We have a wildcard SSL cert. installed on our tomcat (6.0.18) instance. We are 
not fronted by Apache, as we just use Tomcat to serve the content directly. We 
provide subdomains for our clients to connect to us. For example:
https://client1.mycompany.com
represents "client 1's" portal into our web app.
https://client2.mycompany.com
represents "client 2's" portal into our web app.

A particular client is not happy with the strength of our SSL certificate, and 
wants us to install a "better one" for them to use when accessing our web app. 
(We don't need to discuss "better" here....I've already pulled my hair out on 
this one. And, no, it's not possible for us to simply get a "better" wildcard 
cert.) We have a single web app, and all clients access the same ROOT app. The 
subdomains are used primarily to allow us to skin our site differently for each 
client.

What is the method I should use to have "most" of our clients access our web 
app. using our existing wildcard cert., but still allow a single client to use 
a second SSL cert to access the same web app? In other words, when "client N" 
accesses our web site via:
https://clientn.mycompany.com
they should use a separate SSL cert.

I'm assuming I'll need a second network connection for our tomcat server. Our 
"standard" traffic will arrive via "ip-address-one", and "client N's" traffic 
will arrive via "ip-address-two". (With DNS configured to make that work 
correctly.) My guess would be that in addition to our tomcat.keystore file, I 
should create a clientn.keystore (which obviously holds the "better one").  If 
that is the case, then I'm confused as to how to configure things in server.xml.

My current structure in server.xml is:
<Server>
  <Service>
    <Connector port="8080" ... />
    <Connector port="8443" keystoreFile="tomcat.keystore" ... />
    <Engine defaultHost="localhost">
      <Host name="localhost">
      </Host>
    </Engine>
  </Service>
</Server>

I've done some research and I believe I should use the "address" parameter on 
the connectors, so that I would then have two sets of Connector's, using the 
"clientn.keystore" on the 2nd SSL connector. But from there I'm confused as to 
what IP addresses should be used in the Engine and Host blocks. Do I need two 
Host sections? 

<Server>
  <Service>
    <Connector port="8080" address="ip-address-one" ... />
    <Connector port="8443" address="ip-address-one" keystoreFile="tomcat.keystore" ... />
    <Connector port="8080" address="ip-address-two" ... />
    <Connector port="8443" address="ip-address-two" keystoreFile="clientn.keystore" ... />
    <Engine defaultHost="localhost">
      <Host name="localhost">
      </Host>
    </Engine>
  </Service>
</Server>

If I simply replace "localhost" in the Engine and Host blocks with 
"ip-address-one", I get traffic correctly on all of our subdomains, but don't 
get any response when connecting to ip-address-two.


Be gentle, but please slap me down the right road. ;-) I'm just stumbling 
through this, as you can tell. I hope I've not forgotten to share enough 
details.

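As an added example (not part of the original post), this is how the two-interface layout described above could be written for a Tomcat 6 server.xml: both pairs of connectors live in the same Service and Engine, each connector is pinned to one interface with the address attribute and the SSL connectors point at their own keystores, while the Engine and Host keep hostnames rather than IP addresses, because Tomcat chooses the Host from the request's Host header, not from the interface the connection arrived on. The 192.0.2.x addresses, keystore paths, passwords and key aliases are placeholders.

```xml
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">

    <!-- Standard traffic: wildcard certificate, bound to the first interface only.
         192.0.2.10 is a placeholder for "ip-address-one". -->
    <Connector port="8080" address="192.0.2.10" protocol="HTTP/1.1"
               redirectPort="8443" />
    <Connector port="8443" address="192.0.2.10" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/tomcat.keystore"
               keystorePass="PLACEHOLDER-wildcard-password"
               keyAlias="wildcard" />  <!-- alias of the wildcard entry in that keystore (assumed) -->

    <!-- Client N: second certificate, bound to the second interface only.
         192.0.2.11 is a placeholder for "ip-address-two". -->
    <Connector port="8080" address="192.0.2.11" protocol="HTTP/1.1"
               redirectPort="8443" />
    <Connector port="8443" address="192.0.2.11" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/clientn.keystore"
               keystorePass="PLACEHOLDER-clientn-password"
               keyAlias="clientn" />   <!-- alias of client N's entry in that keystore (assumed) -->

    <!-- One Engine and one Host serve all four connectors. Host matching is done on
         the HTTP Host header, so these names are hostnames, never IP addresses;
         every subdomain falls through to the default host and hits the same ROOT app. -->
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true" />
    </Engine>

  </Service>
</Server>
```

After restarting, confirm that each interface is actually listening and presents the intended certificate, for example with `openssl s_client -connect 192.0.2.11:8443 -showcerts`, so a client is never handed the wrong certificate because of a binding mistake.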