
Self-signed SSL certificate for JBoss with multiple domains


Is there any way to create a self-signed SSL certificate for multiple domains? My environment is jboss-5.1.0.GA.

I already created a self-signed SSL certificate for a single domain using the following Java keytool commands.

 keytool -genkey -alias jbosskey -keypass changeit -keyalg RSA -keystore server.keystore
 # Answer the prompts. Use myHostname when asked for first/last name
 keytool -export -alias jbosskey -keypass changeit -file server.crt -keystore server.keystore
 keytool -import -alias jbosscert -keypass changeit -file server.crt -keystore server.keystore

Then I enabled SSL in the JBoss server.xml as follows:

 <Connector protocol="HTTP/1.1" SSLEnabled="true" 
       port="7443" address="${jboss.bind.address}"
       scheme="https" secure="true" clientAuth="false" 
       keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       keystorePass="changeit" sslProtocol = "TLS" />

This is working fine. Now I need to add another separate domain name to this certificate.

Please note that I'm not talking about a wildcard certificate, which supports subdomains.

What I need to do is add totally separate domain names to a single keystore file.

P.S.

I'm working in an Apache + JBoss environment. The Apache server works as a proxy.

I can give separate SSL certificate files in the Apache httpd-ssl.conf configuration for different domains. But when it comes to JBoss, I'm not sure how to handle it.

If we use Apache as a proxy (that means configuring SSL in Apache), can we ignore SSL in JBoss?

I tried to ignore the entry (keystoreFile="${jboss.server.home.dir}/conf/server.keystore"), but it gives an error.

If not, is there any way to handle this situation without an SSL certificate that supports multiple domains?

Thanks


Solution

  • If I understand this correctly, you may be able to let your Apache server handle the SSL authentication, and then JBoss can ignore the SSL cert if the proxy is handling it up front (the JBoss design is to allow control/auth of SSL certs from the deployment, which doesn't sound necessary in this case).

    I have a similar setup, whereby a proxy hosted elsewhere deals with the SSL authentication and just forwards the requests through the DMZ to the JBoss server, which can then ignore the certs.
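
The setup this answer describes, sketched as an added Apache configuration (it is not from the original question or answer): each domain gets its own certificate at the proxy, and requests are forwarded to JBoss over plain HTTP. The hostnames, file paths and the backend address `127.0.0.1:8080` are constructed placeholders and assumptions.

```apache
# Added example. Hostnames, certificate paths and the backend address are
# constructed placeholders. 127.0.0.1:8080 assumes the JBoss plain HTTP
# connector listens on loopback on the same host as Apache.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.
# Name-based HTTPS virtual hosts depend on SNI support in Apache/OpenSSL
# and in the clients.

# "Listen 443" is normally already present in httpd-ssl.conf.
# Apache 2.2 only (not needed on 2.4):
# NameVirtualHost *:443

<VirtualHost *:443>
    ServerName app1.example
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/app1.example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/app1.example.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header so the backend can tell the domains apart.
    ProxyPreserveHost On
    # Tell the application the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

<VirtualHost *:443>
    ServerName app2.example
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/app2.example.crt
    SSLCertificateKeyFile /etc/apache2/ssl/app2.example.key

    ProxyRequests Off
    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto "https"

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

On the JBoss side this assumes the whole HTTPS `<Connector>` element in server.xml is commented out, rather than only its `keystoreFile` attribute. The hop from Apache to JBoss is unencrypted here, so the HTTP connector should be reachable only from the proxy.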