Moving over to internal SSL to replace built in CA on multiple WinSvr boxes
Posted on 07-03-2023 10:51 AM
Hi All,
So we are moving away to sign our own Tomcat boxes that run Windows behind a load balancer rather than Linux, so sorting out the new internal certs to take over from when the SSL terminates at the balancer.
As it seems the resulting JKS file is just copied over to other servers after following this article: https://learn.jamf.com/bundle/technical-articles/page/Enabling_SSL_on_Tomcat_with_a_Public_Certifica...
I have only ever done signing for IIS and Windows boxes. There seems to be no way of specifying the multi SAN, i.e. the servers themselves as well as the main URL that I specify. Is this not needed for Tomcat certs? I always assumed you needed to list the local servers, or, because we have an external cert terminating at the load balancer with the same domain URL, do we just need the URL domain only on the local cert to continue the 'journey'?
Sorry for the word 'soup'.
Posted on 07-10-2023 05:20 AM
OK, so to confirm what I found: I now understand a lot of CAs can take extra 'SAN' addresses when applying, but just in case, with keytool in Java 7 and upwards (I reckon most guides are written for v6 or lower) you can augment the keystore creation AND the cert request command with '-ext' after the alias, for example:
-ext SAN="dns:url1,dns:server2_fqdn,dns:server2_fqdn"
Shame it took me so long to find the answer...
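A worked version of the keytool sequence described in the post above, added here as an example and not the poster's own commands. It builds the SAN list from any number of hostnames (public name first, then the node FQDNs), passes the same list to both the key pair and the CSR, and then shows which SANs actually landed in the request and in the keystore; the keystore path, alias, password and hostnames are placeholders.

```shell
#!/bin/sh
# Added example (not the poster's commands). Requires keytool from Java 7 or
# later, which is where the -ext SAN option became available.
# Placeholders: keystore path, alias, store password and the hostnames.

# Build the value for -ext from a list of hostnames: SAN=dns:a,dns:b,...
# The first argument is the public name (used as CN); the rest are node FQDNs.
build_san() {
  san=""
  for host in "$@"; do
    san="${san:+$san,}dns:$host"
  done
  printf 'SAN=%s\n' "$san"
}

# Create the key pair and the CSR, passing the same SAN list to both, so the
# self-signed placeholder cert in the keystore and the request sent to the CA
# agree on the names.
gen_keystore_and_csr() {
  ks=$1
  alias=$2
  storepass=$3
  shift 3
  san=$(build_san "$@")
  keytool -genkeypair -keystore "$ks" -alias "$alias" -keyalg RSA -keysize 2048 \
    -validity 365 -storepass "$storepass" -keypass "$storepass" \
    -dname "CN=$1" -ext "$san"
  keytool -certreq -keystore "$ks" -alias "$alias" -storepass "$storepass" \
    -file "$alias.csr" -ext "$san"
}

# Show the SANs in the CSR and in the keystore certificate. Run the second
# check again after importing the CA-signed chain: a CA may drop or rewrite
# requested SANs, so the issued cert is what the Tomcat nodes will present.
show_san() {
  ks=$1
  alias=$2
  storepass=$3
  keytool -printcertreq -v -file "$alias.csr" | grep -A 4 SubjectAlternativeName
  keytool -list -v -keystore "$ks" -alias "$alias" -storepass "$storepass" \
    | grep -A 4 SubjectAlternativeName
}

# Usage with placeholder names:
# gen_keystore_and_csr tomcat.jks tomcat changeit jss.example.com tc01.example.com tc02.example.com
# show_san tomcat.jks tomcat changeit
```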