tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Greg Johnson <>
Subject Two SSL certs. for same web app
Date Tue, 30 Aug 2011 03:10:09 GMT
We have a wildcard SSL cert. installed on our tomcat (6.0.18) instance. We are not fronted
by Apache, as we just use Tomcat to serve the content directly. We provide subdomains for
our clients to connect to us. For example:
represents "client 1's" portal into our web app.
represents "client 2's" portal into our web app.

A particular client is not happy with the strength of our SSL certificate, and wants us to
install a "better one" for them to use when accessing our web app. (We don't need to discuss
"better" here....I've already pulled my hair out on this one. And, no, it's not possible for
us to simply get a "better" wildcard cert.) We have a single web app, and all clients access
the same ROOT app. The subdomains are used primarily to allow us to skin our site differently
for each client.

What is the method I should use to have "most" of our clients access our web app. using our
existing wildcard cert., but still allow a single client to use a second SSL cert to access
the same web app? In other words, when "client N" accesses our web site via:
they should use a separate SSL cert.

I'm assuming I'll need a second network connection for our tomcat server. Our "standard" traffic
will arrive via "ip-address-one", and "client N's" traffic will arrive via "ip-address-two".
(With DNS configured to make that work correctly.) My guess would be that in addition to
our tomcat.keystore file, I should create a clientn.keystore (which obviously holds the "better
one").  If that is the case, then I'm confused as to how to configure things in server.xml.

My current structure in server.xml is:
<Connector port=8080 ... />
<Connector port=8443 keystoreFile="tomcat.keystore" ... />
<Engine defaultHost="localhost">
<Host name="localhost">


I've done some research and I believe I should use the "address" parameter on the connectors,
so that I would then have two sets of Connector's, using the "clientn.keystore" on the 2nd
SSL connector. But from there I'm confused as to what IP addresses should be used in the Engine
and Host blocks. Do I need two Host sections? 

<Connector port=8080 address="ip-address-one"... />
<Connector port=8443 address="ip-address-one" keystoreFile="tomcat.keystore" ... />
<Connector port=8080 address="ip-address-two"... />
<Connector port=8443 address="ip-address-two" keystoreFile="clientn.keystore" ... />
<Engine defaultHost="localhost">

<Host name="localhost">


 If I simply replace "localhost" in the Engine and Host blocks with "ip-address-one", I get
traffic correctly on all of our subdomains, but don't get any response when connecting to

Be gentle, but please slap me down the right road. ;-) I'm just stumbling through this, as
you can tell. I hope I've not forgotten to share enough details.

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message