Moving over to internal SSL to replace the built-in CA on multiple WinSvr boxes

L-plateAdmin
Contributor

Hi All


So we are moving away to sign our own Tomcat boxes that run Windows behind a load balancer rather than Linux, so I am sorting out the new internal certs to take over from when the SSL terminates at the balancer.

As it seems the resulting JKS file is just copied over to the other servers after following this article: https://learn.jamf.com/bundle/technical-articles/page/Enabling_SSL_on_Tomcat_with_a_Public_Certifica...

I have only ever done signing for IIS and Windows boxes, and there seems to be no way of specifying multiple SANs, i.e. the servers themselves as well as the main URL that I specify. Is this not needed for Tomcat certs? I always assumed you needed to list the local servers. Or, because we have an external cert terminating at the load balancer with the same domain URL, do we just need the URL domain only on the local cert to continue the 'journey'?


Sorry for the word 'soup'.


L-plateAdmin
Contributor

OK, so to confirm what I found: I now understand a lot of CAs can take extra 'SAN' addresses when applying, but just in case, with keytool in Java 7 and upwards (I reckon most guides are written for v6 or lower) you can augment the keystore creation AND the cert request command with '-ext' after the alias, for example:

-ext SAN="dns:url1,dns:server1_fqdn,dns:server2_fqdn"


Shame it took me so long to find the answer...
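The reply above gives the `-ext SAN=` fragment on its own. As an added example (not part of the original thread, and not Jamf's or the poster's code), here is the full keytool flow the poster describes, typed into PowerShell on one of the Windows Tomcat boxes: create the key pair with the SAN list, emit a CSR carrying the same SAN list, then check the CSR (and later the signed certificate) actually lists every name before the JKS is copied to the other servers. The hostnames `jss.example.internal`, `tomcat01.example.internal` and `tomcat02.example.internal`, the alias `tomcat`, the file names and the passwords are all placeholders chosen for the example; substitute your own. The SAN list holds the public URL the load balancer re-encrypts to plus each backend FQDN, so a health check or a direct connection to a single node also validates.

```powershell
# Added example: keytool on Windows (Java 7+) with a multi-name SAN, plus a check.
# Hostnames, alias, file names and passwords below are placeholders, not real values.
$Alias     = 'tomcat'
$Keystore  = 'C:\Tomcat\conf\keystore.jks'
$StorePass = 'changeit-store'            # placeholder, use a real secret
$Csr       = 'C:\Tomcat\conf\tomcat.csr'
$SignedCer = 'C:\Tomcat\conf\tomcat-signed.cer'

# Public URL first (the name the load balancer uses to re-encrypt to the backends),
# then the FQDN of every Tomcat node that will receive a copy of this keystore.
$SanHosts = @(
    'jss.example.internal',
    'tomcat01.example.internal',
    'tomcat02.example.internal'
)

# Build "dns:a,dns:b,dns:c". Quote the whole argument: in PowerShell an unquoted
# comma splits a native-command argument into several arguments.
$SanExt = 'SAN=' + (($SanHosts | ForEach-Object { "dns:$_" }) -join ',')

# 1. Key pair. -storetype JKS keeps the file format the Jamf article expects;
#    from Java 9 the default keystore type is PKCS12.
& keytool -genkeypair -alias $Alias -keyalg RSA -keysize 2048 -sigalg SHA256withRSA `
    -dname "CN=$($SanHosts[0]), O=Example Org, C=GB" `
    -ext $SanExt -validity 365 `
    -keystore $Keystore -storetype JKS -storepass $StorePass -keypass $StorePass
if ($LASTEXITCODE -ne 0) { throw 'keytool -genkeypair failed' }

# 2. CSR. The SAN must be repeated here; -genkeypair's SAN only lands in the
#    self-signed placeholder certificate, not in the request.
& keytool -certreq -alias $Alias -ext $SanExt -file $Csr `
    -keystore $Keystore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw 'keytool -certreq failed' }

# 3. Verify the request lists every name before sending it to the CA.
#    -printcertreq -v prints the SubjectAlternativeName extension with one
#    "DNSName: <host>" entry per name (assumption: output format of current JDKs).
function Test-SanNames {
    param([string[]]$Lines, [string[]]$Expected)
    $missing = $Expected | Where-Object { -not ($Lines -match "DNSName:\s*$([regex]::Escape($_))") }
    if ($missing) { Write-Warning ("Names missing from SAN: " + ($missing -join ', ')) }
    return (-not $missing)
}

$csrDump = & keytool -printcertreq -v -file $Csr
if (-not (Test-SanNames -Lines $csrDump -Expected $SanHosts)) { throw 'CSR SAN incomplete' }

# 4. After the CA returns the signed chain: import it over the placeholder cert
#    under the same alias, then re-check. Some CAs rewrite or drop requested SANs,
#    so the issued certificate, not the CSR, is the thing to trust.
if (Test-Path $SignedCer) {
    & keytool -importcert -alias $Alias -file $SignedCer -trustcacerts `
        -keystore $Keystore -storepass $StorePass -noprompt
    if ($LASTEXITCODE -ne 0) { throw 'keytool -importcert failed' }

    $certDump = & keytool -list -v -alias $Alias -keystore $Keystore -storepass $StorePass
    if (-not (Test-SanNames -Lines $certDump -Expected $SanHosts)) { throw 'Issued cert SAN incomplete' }
}
```

Copying the resulting JKS to every node, as the linked article does, means all nodes share one private key; keep the file's ACL restricted to the Tomcat service account and treat a compromise of any node as a compromise of the cert. If a backend is only ever reached via the load balancer, the hostname the balancer is configured to verify is the one that must appear in the SAN.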