Using multiple SSL certificates in Tomcat 7

Published 2024-11-15 05:54:04

I've been using a wildcard SSL certificate in Apache Tomcat 7. But now that I have to renew, I see there are these EV (extended verification) SSL certificates where browsers show a nice green bar so users feel better. That would be important for my site, so I want it! But I have multiple subdomains, and apparently EV SSL certificates are NOT wildcard by nature. So OK, I have a set number of subdomains, so I can just buy a bunch of EV SSL certificates (I definitely need at least 2), one for each subdomain.

Can I set this up in Tomcat 7 so that there are multiple SSL certificates on 1 web application? It's not a problem for me to assign multiple IP addresses to this machine.

Answers (5)

素衣风尘叹 2024-11-22 05:54:04

Without Server Name Indication (SNI), which is not supported in Java (6), you need one certificate per IP address.

You can configure Tomcat to use multiple connectors, with different IP addresses and certificates, using the address attribute.

For example:

<Connector 
       port="8443" maxThreads="200" address="10.0.0.1"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore1.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>
<Connector 
       port="8443" maxThreads="200" address="10.0.0.2"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="keystore2.jks" keystorePass="..."
       clientAuth="false" sslProtocol="TLS"/>

You may also be able to use the same keystore, if needed, and use the keyAlias attribute (on the Connector) to tell the connector which key/certificate to use (based on the alias name in the keystore).

很酷又爱笑 2024-11-22 05:54:04

I am using Tomcat 8.5, and it is now possible to configure Tomcat with multiple SSL certificates / multiple domains. Here is my config.

    <Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="localhost">

        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
        <SSLHostConfig hostName="localhost">
            <Certificate certificateKeyFile="/$path/privkey.pem"
                         certificateFile="/$path/certificate.pem"
                         certificateChainFile="/$path/chain.pem"
                         type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="domainname.com">
            <Certificate certificateKeyFile="/$path/privkey.pem"
                         certificateFile="/$path/certificate.pem"
                         certificateChainFile="/$path/chain.pem"
                         type="RSA" />
        </SSLHostConfig>

    </Connector>

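As an added example (not code from any of the answers), here is a small Python check that parses a server.xml and flags the two startup failures these layouts invite: two SSL connectors bound to the same address:port (the Tomcat 7 one-connector-per-IP layout from the first answer), and a defaultSSLHostConfigName that matches no SSLHostConfig (the Tomcat 8.5+ SNI layout in the answer above; Tomcat falls back to the name _default_ when the attribute is absent and refuses to start the connector if no SSLHostConfig carries that name). It also warns when one certificate file is attached to several hostName entries, as the config above does, because that only works if the certificate's SAN lists every one of those names. The server.xml fragment embedded in the script is constructed for this example; its IPs, hostnames and file paths are placeholders.

```python
"""Static checks for multi-certificate TLS layouts in a Tomcat server.xml.

Added example: covers the Tomcat 7 one-connector-per-IP layout and the
Tomcat 8.5+ SSLHostConfig (SNI) layout. All names below are placeholders.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed server.xml fragment for this example (not a real deployment).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <!-- Tomcat 7 style: one TLS connector per IP address, no SNI needed -->
    <Connector port="8443" address="10.0.0.1" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore1.jks" keystorePass="changeit"/>
    <Connector port="8443" address="10.0.0.2" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore2.jks" keystorePass="changeit"/>
    <!-- Mistake: same address:port as the first connector, so it cannot bind -->
    <Connector port="8443" address="10.0.0.1" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore3.jks" keystorePass="changeit"/>

    <!-- Tomcat 8.5+ style: one connector, certificate chosen by SNI -->
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="www.example.com">
      <SSLHostConfig hostName="www.example.com">
        <Certificate certificateKeyFile="conf/www.key" certificateFile="conf/www.crt" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="api.example.com">
        <Certificate certificateKeyFile="conf/www.key" certificateFile="conf/www.crt" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <!-- Mistake: defaultSSLHostConfigName falls back to _default_, which is not configured -->
    <Connector port="8444" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig hostName="shop.example.com">
        <Certificate certificateKeyFile="conf/shop.key" certificateFile="conf/shop.crt" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""


def tls_connectors(root):
    """All Connector elements with SSLEnabled="true"."""
    return [c for c in root.iter("Connector") if c.get("SSLEnabled", "false").lower() == "true"]


def check_bindings(root):
    """address:port pairs used by more than one TLS connector (the second one fails to bind)."""
    # Tomcat binds to all interfaces when 'address' is absent; "*" stands for that here.
    binds = Counter((c.get("address", "*"), c.get("port")) for c in tls_connectors(root))
    return sorted(f"{addr}:{port}" for (addr, port), n in binds.items() if n > 1)


def check_sni(root):
    """Findings for SSLHostConfig-based connectors (Tomcat 8.5+)."""
    findings = []
    for conn in tls_connectors(root):
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            continue  # keystore-style connector, nothing SNI-specific to check
        port = conn.get("port")
        names = [h.get("hostName", "_default_") for h in hosts]
        default = conn.get("defaultSSLHostConfigName", "_default_")
        if default not in names:
            findings.append(f"port {port}: defaultSSLHostConfigName '{default}' matches no SSLHostConfig")
        for name, n in Counter(names).items():
            if n > 1:
                findings.append(f"port {port}: hostName '{name}' is configured {n} times")
        # One certificate file attached to several hostNames only works if its SAN lists them all.
        users = {}
        for host in hosts:
            for cert in host.findall("Certificate"):
                users.setdefault(cert.get("certificateFile"), []).append(host.get("hostName", "_default_"))
        for cert_file, hostnames in users.items():
            if len(hostnames) > 1:
                findings.append(f"port {port}: {cert_file} serves {', '.join(hostnames)}; its SAN must list all of them")
    return findings


def audit(xml_text):
    """Run both checks over a server.xml document and return the findings."""
    root = ET.fromstring(xml_text)
    return {"duplicate_bindings": check_bindings(root), "sni": check_sni(root)}


if __name__ == "__main__":
    for check, findings in audit(SAMPLE_SERVER_XML).items():
        print(check)
        for line in findings:
            print("  -", line)
```

Point audit() at the text of your own server.xml before restarting Tomcat; a clean result means the connectors at least bind and pick a default certificate, while the SAN question is answered by inspecting the certificates themselves.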
国粹 2024-11-22 05:54:04

I am not sure whether "SNI" is really relevant here.

But in your case, the typical solution would be so-called SSL offloading or SSL termination:
i.e. put your Tomcat behind an Apache, which is configured to use multiple vhosts / domain names on the same IP. You can configure each vhost in Apache to use its own SSL certificate.

There is a step by step guide for this topic here:

http://milestonenext.blogspot.de/2012/09/ssl-offloading-with-modjk-part-1.html

2024-11-22 05:54:04

I have just got this to work on a server with multiple SSL certificates and IPs.

Added the IPs this way:
http://www.loadtestingtool.com/help/how-setup-ip.shtml

Added code to make the server use the maximum possible security with the "ciphers" (when having a 2048-bit key).

Tested first that this works with self-signed keys this way:
http://community.jboss.org/wiki/GeneratingSelfSignedCertificateWithKeytool
Note that the test on this page has erroneous characters at the beginning of the "-keystore" text (in multiple places).

Here is the code:

<Connector protocol="org.apache.coyote.http11.Http11Protocol" address="###.###.###.##1" port="443" minSpareThreads="5"
    enableLookups="true" acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true" keystoreFile="key1.key"
    keystorePass="password1" clientAuth="false" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

<Connector protocol="org.apache.coyote.http11.Http11Protocol" address="###.###.###.##2" port="443" minSpareThreads="5"
    enableLookups="true" acceptCount="100" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true" keystoreFile="key2.key"
    keystorePass="password2" clientAuth="false" sslProtocol="TLS"
    ciphers="SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"/>

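Added example (not part of the answer above): a Python classifier for the JSSE cipher-suite names that go into a Tomcat JSSE connector's ciphers attribute. Run on the list from the answer, it flags RC4 (prohibited for TLS by RFC 7465), 3DES (64-bit block, Sweet32), MD5-based MACs, static RSA key exchange (no forward secrecy) and the DSS suites (which need a DSA server key and are never negotiated with an RSA certificate), leaving only TLS_DHE_RSA_WITH_AES_128_CBC_SHA. The RECOMMENDED_JSSE list is my suggestion for an RSA certificate; its AES-GCM suites need Java 8 or later, so it will not work on the Java 6 runtimes Tomcat 7 was often deployed on.

```python
"""Classify the JSSE cipher-suite names in a Tomcat (JSSE connector) ciphers attribute.

Added example; the verdicts encode widely published guidance, not a Tomcat feature.
"""
import re

# The ciphers attribute from the answer above, used here as constructed input.
ANSWER_CIPHERS = (
    "SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, "
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, "
    "SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA"
)

# Suggested replacement for an RSA certificate on Java 8+ (AES-GCM suites need Java 8, ECDHE needs Java 7).
RECOMMENDED_JSSE = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]

# JSSE accepts the legacy SSL_ prefix as an alias for the same TLS_ suite; the checks are prefix-agnostic.
_KX = re.compile(r"^(?:TLS|SSL)_(.+?)_WITH_")


def classify(suite):
    """Return (hard, soft): hard findings disqualify the suite, soft ones are advisories."""
    hard, soft = [], []
    if "_RC4_" in suite:
        hard.append("RC4 is prohibited for TLS (RFC 7465)")
    if "_3DES_" in suite:
        hard.append("3DES has a 64-bit block (Sweet32 birthday attacks)")
    if suite.endswith("_MD5"):
        hard.append("MD5-based MAC")
    if "_NULL_" in suite or "_anon_" in suite or "_EXPORT" in suite:
        hard.append("no encryption, no server authentication, or export-grade strength")
    kx = _KX.match(suite)
    if kx and kx.group(1) == "RSA":
        hard.append("static RSA key exchange: no forward secrecy")
    if "_DSS_" in suite:
        hard.append("requires a DSA server key; never negotiated with an RSA certificate")
    if "_CBC_" in suite and suite.endswith(("_SHA", "_SHA256", "_SHA384")):
        soft.append("CBC mode with HMAC; prefer an AEAD (GCM) suite")
    return hard, soft


def audit_cipher_attr(attr):
    """Parse Tomcat's comma-separated ciphers attribute into {suite: (hard, soft)}."""
    suites = [s.strip() for s in attr.split(",") if s.strip()]
    return {s: classify(s) for s in suites}


def acceptable(attr):
    """Suites from the attribute with no hard findings, in their original order."""
    return [s for s, (hard, _) in audit_cipher_attr(attr).items() if not hard]


def suggested_attr(attr):
    """A replacement ciphers attribute: recommended suites first, then the surviving originals."""
    keep = [s for s in acceptable(attr) if s not in RECOMMENDED_JSSE]
    return ",".join(RECOMMENDED_JSSE + keep)


if __name__ == "__main__":
    for suite, (hard, soft) in audit_cipher_attr(ANSWER_CIPHERS).items():
        print(f"{suite}: {'DROP' if hard else 'keep'} {hard or soft}")
    print("suggested:", suggested_attr(ANSWER_CIPHERS))
```

The classifier only looks at the suite name, so it cannot tell you whether the JVM actually offers a suite; confirm the final list against what the server negotiates with a TLS scanner of your choice after restarting.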
网名女生简单气质 2024-11-22 05:54:04

You could just make life easier and get an EV SAN certificate (also known as UCC) and add each domain as an entry in the subject alternative name field. And if you want to use several IP addresses, just export the certificate and reimport it onto each IP address (http://www.ssltools.com/manager is great for that if you are running Windows). A good example of an EV SAN certificate is the one found at https://www.ssl.com; just examine it.
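Added example for the SAN approach above (not the commenter's code): a Python check that a certificate, in the dict shape returned by ssl.SSLSocket.getpeercert(), actually covers every hostname you serve. It reads only the subjectAltName DNS entries, because modern browsers ignore the CN when a SAN is present, and applies the RFC 6125 wildcard rules that the original wildcard certificate relied on: '*' must be the whole leftmost label and matches exactly one label. SAMPLE_PEERCERT is a constructed dict, not a real certificate, and the IP and hostnames are placeholders; fetch_peercert() does the live lookup against one connector IP with a chosen SNI name so the same check can be run against each of the IP-bound connectors discussed in the earlier answers.

```python
"""Check that a server certificate's SAN covers every hostname a Tomcat instance serves.

Added example. SAMPLE_PEERCERT is a constructed dict in ssl.SSLSocket.getpeercert()
shape, not a real certificate; the hostnames and IP are placeholders.
"""
import socket
import ssl

SAMPLE_PEERCERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (
        ("DNS", "www.example.com"),
        ("DNS", "shop.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "10.0.0.1"),
    ),
}


def dns_names(peercert):
    """DNS entries of subjectAltName only: browsers ignore the CN when a SAN is present."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, '*' only as the entire leftmost label,
    matching exactly one label, and never matching a bare TLD such as '*.com'."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False  # partial wildcards like 'w*.example.com' are rejected (conservative choice)
    return p_labels[1:] == h_labels[1:]


def uncovered(peercert, hostnames):
    """Hostnames that none of the certificate's SAN DNS names cover."""
    names = dns_names(peercert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]


def fetch_peercert(address, port=443, server_hostname=None, timeout=5.0):
    """Live lookup: connect to one connector IP with SNI set to server_hostname and return the
    cert dict. The chain is still verified (CERT_REQUIRED); only the hostname comparison is
    left to uncovered(), so one connection can be checked against several names."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((address, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_hostname or address) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    served = ["www.example.com", "shop.example.com", "v1.api.example.com", "api.example.com"]
    # api.example.com is reported: '*.api.example.com' needs exactly one more label.
    print("not covered:", uncovered(SAMPLE_PEERCERT, served))
```

For a live check, call uncovered(fetch_peercert("10.0.0.1", 443, "www.example.com"), served) once per connector IP, substituting your own addresses and hostnames; an empty list means that connector's certificate names every host you expect it to serve.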
