How can I configure tomcat to use a single certificate but use multiple aliases?

I found this thread but I think this is not the case for my situation.

Using multiple SSL certificates in Tomcat 7

Our system admin has requested a single certificate that supports multiple URL aliases.

In my Tomcat setting, this is the configuration:

<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 7.0\www.url.com.jks"
           keystorePass="pass"
           keyAlias="www.url.com" />

This is the only setting I know for single SSL certificate and one alias. Any thoughts?

makalshrek
  • You don't understand. It has nothing to do with Tomcat. It has to do with the certificate itself. You have to get the *certificate* issued with multiple *internal* aliases. And it is your sysadmin who should be looking after this, not you. Completely off topic. – user207421 Sep 11 '14 at 05:26
  • @EJP Yeah, that is the problem. He doesn't know how to configure Tomcat SSL so I'm helping out. – makalshrek Sep 11 '14 at 06:11
  • You still don't understand. It has nothing to do with Tomcat whatsoever. The problem is the certificate, and procuring it correctly should be his job, not yours. – user207421 Sep 12 '14 at 01:32
  • @EJP So, the configuration would still be the same like the code I posted? I just need confirmation as I will putting that snippet in my installation guide for him to follow, if the config would still be the same. I work in a bank and software engineering here is not that great so a little clarification is very much appreciated. – makalshrek Sep 12 '14 at 03:54
  • The Tomcat configuration is unchanged. The content of the certificate is different. It has to be re-procured, possibly with a new CSR, and then the signed certificate has to be imported into that keystore, using the same alias. – user207421 Sep 12 '14 at 04:23
  • @EJP This clears everything up. Thank you. – makalshrek Sep 12 '14 at 08:39

1 Answer

One certificate can be mapped to several aliases, using a technique known as subject alternative name in the certificate. You could use this command while generating the CSR for the certificate based on the keystore:

# Generate the key pair; -ext san lists every host name the certificate must cover
"$JAVA_HOME"/bin/keytool -genkeypair -alias "$servername" -keyalg "RSA" \
    -keysize "$value" -sigalg "SHA256withRSA" -dname "CN=$servername,OU=org_unit,O=org,L=location" \
    -ext "san=dns:alias1,dns:alias2,dns:alias3,dns:alias4" \
    -keypass "$password" -keystore "$filename.jks" -storepass "$password"
# The CSR needs the same -ext: keytool does not copy the SAN from the key pair into the request
"$JAVA_HOME"/bin/keytool -certreq -alias "$servername" -ext "san=dns:alias1,dns:alias2,dns:alias3,dns:alias4" \
    -keystore "$filename.jks" -storepass "$password" -file "$servername.csr"
Toby Speight
  • This is indeed one way of doing it. Alternatively you can use tailor made configuration file for openssl where aliases are defined. Open question is if your tomcat will work with that as I have not managed yet to make it work (tomcat:8, java 1.8). – umghhh Jun 06 '19 at 11:32
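The answer above shows the SAN extension on the key-pair step only. The following script is an added example, not code from the answer or from Tomcat: it builds the keytool SAN argument from a list of aliases, generates a key pair and a CSR that both carry the extension, and prints the CSR so the SubjectAlternativeName entries can be checked before the request goes to the CA. It assumes a JDK keytool on PATH (Java 7 or later, where -certreq accepts -ext); all host names, paths and the keystore password are constructed placeholders.

```shell
#!/bin/sh
# Added example: keytool key pair + CSR carrying a subject alternative name
# for several host aliases. Host names and passwords are placeholders.
set -eu

# Turn "www.example.test api.example.test" into
# "san=dns:www.example.test,dns:api.example.test", the form keytool -ext expects.
build_san_ext() {
    _out=""
    for _h in "$@"; do
        if [ -z "$_out" ]; then
            _out="dns:$_h"
        else
            _out="$_out,dns:$_h"
        fi
    done
    printf 'san=%s\n' "$_out"
}

# Generate the key pair and the CSR in $keystore. The first host name becomes the CN;
# every host name (including the CN) goes into the SAN. -ext is passed to both
# commands because keytool does not copy the SAN from the key pair into the CSR,
# and a CSR without it yields a certificate that covers only the CN.
generate_csr_with_san() {
    keystore="$1"; alias="$2"; storepass="$3"; shift 3
    san_ext="$(build_san_ext "$@")"
    primary="$1"
    csr="${keystore%.jks}.csr"

    keytool -genkeypair -alias "$alias" -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
        -dname "CN=$primary,OU=placeholder_unit,O=placeholder_org,L=placeholder_city" \
        -ext "$san_ext" -validity 365 \
        -keystore "$keystore" -storepass "$storepass" -keypass "$storepass"

    keytool -certreq -alias "$alias" -ext "$san_ext" \
        -keystore "$keystore" -storepass "$storepass" -file "$csr"

    # Verification step: the output must list every alias under SubjectAlternativeName.
    keytool -printcertreq -file "$csr" -v
}

if command -v keytool >/dev/null 2>&1; then
    workdir="$(mktemp -d)"
    generate_csr_with_san "$workdir/www.example.test.jks" www.example.test changeit \
        www.example.test api.example.test intranet.example.test
    rm -rf "$workdir"
else
    echo "keytool not found on PATH; skipping key pair and CSR generation" >&2
fi
```

Once the CA returns the signed certificate, it is imported into the same keystore under the same alias (keytool -importcert -alias www.example.test ... , with the CA chain imported first), and the Connector in the question needs no change beyond pointing keystoreFile and keyAlias at that keystore and alias. Re-running keytool -list -v on the keystore after the import is the quick way to confirm the served certificate really carries all the SAN entries the sysadmin asked for.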