
Here was my first question: "SSL on IIS & Tomcat running on same server", and it got answered. Thank you.

I am in the process of migrating our webapps from 2 servers to 1 server. These webapps right now are being accessed via 3 different Aliases.

In the end after migration, I will move the 3 aliases to this 1 server.

The web apps are running in IIS (default port) and Apache Tomcat 7.x (port 8080).

All is fine so far. I want to introduce SSL. So I applied for a certificate from our company certification manager, and in the application I gave the name as one of the aliases and not the server name.

My question here is: would I be able to use the same certificate on IIS and Tomcat even though it was requested with the "A" alias, or do I need to apply for multiple certificates, one for each alias?

KK99

1 Answer


It depends on how your system is configured.

If you are requesting a service on b.example.com but your certificate only covers a.example.com then technically the service will work, but only after throwing a certificate error. That certificate error is because your hostname does not match what the certificate is sending. The user will see a big scary error message.

There are three main workarounds here:

  1. Get a certificate that covers your three aliases, say a.example.com, b.example.com, c.example.com (these are called SAN certificates, where SAN stands for Subject Alternate Name). That way the one certificate is valid for all three of those services.
  2. Get three individual certificates. This may be cheaper than getting a SAN certificate because sometimes SSL providers choose to charge a bundle of money for a SAN certificate (because they can).
    • If your users are all on modern web browsers and devices, and your web server supports it, you can use SNI (Server Name Indication) and put all three certificates on a single IP address
    • If your users are on older browsers or devices, or your web server does not support SNI, then you would need to assign three IP addresses to your box and bind each certificate to a single IP address
  3. Get a wildcard certificate for *.example.com. Sometimes this is cheaper and easier than getting a SAN or multiple individual certificates. But it does not support covering say a.example.com and a.example.org and foo.a.example.com as a wildcard is only good for one level on one domain (unless you combine a SAN with wildcards, but that gets real expensive real quick).

Once you have gone down your route, you can use that certificate multiple times if you keep your private key intact. Just install the private key and the certificates on both of your web servers to continue to serve the same certificate from both boxes during the migration.

Mark Henderson
  • I have the following: Server: tools-server.company.com; Alias 1: Tool1.company.com; Alias 2: Tool2.company.com; Alias 3: Tool3.company.com. Tool1.company.com is a WebApp on IIS; Tool2.company.com & Tool3.company.com are WebApps on Tomcat. Thank you for your detailed answer. I guess applying for 3 certificates should be easier. – KK99 May 12 '17 at 08:35
  • @KarthikKrishnan that's the easiest way, but only if you can support SNI or can get three IP addresses. Also, SNI will only work if you have everything on the same web server, which you don't. Any three of the solutions I've proposed would work for you in your situation. – Mark Henderson May 12 '17 at 11:37
  • Plan is to have all 3 in 1 machine. I will give this a try. Thanks again. – KK99 May 12 '17 at 12:30
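The answer's three options differ only in which names the certificate carries, and the browser's "big scary error" is simply a name-mismatch check. The following added Python example (not code from the question, the answer, or any of the products mentioned) implements that check the way a client does: an exact name covers one hostname, and a wildcard covers exactly one label under one domain, so `*.example.com` covers `a.example.com` but neither `foo.a.example.com` nor `a.example.org`, as the answer says. The three `Tool*.company.com` aliases from the comments are used as sample input; the certificate name lists are constructed to represent the single-name, SAN and wildcard options and are not parsed from a real certificate.

```python
"""Check which hostnames a certificate's name set covers.

Implements the host-matching rules the answer describes: an exact SAN
entry covers one name, and a wildcard entry such as *.example.com covers
exactly one label under that domain (not foo.a.example.com, and never a
different domain).  Standard library only; the name lists below are
constructed sample data, not read from a real certificate.
"""
from typing import Iterable, List


def _hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate name covers hostname.

    Label text is compared case-insensitively.  A wildcard is honoured only
    when it is the entire left-most label, and it stands in for one label.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # Reject partial wildcards ("tool*.company.com"), wildcards deeper than
    # the first label, and patterns so short they would cover a whole TLD.
    if pat_labels[0] != "*" or any("*" in lab for lab in pat_labels[1:]):
        return False
    if len(pat_labels) < 3:
        return False
    # One wildcard label replaces exactly one hostname label, so the label
    # counts must agree; everything to the right of it must match exactly.
    if len(host_labels) != len(pat_labels):
        return False
    return host_labels[1:] == pat_labels[1:]


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name on the certificate (CN or SAN entry) covers hostname."""
    return any(_hostname_matches(name, hostname) for name in cert_names)


def uncovered_hosts(cert_names: Iterable[str], hostnames: Iterable[str]) -> List[str]:
    """Hostnames that would trigger a name-mismatch warning with this certificate."""
    names = list(cert_names)
    return [h for h in hostnames if not certificate_covers(names, h)]


# Constructed sample data: the asker's three aliases and the answer's options.
ALIASES = ["Tool1.company.com", "Tool2.company.com", "Tool3.company.com"]
SINGLE_NAME_CERT = ["tool1.company.com"]                     # requested for alias "A" only
SAN_CERT = ["tool1.company.com", "tool2.company.com", "tool3.company.com"]
WILDCARD_CERT = ["*.company.com"]


def main() -> None:
    for label, names in [("single-name", SINGLE_NAME_CERT),
                         ("SAN", SAN_CERT),
                         ("wildcard", WILDCARD_CERT)]:
        missing = uncovered_hosts(names, ALIASES)
        print(f"{label:12s} cert {names}: "
              f"{'covers all aliases' if not missing else 'mismatch on ' + ', '.join(missing)}")
    # The wildcard's limits, as described in the answer.
    print("*.company.com covers foo.tool1.company.com:",
          certificate_covers(WILDCARD_CERT, "foo.tool1.company.com"))
    print("*.company.com covers tool1.company.org:",
          certificate_covers(WILDCARD_CERT, "tool1.company.org"))


if __name__ == "__main__":
    main()
```

Whichever option is chosen, the same matching applies on both IIS and Tomcat because it is the client that checks the name; the server only needs the certificate and its private key installed. One practical caveat when picking option 2 with SNI on the setup described: SNI support on the server side arrived with IIS 8.0 and with Tomcat 8.5, so a Tomcat 7.x connector cannot select among several certificates by hostname and would need its own IP address (or a single certificate that covers both of its aliases).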