Multiple SSL certificates in Glassfish

Let's say you have a running Glassfish server with a single domain name and a single SSL certificate. You upload your SSL certificate to Glassfish and all is fine.

However, now let's say you have several web sites on your Glassfish, and for each of them you wish to use a different SSL certificate. This makes sense, since each could be a separate domain-validated certificate. This is where things get a bit more complicated.

Because Glassfish only lets you bind an SSL certificate to a network listener, you may be tempted to say 'well, just create additional listeners'. That does not work: only one listener can bind a given port on a given IP at a time, and web browsers expect SSL on the default port 443.

You could create additional listeners on different IPs, but dedicating an IP to each web site is costly and overkill. This is where SNI comes in handy.

SNI (Server Name Indication) is an extension to the TLS protocol; Wikipedia has a good article on it. In short, the client sends the hostname it wants during the TLS handshake, which allows a server to serve multiple SSL certificates from a single IP address.

The thing is, at the time of writing (May 2016), Glassfish still has limited support for SNI. We are using Glassfish 4.1.1 and it is not there. As Hazrul wrote back in 2013 in his excellent article 'Glassfish can not do SSL for multiple virtual hosts', Glassfish SNI support was expected for the Java 8 based GF release.

GF 4.1.1 now recommends Java 8, presumably to leverage Java 8 functionality. But it still shows no sign of multiple SSL certificate handling. Perhaps it has simply been forgotten because the feature was not considered a priority. In any case, keeping GF up to date is a huge amount of work, and Glassfish is really a great server.

Hopefully this Glassfish SNI issue will change in future versions. For now, a proper workaround is to set up an SNI-capable web server in front of GF. This brings additional benefits: GF is not exposed directly to the world, static content is served faster, and various features are easier to implement.

The detailed procedure for fronting GF with Apache, which allows multiple SSL certificates for your Glassfish web sites, is available here.
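To illustrate what the SNI-based front end described above looks like, here is an added Apache 2.4 configuration (example written for this page, not the post's own procedure or anything shipped with Glassfish). It assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are enabled, that the two hostnames, certificate paths and the GlassFish HTTP port are placeholders, and that GlassFish's plain HTTP listener is reachable on localhost. Apache picks the virtual host, and therefore the certificate, from the hostname the client sends in the SNI extension, so both sites share one IP and port 443.

```apache
# Added example, not from the original post: Apache in front of GlassFish,
# one certificate per hostname selected via SNI on a single IP.
# Hostnames, file paths and the GlassFish port below are assumed placeholders.

Listen 443

# TLS settings shared by every SSL virtual host below.
# Disable legacy protocol versions; adjust if you must support older clients.
SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder on

# Reject clients that send no SNI instead of silently serving them the
# first virtual host's certificate (the one for site-one.example).
SSLStrictSNIVHostCheck on

<VirtualHost *:443>
    ServerName site-one.example

    SSLEngine on
    # With Apache 2.4.8+ the intermediate chain can be appended to this file.
    SSLCertificateFile    /etc/ssl/certs/site-one.example.crt
    SSLCertificateKeyFile /etc/ssl/private/site-one.example.key

    # Forward the original Host header so GlassFish can match its own
    # virtual server for this site; GlassFish itself stays on plain HTTP.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Tell the application the client connection was HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

<VirtualHost *:443>
    ServerName site-two.example

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/site-two.example.crt
    SSLCertificateKeyFile /etc/ssl/private/site-two.example.key

    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

Two practical points. First, since GlassFish now only needs its HTTP listener, bind that listener's address to 127.0.0.1 (or firewall it) so the application server is reachable only through Apache, which is the "not exposing GF to the world" benefit mentioned above. Second, after `apachectl configtest` and a reload, check that each hostname really gets its own certificate with `openssl s_client -connect your.server.ip:443 -servername site-two.example` and compare the subject of the certificate printed with the one you get for `-servername site-one.example`; if both show the same subject, SNI is not being honoured (typically an unloaded mod_ssl, an OpenSSL build without SNI, or a `ServerName` that does not match the hostname the client sends).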

Last, you could perhaps use IPv6 and multiple network listeners. This would have to be tried. However, adding an SSL certificate to the GF keystore/cacerts for each such listener could be cumbersome, and your domain.xml file could end up huge. Think of it with thousands of sites, or even just hundreds.

For all the above reasons, and for performance, fronting GF with a web server seems the best approach.