This is a quick example demonstrating how to use Java 8's server-side SNI support in Netty.

SniKeyManager is a key manager which wraps around the default key manager. It forwards most methods to the default key manager. However, it implements its own logic for the chooseEngineServerAlias() method - using SNI to pick which certificate to use.

I've included an example key store with two self-signed certificates for test1.example.com and test2.example.com.

You can use openssl s_client to check it works:

$ openssl s_client -connect localhost:8443 -servername test1.example.com 2>&1 | grep "subject="
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=test1.example.com

$ openssl s_client -connect localhost:8443 -servername test2.example.com 2>&1 | grep "subject="
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=test2.example.com

If an unknown hostname is given, it falls back to test1.example.com:

$ openssl s_client -connect localhost:8443 -servername unknown.example.com 2>&1 | grep "subject="
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=test1.example.com

If the client does not support SNI, it also falls back to test1.example.com:

$ openssl s_client -connect localhost:8443 2>&1 | grep "subject="
subject=/C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=test1.example.com