Ssl – Using multiple SSL certificates in Tomcat 7 for a webapp

sslssl-certificatetomcat

I've been using a wildcard SSL certificate in Apache Tomcat 7. But now that I have to renew, I see there are these EV (extended verification) SSL certificates where browsers show a nice green bar so users feel better. That would be important for my site, so I want it! But I have multiple subdomains and apparently EV SSL certificates are NOT wildcard by nature. So ok, I have a set number of subdomains, I can just buy a bunch (I definitely need at least 2) EV SSL certificates for each subdomain.

Can I set this up in Tomcat 7 so that there are multiple SSL certificates on 1 web application? It's not a problem for me to assign multiple IP addresses to this machine.

Best Answer

You can generally purchase unified communications Extended Validation certs from quite a few vendors, ( so you can have 1 cert that suuports multiple domains ). Digicert is one example of a CA offering these. Verisign also offers extended validation certs that support multiple SANs but Verisign is very expensive. I'd say shop around. I don't think GoDaddy will let you get an EV cert with multiple names attached to it but others do.

Related Solutions

SSL Certificate – Displaying Remote SSL Certificate Details Using CLI Tools

You should be able to use OpenSSL for your purpose:

echo | openssl s_client -showcerts -servername gnupg.org -connect gnupg.org:443 2>/dev/null | openssl x509 -inform pem -noout -text

That command connects to the desired website and pipes the certificate in PEM format on to another openssl command that reads and parses the details.

(Note that "redundant" -servername parameter is necessary to make openssl do a request with SNI support.)

Ssl – Generate subdomain certificate from valid wildcard certificate

First, I agree that it's a bad idea to spread wildcard certificates around. Best practice is to use either separate certificates (when the domains live on different servers or virtual hosts), or SAN certificates (when they all live in the same place).

However, you shouldn't be able to use your existing certificate to sign a sub-domain's certificate. SSL certificates are normally issued with a restriction on how they can be used. If you run openssl x509 -in /path/to/cert.pem -noout -text, you will see a part looking like

        X509v3 Extended Key Usage: 
            TLS Web Server Authentication, TLS Web Client Authentication

This means that the certificate can only be used to authenticate a web server or client. It can not be used to sign other certificates (or, at least, no client will trust a certificate signed by this one).

The reason why you can't do this is that there is currently no way for a CA to issue a certificate that can be used to sign other certificates within a given domain only. Therefore, if a trusted CA was to give you a certificate that you could use to sign other certificates, they would in effect give you the ability to impersonate any other site on the internet. This would be bad and that's why they don't do it.

Best Answer

Related Solutions

SSL Certificate – Displaying Remote SSL Certificate Details Using CLI Tools

Ssl – Generate subdomain certificate from valid wildcard certificate

Related Topic