HowTo setup Tomcat serving two SSL Certificates using SNI?

Question

According to these two answers [1] [2] it's possible to have two SSL certificates serving from the same Apache Tomcat using Server Name Indication (SNI).

My question is then, how to setup this? I could setup two virtual hosts but I still have then just one connector which presents the specified SSL certificate to the client. In the connector one can specify the keystore and alias to use for the certificate but there is no parameter saying for which virtual host this connector is for or which certificate he should present to the client according to the used domain.

How can I tell tomcat which SSL certificate (or to be more correct which keystore) he has to use while using SNI?

[1] https://stackoverflow.com/a/10173447
[2] https://stackoverflow.com/a/6343059

Answer 1

You need to re-read the answers to those question. SNI is not supported on the server side until Java 8. The minimum Java version that Tomcat 8 has to support is Java 7 so at the moment there i no SNI support in Tomcat.

It may be possible to optionally support SNI if Tomcat is running on Java 8 or later but that would need code changes in Tomcat for which there are currently no plans.

Update as of December 2014:

Adding SNI support is on the TODO list for Tomcat 9. That TODO list is quite long and SNI is not currently at the top of the list. As always patches are welcome.

Once SNI is implemented in Tomcat 9 it is possible that SNI support might be back-ported to Tomcat 7 and Tomcat 8. Again, patched welcome.

Update as of June 2015:

SNI has been implemented for Tomcat 9. It is supported by all three HTTP connector implementations (NIO, NIO2 and APR/native). To use SNI with NIO or NIO2 you will need to compile Tomcat 9 (a.k.a. trunk) from source. To use SNI with APR/native you will also need to compile tc-native trunk (not the 1.1.x branch currently used by the Tomcat releases).

TLS configuration has changed significantly to support SNI. Details will be in the docs web application once you have build Tomcat 9.

Update as of November 2016:

SNI support is included in Tomcat 8.5.x. It is unlikely it will be back-ported further. i.e. It is unlikely to make it to 8.0.x or 7.0.x.

Answer 2

You could setup multiple ssl certificates using the below configuration:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="domain1">
        <SSLHostConfig hostName="domain1" >
            <Certificate certificateKeystoreFile="conf/domain1-keystore.jks" certificateKeystorePassword="dom1keystorepwd"
                        certificateKeyPassword="dom1keypwd"
                         type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="domain2" >
            <Certificate certificateKeystoreFile="conf/domain2-keystore.jks" certificateKeystorePassword="dom2keystorepwd"
                        certificateKeyPassword="dom2keypwd"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Tweak the protocol according to your necessity. You could also configure using openssl instead of jsse. Please refer https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig for further assistance

Also, defaultSSLHostConfigName is very important otherwise it wouldn't work. Select any one domain as default.

Answer 3

You could install nginx / haproxy (both supports SNI) in front of the tomcat and they will act as proxy.