
Does ssl certificate need to be installed with IP of tomcat


I have an SSL certificate installed on an AWS load balancer (app1.company.com) and one instance with Tomcat resides behind the LB.

If I open https://app1.company.com:8443/ I can see the connection is secure (valid lock in the URL bar). If I open it with the private IP of Tomcat I see the "connection is not secure" sign.

I'm aware certificates usually only bind to a domain (or are only supposed to). And no one is going to use the IP to reach the application except maybe the team that maintains the application. Now that I need to renew the certificate I am wondering if I should also install it in the Tomcat keystore which is specified in $TOMCAT_HOME/conf/server.xml:

        <Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/home/ec2-user/tomcat.keystore" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"/>

Right now this file does not have the imported certificate for app1.company.com (because that is installed on the load balancer). Would it suffice to simply replace the new certificate in the AWS load balancer and leave the Tomcat keystore as it is?
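As an added example (not code from the original post), the following Python mirrors the name check a browser applies to a certificate's subjectAltName list, which is why the load-balancer name gets a valid lock while the instance's private IP does not: an IP target only matches an "IP Address" SAN, never a "DNS" one. The SAN values and the 10.0.1.23 address are constructed placeholders.

```python
"""Browser-style subjectAltName matching (added example, not from the post)."""
import ipaddress


def dns_label_match(pattern, host):
    """RFC 6125-style DNS match: '*' is only allowed as the whole left-most
    label and matches exactly one label (so *.company.com does not match
    a.b.company.com). Comparison is case-insensitive."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == pattern[2:]


def target_kind(target):
    """What the client typed in the URL bar: an IP literal or a DNS name."""
    try:
        ipaddress.ip_address(target)
        return "IP Address"
    except ValueError:
        return "DNS"


def cert_matches(target, sans):
    """sans: list of (type, value) pairs in the shape ssl.getpeercert()
    returns under 'subjectAltName'. Returns True if the certificate would
    be accepted for `target`; only SANs of the same kind are considered."""
    kind = target_kind(target)
    for san_type, value in sans:
        if san_type != kind:
            continue
        if kind == "IP Address":
            if ipaddress.ip_address(value) == ipaddress.ip_address(target):
                return True
        elif dns_label_match(value, target):
            return True
    return False


# Constructed scenario: the LB certificate names only the public hostname.
LB_CERT_SANS = [("DNS", "app1.company.com")]
PRIVATE_IP = "10.0.1.23"  # placeholder for the Tomcat instance address

if __name__ == "__main__":
    for target in ("app1.company.com", PRIVATE_IP):
        print(target, "->", "trusted" if cert_matches(target, LB_CERT_SANS)
              else "name mismatch (browser shows not secure)")
```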

Tim

I suggest you block direct access to the server as that's a back door into the server and a DDoS attack. I would do this by putting the Tomcat instance into a private subnet. If you must have it in a public subnet I would ensure only a few things can reach it - the ALB (using the VPC CIDR range is easiest) and specified IPs. If it's private you can use AWS Session Manager to access the server from the AWS console.

Your ALB can use ACM (AWS Certificate Manager) which issues and renews certificates free. The only reason I can think to use another registrar is if you need extended validation certificates or some other feature. ACM certificates can only be used on load balancers and in CloudFront, not on your own server.

You could put a certificate onto the instance, but I'm not sure it's worth the bother.

Rohini

So it isn't necessary to import the new certificate into the machine's keystore, right? The IP is private and within a VPC and we're using ALB. ACM sounds like a good option. Will check it.
Tim

The method for installing a certificate varies between software. I've installed certificates on Nginx and the files are just put onto the file system and referenced. I don't know how Tomcat works.