7

I want to have different SSL certificates for different domains that I am hosting in a single Jetty instance.

I do not want to front my Jetty application server with Apache.

I am running Jetty 6.1.22. So far, I have only seen configurations with a single SSL certificate, and the configuration for SSL happens within the server, which leads me to believe that Jetty was designed to support a single SSL certificate.

Please let me know if I can use Jetty with more than 1 certificate.

I am considering migrating to JBoss Application Server 6.0 since it is closer to a real application server. Is this something that can be done there, and is it a supported feature?

After searching a little bit, I came across this: https://stackoverflow.com/questions/208149/configure-multiple-keystores-in-jboss-depending-on-requested-hostname

Is that the case? If so, then I doubt Jetty or any other application server would support it. I would need to have 2 different connectors - a different port or IP address. Then, I would need to have Apache proxy Jetty / JBoss in that case.

Walter

  • Yes, you would need a different socket (address+port) for each unique certificate you wanted to use. I am not sure what that means from the perspective of Jetty. – Zoredache Dec 08 '10 at 02:40

2 Answers

3

Did you read the Jetty documentation?

Glassfish does it by attaching the certificates to the HTTP(S) listeners, which are then in turn bound to a server instance.

According to the documentation, the way Jetty does it is pretty similar:
http://docs.codehaus.org/display/JETTY/Virtual+hosts

You simply configure your vhosts (make them IP based, SSL is negotiated before host headers are ever sent), and then add multiple connectors, one per IP/HTTPS connector. Each can have its own trust/keystore with the SSL certificate in it.

https://web.archive.org/web/20150509123728/http://docs.codehaus.org/display/JETTY/Ssl+Connector+Guide
newer: https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html

Simply add a connector per certificate. There's no way around it, SSL requires a dedicated IP address, so one connector per SSL site you wish to serve.

According to this document:
https://www.eclipse.org/jetty/documentation/9.4.x/configuring-connectors.html

The "host" directive for connectors will allow you to bind them to a specific address, thus solving your problem.

Hope this helps.

cfstras
mr_daemon
1

Because I've now spent some time going through Jetty Documentation:

With Java 8 (which can do SNI), you don't need to configure anything in order to serve multiple different HTTPS certificates. They only need to be in your keystore. Jetty will automatically choose the right one, depending on the hostname used when connecting.

cfstras
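Both approaches from the two answers, written up as an added example that is not from the original posts or from the Jetty project: an embedded Jetty 9.4.x server (the API the linked connector documentation covers; `SslContextFactory.Server` assumes 9.4.12 or later), with one HTTPS connector per bind address and keystore as in the first answer, and the single SNI-backed connector from the second answer shown as the alternative. The addresses, keystore paths and passwords are placeholders.

```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class MultiCertJetty {

    // One HTTPS connector per (bind address, keystore). All values are placeholders.
    private static ServerConnector httpsConnector(Server server, String bindAddress,
                                                  String keyStorePath, String keyStorePassword) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(keyStorePath);
        ssl.setKeyStorePassword(keyStorePassword);
        ssl.setKeyManagerPassword(keyStorePassword);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        SecureRequestCustomizer customizer = new SecureRequestCustomizer();
        // Reject requests whose Host header does not match the negotiated SNI name.
        customizer.setSniHostCheck(true);
        httpsConfig.addCustomizer(customizer);

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        connector.setHost(bindAddress); // the "host" directive from the connector docs
        connector.setPort(443);
        return connector;
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Approach 1 (first answer): a dedicated IP address and keystore per certificate.
        server.addConnector(httpsConnector(server, "192.0.2.10",
                "/etc/jetty/site-a.p12", "placeholder-password-a"));
        server.addConnector(httpsConnector(server, "192.0.2.11",
                "/etc/jetty/site-b.p12", "placeholder-password-b"));

        // Approach 2 (second answer): on Java 8+ one connector suffices when both
        // certificates sit in one keystore under different aliases; Jetty selects by SNI.
        // server.addConnector(httpsConnector(server, "0.0.0.0",
        //         "/etc/jetty/all-sites.p12", "placeholder-password"));

        server.start();
        server.join();
    }
}
```

With no handler set, Jetty answers 404, which is enough to check with a TLS client that each address or SNI name presents the expected certificate.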