Question

Is there any way to create a self-signed SSL certificate for multiple domains? My environment is jboss-5.1.0.GA.

I already created a self-signed SSL certificate for a single domain using the following Java keytool commands.

 # Generate an RSA key pair and a self-signed certificate under the alias "jbosskey".
 # (-keysize 2048 added here: older keytool releases default to a 1024-bit RSA key.)
 keytool -genkey -alias jbosskey -keypass changeit -keyalg RSA -keysize 2048 -keystore server.keystore
 # Answer the prompts. Use myHostname when asked for first/last name (it becomes the CN).
 # Export the certificate (public part only) to a file.
 keytool -export -alias jbosskey -keypass changeit -file server.crt -keystore server.keystore
 # Import the exported certificate back into the same keystore as a trusted-certificate entry.
 keytool -import -alias jbosscert -keypass changeit -file server.crt -keystore server.keystore

Then I enabled SSL in the JBoss server.xml as follows:

 <Connector protocol="HTTP/1.1" SSLEnabled="true"
       port="7443" address="${jboss.bind.address}"
       scheme="https" secure="true" clientAuth="false"
       keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
       keystorePass="changeit" sslProtocol="TLS" />

This is working fine. Now I need to add another separate domain name to this certificate.

Please note that this is not a wildcard certificate I'm talking about, which supports subdomains.

What I need to do is add totally separate domain names to a single keystore file.

P.S.

I'm working on an Apache + JBoss environment. The Apache server works as a proxy.

I can give separate SSL certificate files in the Apache httpd-ssl.conf configuration for different domains. But when I come to JBoss, I'm not sure how to handle it.

If we use Apache as a proxy (that is, configure SSL in Apache), can we ignore SSL in JBoss?

I tried to leave out the entry (keystoreFile="${jboss.server.home.dir}/conf/server.keystore"), but it gives an error.

If not, is there any way to handle this situation without an SSL certificate that supports multiple domains?

Thanks


Solution

If I understand this correctly, you may be able to let your Apache server handle the SSL authentication, and then JBoss can ignore the SSL cert if the proxy is handling it up front (the JBoss design is to allow control/auth of SSL certs from the deployment, which doesn't sound necessary in this case).

I have a similar setup, whereby a proxy hosted elsewhere deals with the SSL authentication and just forwards the requests through the DMZ to the JBoss server, which can then ignore the certs.

Other tips

If I may give an additional answer: a very common setup for Apache + JBoss is to use Apache as some kind of load balancer/reverse proxy in front of JBoss. The SSL communication is completely done by Apache. And a preferred way is to use AJP between Apache and JBoss instead of HTTP, because it sets all necessary information in the Servlet request instead of using X-Forwarded-... information as additional headers that need to be read explicitly.

In this case (either with mod_jk or mod_cluster) you can also manage multiple instances of JBoss behind Apache very easily. Of course, the communication between Apache and JBoss is not encrypted (as far as I know, AJP doesn't support SSL).

If you want to have encrypted communication while Apache is still handling all the external SSL communication, then the internal communication between Apache and JBoss only needs to be covered by one certificate, and Apache needs to trust that certificate.

And one more thing: you can put more than one certificate/private key into a keystore just by importing them into the already existing keystore. With keytool -list you can review the contents of the keystore. What I have never tested yet is whether JBoss will use SNI to pick the correct certificate/key for the incoming request. But newer JBoss and Java versions support SNI by default.
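The question's title asks for a single self-signed certificate that is valid for several unrelated domain names. The standard way to do that is the Subject Alternative Name (SAN) extension, which neither answer spells out: one certificate, one key entry, every hostname listed in the SAN, so JBoss needs neither SNI nor several key entries and the question's server.xml connector can stay as it is. The script below is an added example, not code from the question or the answers. It assumes a keytool from Java 7 or later (the -ext option), and the hostnames, store password and keystore path are placeholders. It builds the keystore and then reads the SAN back out of the stored certificate, because modern clients match the hostname against the SAN only and ignore the CN, so that is the field that must contain every domain.

```shell
#!/bin/sh
# Added example: one self-signed certificate covering several domains via SAN.
# Assumes keytool from Java 7+ (-ext). Hostnames and passwords are placeholders.
set -eu

KEYSTORE="${KEYSTORE:-${TMPDIR:-/tmp}/server.keystore}"
ALIAS="jbosskey"
STOREPASS="changeit"

# Turn a list of hostnames into the value keytool expects for -ext, e.g.
#   build_san_ext shop.example.com www.example.org
#   -> SAN=dns:shop.example.com,dns:www.example.org
build_san_ext() {
  ext="SAN="
  sep=""
  for host in "$@"; do
    ext="${ext}${sep}dns:${host}"
    sep=","
  done
  printf '%s' "$ext"
}

# Create the key pair and the self-signed certificate in one step.
# The first hostname becomes the CN; all of them go into the SAN.
make_keystore() {
  rm -f "$KEYSTORE"
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS" \
    -dname "CN=$1, O=Example, C=US" \
    -ext "$(build_san_ext "$@")"
}

# Print the DNS names found in the certificate's SAN, one per line.
# keytool -list -v renders the extension as lines of the form "  DNSName: host".
san_dns_names() {
  keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" -alias "$ALIAS" \
    | sed -n 's/^ *DNSName: *//p'
}

# Exit 0 if the stored certificate covers the given hostname, 1 otherwise.
cert_covers() {
  san_dns_names | grep -qx "$1"
}

# Demo: three unrelated domains in one certificate. Skipped if no JDK is installed.
if command -v keytool >/dev/null 2>&1; then
  make_keystore shop.example.com www.example.org api.example.net
  echo "SAN entries in $KEYSTORE:"
  san_dns_names
  cert_covers www.example.org && echo "www.example.org is covered"
else
  echo "keytool not found; install a JDK (7 or later) to run the demo" >&2
fi
```

Point the existing HTTPS connector's keystoreFile/keystorePass at the generated keystore and password and JBoss will present the same certificate to every one of the listed names. Adding a domain later means regenerating the key entry with the longer SAN list; a certificate cannot be amended in place.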

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow