Configuring multiple SSL certificates for a single Tomcat connector

Sometimes you may want the same Tomcat instance to respond to requests for more than one hostname. For plain HTTP this is easy: point the DNS records for all of those hostnames at the same IP address using the tools your registrar or DNS provider offers, and Tomcat simply serves them. Supporting HTTPS for several hosts is more involved, because each hostname needs its own SSL certificate and private key, and Tomcat has to be able to load them and pick the right one for each connection (the client announces the hostname it wants through the TLS Server Name Indication extension, SNI).

The standard JSSE connector reads its certificate from a Java keystore. To get around that requirement and work with PEM certificate and key files directly, this post uses the native APR connector, which hands TLS to OpenSSL. The Apache Tomcat Native Library is an optional component that lets Tomcat use certain native resources; the better performance it brings is a nice side effect. One caveat on versions: serving several hostnames from a single connector relies on SNI, which Tomcat added together with the per-host SSLHostConfig configuration in 8.5, so the setup below needs Tomcat 8.5 or later. Those releases can also read PEM files with the JSSE implementation, but the rest of this post follows the APR route.

Debian and Ubuntu

On Debian and Ubuntu, the required library can be installed from the distribution's packages:

apt-get install libtcnative-1

On amd64 the library is installed as /usr/lib/x86_64-linux-gnu/libtcnative-1.so (on other architectures the directory differs; `dpkg -L libtcnative-1 | grep '\.so$'` shows where it went).

To make Tomcat aware of the library, add the following line to $CATALINA_HOME/bin/setenv.sh (if the file doesn't exist, create it and make it executable; catalina.sh sources it on every start):

CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/lib/x86_64-linux-gnu"

macOS

On macOS you may want to use the Homebrew package manager; the formula is called tomcat-native (libtcnative is the name of the resulting shared library, not of the formula):

brew install tomcat-native

and use this line in setenv.sh (check the exact path with `brew --prefix tomcat-native` if your Homebrew prefix is not /usr/local):

CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/local/opt/tomcat-native/lib"

Tomcat

For simplicity, I assume you have the certificates (with their chains) and private keys stored in Tomcat's config directory, $CATALINA_HOME/conf (e.g. host_name1.pem, host_name1.key, host_name2.pem, host_name2.key). The key files should be owned by the user Tomcat runs as and readable by nobody else (`chmod 600`), and they must be unencrypted unless you also set certificateKeyPassword on the Certificate element.

server.xml

Finally, modify $CATALINA_HOME/conf/server.xml so that the HTTPS connector uses the APR protocol and carries one SSLHostConfig (with its own Certificate) per hostname, then restart Tomcat.
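The following connector configuration is an added example, not the configuration from the original post. It assumes Tomcat 8.5 or later (SSLHostConfig and Certificate elements), port 8443, and the placeholder hostnames host_name1 and host_name2 with the file names used above; the intermediate CA certificates are assumed to live in separate host_nameN-chain.pem files, which is the safest arrangement with the APR/OpenSSL implementation:

```xml
<!-- Added example: fragments of $CATALINA_HOME/conf/server.xml (not the post's own file).
     Assumes Tomcat 8.5+, the APR connector and the placeholder hostnames/files from above. -->

<!-- Inside <Server>: the default server.xml already ships this listener.
     SSLEngine="on" initialises OpenSSL; without it the APR connector cannot do TLS. -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

<!-- Inside <Service name="Catalina">: one connector, one SSLHostConfig per hostname. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true"
           scheme="https" secure="true"
           maxThreads="150"
           defaultSSLHostConfigName="host_name1">

  <!-- Selected when the SNI name sent by the client is host_name1, and also used
       as the fallback for clients that send no SNI or an unknown name
       (defaultSSLHostConfigName above must match one hostName exactly). -->
  <SSLHostConfig hostName="host_name1"
                 protocols="TLSv1.2,TLSv1.3"
                 honorCipherOrder="true">
    <!-- Relative paths resolve against $CATALINA_BASE. certificateChainFile holds
         the intermediates only, without the server certificate (assumed file name). -->
    <Certificate certificateFile="conf/host_name1.pem"
                 certificateKeyFile="conf/host_name1.key"
                 certificateChainFile="conf/host_name1-chain.pem"
                 type="RSA" />
  </SSLHostConfig>

  <!-- Selected when the SNI name is host_name2. -->
  <SSLHostConfig hostName="host_name2"
                 protocols="TLSv1.2,TLSv1.3"
                 honorCipherOrder="true">
    <Certificate certificateFile="conf/host_name2.pem"
                 certificateKeyFile="conf/host_name2.key"
                 certificateChainFile="conf/host_name2-chain.pem"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```

After the restart, confirm that each name really gets its own certificate rather than the default one: `openssl s_client -connect host_name2:8443 -servername host_name2 </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer` should print the host_name2 certificate, the same command with `-servername host_name1` the host_name1 certificate, and a run without `-servername` the certificate named by defaultSSLHostConfigName. If Tomcat logs an error about the APR listener or falls back to a JSSE-only startup, the library path in setenv.sh is wrong. Drop TLSv1.3 from the protocols list if your OpenSSL build does not support it.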
