Managing two SSL certificates in one Wildfly deployment instance.

 
Greenhorn
Posts: 2
Hi there,

I am new to this forum and to the whole Wildfly/JBOSS universe, so please forgive me if I am not accurate in contexts that are typical between developers.

Summary:
We have a functioning Wildfly 14.0.1 (Windows Server) successfully running a web application. We have all in place using a Keystore to use an SSL certificate for the deployment. We now have a requirement to add a second certificate to respond to another alias/hostname in the same server, but Wildfly only sees the first, primary certificate within the Keystore. What would be the best approach (configuring the Standalone.xml) so that we can use that second certificate within the Keystore to actually respond to the second domain alias that we have in place?

Current config:
We currently have a .com hostname in the standalone.xml and added an alias as .net so that the client can access the portal through the .net URL as well. The thing is that the .net is not applying the certificate because it is actually seeing the .com certificate within the Keystore, not the .net.

How can we apply this second SSL certificate to point to the second (.net) hostname to be able to secure the request to the .net URL?

Any help will be appreciated.
 
Saloon Keeper
Posts: 24283
In other words, you have two virtual hosts and each needs its own SSL certificate. So far so good.

Tomcat is no longer the built-in engine for JBoss/Wildfly, but I figured it probably has influenced whatever replaced it, so I went back to check how Tomcat does it and it's rather sticky.

Actually, what would probably work better would be to front WildFly with a reverse proxy server such as Apache or Nginx. You can define your virtual hosts there, assign a different SSL cert to each virtual host definition and gain the added benefits of being able to use the standard SSL port (443) without compromising security - plus you would have a central dispatching point for both Java and non-Java webapps.

The extra overhead is minimal and the benefits are considerable, which is why this is a popular solution.
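
The reverse-proxy layout suggested above, as an nginx configuration with one certificate per virtual host. This is an added example, not part of the original posts; the hostnames, certificate paths and the WildFly backend address (plain HTTP on 127.0.0.1:8080) are placeholder assumptions.

```nginx
# Constructed example: hostnames, certificate paths and backend address are placeholders.
events {}

http {
    # TLS settings shared by both virtual hosts.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Clients that send an unknown (or no) SNI name get no certificate at all,
    # instead of silently receiving the first one. Requires nginx 1.19.4 or later.
    server {
        listen 443 ssl default_server;
        ssl_reject_handshake on;
    }

    # Virtual host 1: the .com name with its own certificate.
    server {
        listen 443 ssl;
        server_name portal.example.com;
        ssl_certificate     certs/portal.example.com.fullchain.pem;
        ssl_certificate_key certs/portal.example.com.key.pem;

        location / {
            proxy_pass http://127.0.0.1:8080;
            # Pass the original host, client address and scheme to WildFly.
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Virtual host 2: the .net name, selected by SNI, with the second certificate.
    server {
        listen 443 ssl;
        server_name portal.example.net;
        ssl_certificate     certs/portal.example.net.fullchain.pem;
        ssl_certificate_key certs/portal.example.net.key.pem;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

With this layout the WildFly HTTP listener should be bound to the loopback interface so the backend cannot be reached around the proxy, and the Undertow `http-listener` needs `proxy-address-forwarding="true"` for the application to see the forwarded client address and scheme.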
 
Victor Filpo
Greenhorn
Posts: 2
Thanks, Tim, for your quick suggestion.

We will try that option and post any update. Many thanks for your help.
 
Tim Holloway
Saloon Keeper
Posts: 24283
My pleasure. I actually do this myself. Not only fronting Java webapp servers, but dispatching to backends running in containers on multiple DMZ hosts. One-stop shopping with SSL!
 