hassan,

Hassan Schroeder wrote:
> Let's clarify -- there's "name-based" virtual hosting, and IP-based
> virtual hosting. It's name-based SSL that won't work for the reasons
> above.
> 
> IP-based virtual hosting with Tomcat works fine, by configuring a
> separate Connector (and keystore) for each SSL-enabled vhost.

Thanks for clearing that up. I had forgotten about IP-based host
selection. IP + port must be unique for certificates.

- -chris



Re: [HTTPS] more web apps, each one with its own certificate

Posted by Hassan Schroeder <ha...@gmail.com>.
On Nov 26, 2007 11:03 AM, Christopher Schultz
<ch...@christopherschultz.net> wrote:

> Are you saying that you want to have multiple virtual hosts, each with
> separate certificates?
>
> I don't believe that's possible, not even with any other server. The
> problem is that the client contacts a particular port (usually 443 for
> HTTPS) and is immediately presented with the server's certificate
> (before any other information is transmitted). Since virtual hosting
> works by having the server sniff the client's "Host" HTTP header,...

Let's clarify -- there's "name-based" virtual hosting, and IP-based
virtual hosting. It's name-based SSL that won't work for the reasons
above.

IP-based virtual hosting with Tomcat works fine, by configuring a
separate Connector (and keystore) for each SSL-enabled vhost.

FWIW,
-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com
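As an added illustration of the IP-based approach Hassan describes (example configuration written for this page, not taken from the original thread or from the Tomcat project): two HTTPS Connectors in server.xml, each bound to its own IP address with the address attribute and each selecting a different key from the same keystore via keyAlias, which matches the single-keystore, two-alias setup in the original question. The addresses, hostnames, keystore path, alias names and password are hypothetical. One caveat a reader in a later era should know: Tomcat 8.5 and later support SNI through the SSLHostConfig element, which lets a single Connector present a different certificate per requested hostname; the thread predates that, so the fragment below uses the one-IP-per-certificate scheme that works without SNI.

```xml
<!-- Added example server.xml fragment (not from the original thread).
     Tomcat 6-era Connector syntax. Addresses, hostnames, paths, aliases
     and passwords are hypothetical. -->
<Service name="Catalina">

  <!-- First HTTPS endpoint: bound to the IP that app1.example.com resolves to.
       keyAlias picks the "app1" entry out of the shared keystore. -->
  <Connector port="443" address="192.0.2.10"
             protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS"
             keystoreFile="/etc/tomcat/.keystore" keystorePass="changeit"
             keyAlias="app1" />

  <!-- Second HTTPS endpoint: same port, different IP, different key alias.
       IP + port must be unique per certificate, so this needs two addresses
       on the machine; a second Connector on the same IP would have to use
       a different port instead. -->
  <Connector port="443" address="192.0.2.11"
             protocol="HTTP/1.1" SSLEnabled="true"
             scheme="https" secure="true" clientAuth="false"
             sslProtocol="TLS"
             keystoreFile="/etc/tomcat/.keystore" keystorePass="changeit"
             keyAlias="app2" />

  <Engine name="Catalina" defaultHost="app1.example.com">
    <!-- Hosts are still selected by the HTTP Host header after the handshake;
         the certificate is selected by which address the client connected to.
         DNS for each name must therefore point at the matching address above,
         or the browser will see a certificate for the wrong name. -->
    <Host name="app1.example.com" appBase="webapps-app1"
          unpackWARs="true" autoDeploy="true" />
    <Host name="app2.example.com" appBase="webapps-app2"
          unpackWARs="true" autoDeploy="true" />
  </Engine>

</Service>
```

To check that each address presents the intended certificate, connect to each one directly (for example with openssl s_client -connect 192.0.2.10:443 and then 192.0.2.11:443) and compare the subject of the certificate shown; the alias names available in the keystore can be listed with keytool -list -keystore /etc/tomcat/.keystore. Since keystorePass sits in server.xml in clear text, the file should be readable only by the account Tomcat runs as.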



Re: [HTTPS] more web apps, each one with its own certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Raffaele,

Raffaele wrote:
> Inside server.xml, I have uncommented the XML fragment about HTTPS, but I
> have noticed, studying the documentation a little, that through the keyAlias
> attribute I can specify a specific alias to be used as the valid certificate.
> 
> My question is: how should I configure server.xml (or other things) to use
> different certificates with different web apps?

Typically, certificates are bound to domain names, not web applications.
Are you saying that you want to have multiple virtual hosts, each with
separate certificates?

I don't believe that's possible, not even with any other server. The
problem is that the client contacts a particular port (usually 443 for
HTTPS) and is immediately presented with the server's certificate
(before any other information is transmitted). Since virtual hosting
works by having the server sniff the client's "Host" HTTP header,
there's no time to read that header before the certificate needs to be
presented to the client.

Basically, if you want more than one cert, you need more than one port
listening for HTTPS requests, each with the appropriate cert configured
for each. The same is true for Apache, IIS, etc. -- it's an issue with
the protocol, not the implementation.

Sorry,
- -chris

