I know that tomcat can handle multiple SSL certificates by setting up multiple Connectors listening on different IP’s, but is it possible to set it up on the same IP?
The situation is that we have multiple web applications running in a single tomcat instance. Our server has only 1 static IP. Tomcat is set up to have Virtual Servers, so depending on the domain it serves a different app. However, if we want SSL in more that one of these apps, I predict we might run into trouble.
Does anyone have more experience in this field?
To be able to use multiple certificates on the same IP address and port, you need Server Name Indication support. Unfortunately, this was introduced in Java 7, only on the client side.
(There are still problems w.r.t. SNI support on the client side, most notably because of lack of support from any version of IE on Win XP, Java 6 and below, and some mobile browsers.)
A workaround for this is to use a single certificate that supports multiple host names. The preferred way to do this is to have a certificate with multiple Subject Alternative Name (SAN) entries. Otherwise, if the names have a pattern, a wildcard certificate may be suitable (e.g.
*.example.comforwww.example.comandsecure.example.com).Apache Httpd has support for SNI, so you may be able to solve your problem by using distinct
VirtualHosts for each host name you want to serve and use a reverse proxy to a different Tomcat configuration for each host.