2

I have a single IP with Jetty serving up X sites on port 80. Basically you can sign up for our service, then point your domain www.mycompany.com to that IP, and Jetty will serve up your custom site.

I would like to add SSL support for all sites. To simplify things, I've looked at getting a single Unified Communications Certificate to plug into Jetty and have it work for all sites.

Is this possible? Has anyone done this before? Does Jetty only support traditional, single-domain certs? What issues might I run in to compared to a single-domain cert?

rcampbell

3 Answers

0

I'm a PKI guy but I'm afraid I've no experience with Jetty; however, I can't see why it wouldn't work. The way Unified Communication Certificates work is to populate the Subject Alternative Name field with the domains that are allowed. Any HTTP server presenting the certificate from one of these domains would be validated.

There is a snag here however; this is effectively a white-list and as your organisation changes you may wish to extend or remove domains. You are therefore going to need a new certificate each time this happens.

Are you currently running an internal CA to issue certificates?

Mark Sutton
http://www.blacktipconsulting.com

Mark Sutton
  • Are you currently running an internal CA to issue certificates? --No – rcampbell Dec 09 '09 at 11:30
  • "You are therefore going to need a new certificate each time this happens." -- This is exactly what I was afraid of. I was hoping to buy a UCC with perhaps 4 domains, then add a domain as customers sign up or remove a domain as they leave. If you're forced to buy a UCC each time, it's not going to work. Isn't there any way to accomplish this? – rcampbell Dec 09 '09 at 11:32
  • As I said in my answer, you can buy a UCC cert with a certain number of domains allowed in SAN fields. At least with GoDaddy (and possibly others), you can modify the contents of those fields by reissuing the certificate at will, up to the number of domains you bought. If you want to add more than you bought initially, you will have to pay some amount more to the certificate issuer to either upgrade or replace your certificate with one that has enough "capacity" for the additional SAN fields. – Clint Miller Dec 12 '09 at 04:39
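As an added illustration of the SAN white-list Mark describes (example code written for this page, not from the thread or from Jetty), the following Go program builds a self-signed stand-in certificate with a constructed SAN list and reports which customer hostnames a client would refuse to match, i.e. which sign-ups require the certificate to be reissued; all domain names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// buildUCC builds a self-signed stand-in for the CA-issued UCC: only its SAN list (DNSNames) matters here.
func buildUCC(sans []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     sans, // the white-list of allowed domains
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// uncovered returns the hostnames a client would not match against the SAN list (a wildcard covers one label only).
func uncovered(cert *x509.Certificate, wanted []string) []string {
	var missing []string
	for _, h := range wanted {
		if err := cert.VerifyHostname(h); err != nil {
			missing = append(missing, h)
		}
	}
	return missing
}

func main() {
	// Constructed data: a UCC bought with three SAN slots, and the customer hostnames pointed at the Jetty IP.
	cert, err := buildUCC([]string{"www.customer-a.example", "customer-a.example", "*.customer-b.example"})
	if err != nil {
		panic(err)
	}
	sites := []string{"www.customer-a.example", "www.customer-b.example", "www.customer-c.example", "deep.sub.customer-b.example"}
	fmt.Println("needs reissue:", uncovered(cert, sites)) // [www.customer-c.example deep.sub.customer-b.example]
}
```

Go's VerifyHostname, like current browsers, matches only the SAN entries and ignores the Subject CN, so a name missing from the SAN list cannot be rescued by the CN. Run the check against the real certificate before each reissue to see which new customers are still uncovered.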
0

As Mark Sutton suggested, the UCC cert is the only way to handle this for multiple virtual hosts with unique domain names (and only one certificate).

I recently used a UCC cert to solve a similar problem and found that GoDaddy, through whom I acquired our UCC cert, would allow me to self-service reissue the certificate for a new set of subjectAlternativeNames throughout the valid lifetime of the certificate. It still has the hassle of re-issuing the certificate, but it's better than having to purchase a new one every time.

Good luck!

UPDATE

As Robert pointed out, you'll pay for how many potential SAN fields the cert will contain. I.e., $XYZ for 10 SAN fields, $XYZ+$50 for 15 SAN fields, $XYZ+$90 for 20 SAN fields, etc.

Clint Miller
0

A UC certificate will work with Jetty for your needs. GoDaddy and DigiCert will both allow you to modify the names (add and remove) at any time by reissuing and reinstalling the certificate. You will need to pay for additional names that are more than what is included in the base cost.

Robert