For a web application that allows users to create business websites and bind their own domains: all the domains will be mapped to the same IP address, and one port is used for all, for example https://mydomain1.com, https://mydomain2.com, https://mydomain3.com. The number of domains is unlimited. Each user should be able to upload an SSL certificate for his/her own domain, and the certificate can be stored in a database or file system. Many users are using the web application at the same time, and thus a server restart is not acceptable. Tomcat9 could provide an SSL provider interface like getCertificate(domain); how to get the certificate is up to the provider implementation. SSL should be configured dynamically at run time without a server restart.
Tomcat doesn't want to get into the details of where the meta-data is stored. It is already possible to add virtual hosts dynamically. What isn't currently possible is adding an SSLHostConfig to an Endpoint. That doesn't look too tricky. I'll take a look.
Adding TLS virtual hosts (or in implementation terms SSLHostConfigs to an Endpoint) dynamically will be supported in 9.0.0.M9 and 8.5.4 onwards.
From the following example from the Tomcat9 migration guide:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150" SSLEnabled="true"
               defaultSSLHostConfigName="openoffice.apache.org">
        <SSLHostConfig hostName="openoffice.apache.org">
            <Certificate certificateKeyFile="conf/openoffice.apache.org-rsa-key.pem"
                         certificateFile="conf/openoffice.apache.org-rsa-cert.pem"
                         type="RSA" />
            <Certificate certificateKeyFile="conf/openoffice.apache.org-ec-key.pem"
                         certificateFile="conf/openoffice.apache.org-ec-cert.pem"
                         type="EC" />
        </SSLHostConfig>
        <SSLHostConfig hostName="www.openoffice.org">
            <Certificate certificateKeyFile="conf/www.openoffice.org-rsa-key.pem"
                         certificateFile="conf/www.openoffice.org-rsa-cert.pem"
                         type="RSA" />
            <Certificate certificateKeyFile="conf/www.openoffice.org-ec-key.pem"
                         certificateFile="conf/www.openoffice.org-ec-cert.pem"
                         type="EC" />
        </SSLHostConfig>
    </Connector>

Does it require a server restart after adding a new domain and its certificate? Can it be scaled to thousands of domains? The use case is that a web app allows users (thousands or millions) to bind their own domains and upload SSL certificates. Can Tomcat9 handle the use case? Thanks.
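A runtime counterpart to the server.xml fragment above, added here as an example and not code from the Tomcat project or from the people in this thread: it adds one SSLHostConfig with an RSA PEM key pair to a running Connector through the public Connector/SSLHostConfig API that the dynamic-host support described in this thread exposes. It assumes the application holds a reference to its HTTPS Connector (for example from an embedded Tomcat instance) and has already written the user's uploaded key and certificate to PEM files; the class and method names DynamicTlsHosts, bindDomain and certificateCovers are mine.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public final class DynamicTlsHosts {
    /** Adds a TLS virtual host for domain to a running HTTPS Connector; no restart involved. */
    public static void bindDomain(Connector connector, String domain, Path keyPem, Path certPem)
            throws IOException, CertificateException {
        String host = domain.toLowerCase(Locale.ROOT);
        // Refuse an uploaded certificate that does not name the domain being bound;
        // installing it would only hand that customer's visitors a TLS error.
        if (!certificateCovers(certPem, host)) throw new CertificateException("certificate does not cover " + host);
        // Tomcat rejects a second SSLHostConfig with the same hostName, so look for one first.
        for (SSLHostConfig existing : connector.findSslHostConfigs()) {
            if (host.equals(existing.getHostName())) throw new IllegalStateException(host + " already configured");
        }
        SSLHostConfig sslHostConfig = new SSLHostConfig();
        sslHostConfig.setHostName(host);
        // Same attributes as the <Certificate ... type="RSA"/> element in the XML above.
        SSLHostConfigCertificate cert = new SSLHostConfigCertificate(sslHostConfig, SSLHostConfigCertificate.Type.RSA);
        cert.setCertificateKeyFile(keyPem.toString());
        cert.setCertificateFile(certPem.toString());
        sslHostConfig.addCertificate(cert);
        // The live endpoint loads the key pair now; SNI selects this host on the next handshake.
        // A key that does not match the certificate surfaces here as an exception, not later.
        connector.addSslHostConfig(sslHostConfig);
    }

    /** True if the PEM certificate carries a dNSName SAN equal to host (wildcards not handled here). */
    static boolean certificateCovers(Path certPem, String host) throws IOException, CertificateException {
        try (InputStream in = Files.newInputStream(certPem)) {
            X509Certificate x509 = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            Collection<List<?>> sans = x509.getSubjectAlternativeNames();
            if (sans == null) return false;
            for (List<?> san : sans) {   // each entry is [type, value]; GeneralName type 2 is dNSName
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase((String) san.get(1))) return true;
            }
            return false;
        }
    }
}
```

Because the certificate and key are read from the paths at add time, the upload handler should write them to a directory only the Tomcat process can read, and the duplicate check above is what keeps a second upload for an already-bound name from failing inside Tomcat.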