How can I have multiple SSL certificates for a Java server

Question

I have an in-house HTTP server written in Java; full source code at my disposal. The HTTP server can configure any number of web sites, each of which will have a separate li

Answer 1

I recently ran into a similar situation. I have a custom embedded Java web server that can host any number of websites. Each website has its own domain name. Each website/domain is assigned a unique IP address on the server. A socket listener is created for each IP address on port 80.

For sites that have SSL certificates, I imported the keys and certificates into a single KeyStore. I assigned a certificate alias for each domain's SSL Certificates to match the domain name. Each domain/website that has an SSL Certificate is assigned a new socket listener on port 443.

By default, the standard Java X509KeyManager and the SunX509 implementation will pick the first aliases it finds for which there is a private key and a key of the right type for the chosen cipher suite (typically RSA). Unfortunately, the selected alias does not necessarily correspond to the requested domain so you end up with certificate errors.

To circumvent this issue, I used ZZ Coder's suggestion and implemented a custom X509KeyManager. Actually, for my server, I needed a X509ExtendedKeyManager which has an extra chooseEngineServerAlias() method.

My custom KeyManager relies on a hashmap of hostnames and their corresponding IP addresses. When a new SSL request is made, it checks the incoming IP address and finds the corresponding hostname. Then, it tries to find an alias in the keystore that corresponds to the hostname.

private class MyKeyManager extends X509ExtendedKeyManager implements X509KeyManager {
    private KeyStore keyStore;
    private char[] password;
    private java.util.HashMap hosts;

    public MyKeyManager(KeyStore keystore, char[] password, java.util.HashMap hosts) 
    throws IOException, GeneralSecurityException {
        this.keyStore = keystore;
        this.password = password;
        this.hosts = hosts;
    }

    public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
        try{
            return hosts.get(InetAddress.getByName(engine.getPeerHost()));
        }
        catch(Exception e){
            return null;
        }
    }

    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return hosts.get(socket.getLocalAddress());
    }

    public PrivateKey getPrivateKey(String alias) {
        try {
            return (PrivateKey) keyStore.getKey(alias, password);
        } 
        catch (Exception e) {
            return null;
        }
    }

    public X509Certificate[] getCertificateChain(String alias) {
        try {
            java.security.cert.Certificate[] certs = keyStore.getCertificateChain(alias);
            if (certs == null || certs.length == 0) return null;
            X509Certificate[] x509 = new X509Certificate[certs.length];
            for (int i = 0; i < certs.length; i++){
                x509[i] = (X509Certificate)certs[i];
            }
            return x509;
        } 
        catch (Exception e) {
            e.printStackTrace();
            return null;
        }          
    }

    public String[] getServerAliases(String keyType, Principal[] issuers) {
        throw new UnsupportedOperationException("Method getServerAliases() not yet implemented.");
    }

    public String[] getClientAliases(String keyType, Principal[] issuers) {
        throw new UnsupportedOperationException("Method getClientAliases() not yet implemented.");
    }

    public String chooseClientAlias(String keyTypes[], Principal[] issuers, Socket socket) {
        throw new UnsupportedOperationException("Method chooseClientAlias() not yet implemented.");
    }

    public String chooseEngineClientAlias(String[] strings, Principal[] prncpls, SSLEngine ssle) {
        throw new UnsupportedOperationException("Method chooseEngineClientAlias() not yet implemented.");
    }        
}

The custom KeyManager is used initialize an SSLContext. The cool thing is that you only need to initialize one SSLContext.

javax.net.ssl.KeyManager[] kms = new javax.net.ssl.KeyManager[]{
     new MyKeyManager(keystore, keypass, hosts)
};
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(keystore);
javax.net.ssl.TrustManager[] tms = tmf.getTrustManagers();
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kms, tms, null);

UPDATE

I ran into a situation where the engine.getPeerHost() wasn't working as expected so I had to refactor the chooseEngineServerAlias() method to rely on SNI instead.

public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine) {
    if (alias!=null) return alias;
    else{
        try{

          //Get hostname from SSL handshake
            ExtendedSSLSession session = (ExtendedSSLSession) engine.getHandshakeSession();
            String hostname = null;
            for (SNIServerName name : session.getRequestedServerNames()) {
                if (name.getType() == StandardConstants.SNI_HOST_NAME) {
                    hostname = ((SNIHostName) name).getAsciiName();
                    break;
                }
            }


            String[] arr = hostname.split("\\.");
            hostname = arr[arr.length-2] + "." + arr[arr.length-1];
            return aliases.get(InetAddress.getByName(hostname));
        }
        catch(Exception e){
            return null;
        }
    }
}