https://bz.apache.org/bugzilla/show_bug.cgi?id=57108
--- Comment #10 from Unlogic <[email protected]> ---

Well, this is a bit tricky because there are two sides to this coin.

In some cases you have wildcard certificates or subject alternative name certificates that cover lots of domains. In those cases the current connector based approach works fine.

But if you turn things around and have, let's say, 50 domains all with their own host and certificate and maybe even a few aliases for some hosts that in turn also require separate certificates. In that case the host based approach would make things simpler since you can put everything inside the hosts element.

A trade-off between the two solutions could be to define the keystores using a separate element in the config like when you define a connection pool. And then make it possible for both the connectors, hosts and aliases to refer back to the defined keystores depending on the use case.

Here's an example:

<Keystore name="firstKeystore" truststoreFile="..." (and other truststore attributes) keystoreFile="..." (and other keystore attributes) [other allowed configuration attributes]>

<Keystore name="secondKeystore" truststoreFile="..." (and other truststore attributes) keystoreFile="..." (and other keystore attributes) [other allowed configuration attributes]>

<Keystore name="thirdKeystore" truststoreFile="..." (and other truststore attributes) keystoreFile="..." (and other keystore attributes) [other allowed configuration attributes]>

<Connector ... />
    (a generic https connector not bound to any particular keystore that instead looks up the keystore based on the host/alias)

<Connector keystoreRef="firstKeystore" ... />
    (a https connector bound to the specified keystore like current Tomcat versions)

<Host name="hostone.com"... />
    (a host not bound to any particular keystore)

<Host name="hosttwo.net" keystoreRef="secondKeystore" ... />

<Host name="hostthree.net" keystoreRef="secondKeystore" ...>
    <Alias keystoreRef="thirdKeystore">foo.com</Alias>
    <Alias keystoreRef="firstKeystore">boo.com</Alias>
    <Alias>moo.com</Alias>
</Host>

I hope that my example makes sense. It would make the keystore/certificate configuration a bit more flexible and support "both sides of the coin".
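The lookup that the proposed layout implies, sketched as an added example (not part of the original comment and not Tomcat code). The well-formed sample config, the `load` and `resolve` helpers, the fallback order, and the choice to return no keystore for an unbound name are all assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample following the layout proposed in the comment;
# the <Server> wrapper, ports and file names are placeholders.
SAMPLE = """
<Server>
  <Keystore name="firstKeystore" keystoreFile="first.jks"/>
  <Keystore name="secondKeystore" keystoreFile="second.jks"/>
  <Keystore name="thirdKeystore" keystoreFile="third.jks"/>
  <Connector port="8443"/>
  <Connector port="9443" keystoreRef="firstKeystore"/>
  <Host name="hostone.com"/>
  <Host name="hosttwo.net" keystoreRef="secondKeystore"/>
  <Host name="hostthree.net" keystoreRef="secondKeystore">
    <Alias keystoreRef="thirdKeystore">foo.com</Alias>
    <Alias keystoreRef="firstKeystore">boo.com</Alias>
    <Alias>moo.com</Alias>
  </Host>
</Server>
"""

def load(xml_text):
    """Return (defined keystore names, {server name: keystoreRef or None})."""
    root = ET.fromstring(xml_text)
    stores = {k.get("name") for k in root.iter("Keystore")}
    names = {}
    for host in root.iter("Host"):
        host_ref = host.get("keystoreRef")
        names[host.get("name").lower()] = host_ref
        for alias in host.iter("Alias"):
            # Assumption: an alias without its own keystoreRef inherits the host's.
            names[alias.text.strip().lower()] = alias.get("keystoreRef") or host_ref
    # Reject dangling references at load time instead of at handshake time.
    for name, ref in names.items():
        if ref is not None and ref not in stores:
            raise ValueError(f"{name}: undefined keystore {ref!r}")
    return stores, names

def resolve(names, sni_name, connector_ref=None):
    """Pick the keystore for a TLS server name; None means refuse the handshake."""
    # Assumption: a connector-level keystoreRef wins, as with connector-bound setups.
    if connector_ref is not None:
        return connector_ref
    # Generic connector: look up by host/alias; unknown or unbound names
    # get no certificate instead of some other host's certificate.
    return names.get(sni_name.lower())
```

On a generic connector, `hostone.com` resolves to no keystore in this sketch, which is the case a real design would have to settle: refuse the handshake or define an explicit default.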
