I've been using a wildcard SSL certificate in Apache Tomcat 7. But now that I have to renew, I see there are these EV (extended verification) SSL certificates where browsers show a nice green bar so users feel better. That would be important for my site, so I want it! But I have multiple subdomains and apparently EV SSL certificates are NOT wildcard by nature. So ok, I have a set number of subdomains, I can just buy a bunch (I definitely need at least 2) EV SSL certificates for each subdomain.
Can I set this up in Tomcat 7 so that there are multiple SSL certificates on 1 web application? It's not a problem for me to assign multiple IP addresses to this machine.
Without Server Name Indication (SNI), which is not supported in Java (6), you need one certificate per IP address.
You can configure Tomcat to use multiple connectors, with different IP addresses and certificates, using the address attribute.
For example:
<Connector
port="8443" maxThreads="200" address="10.0.0.1"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="keystore1.jks" keystorePass="..."
clientAuth="false" sslProtocol="TLS"/>
<Connector
port="8443" maxThreads="200" address="10.0.0.2"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="keystore2.jks" keystorePass="..."
clientAuth="false" sslProtocol="TLS"/>
You may also be able to use the same keystore, if you need, and use the keyAlias
attribute (in Connector
) to tell the connector which key/certificate to use (based on the alias name in the keystore).