tomcat-users mailing list archives

From "Bill Barker" <billwbar...@verizon.net>
Subject Re: JSSE question
Date Wed, 09 Dec 2009 02:45:22 GMT

"Christopher Schultz" <chris@christopherschultz.net> wrote in message 
news:4B1ECBA6.1030509@christopherschultz.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Vadim,
>
> On 12/7/2009 1:25 PM, Vadim Letitchevski wrote:
>> openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey 
>> /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat -CAfile 
>> /etc/pki/tls/cacert.pem -caname root -chain
>>
>> I have used the password changeit.
>
> Note that you have created a certificate in PKCS12 format, not a keystore.
> You now need to take the next step in the SSL HOWTO, which is to use the
> Java 'keytool' utility to create a keystore.
>

Yes, the documentation in the SSL HOWTO is somewhat confusing :(.  There are 
actually two separate examples there (one for PKCS12 and one for JKS), but 
it isn't very clear from reading the doc where one ends and the other 
begins.  For PKCS12 you are done after creating the .p12 file (except for 
the undocumented part about adding the keystoreType to the <Connector />).

If anybody wants to take a crack at cleaning this up (with bonus points for 
adding a PKCS11 example), patches are always welcome.

>> Next I have edited server.xml to have these strings:
>>
>>     <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
>>     <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
>>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>
> If you are going to use the PKCS12 (.p12) format, you will probably have
> to set keystoreType="PKCS12". Check the documentation for the
> SSL-specific <Connector> attributes again.
>
>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>                enableLookups="false" disableUploadTimeout="true"
>>                scheme="https" secure="true"
>>                clientAuth="false" sslProtocol="TLS" />
>>
>>     <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
>>     <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
>>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>>                truststoreFile="conf/mycert.p12" truststorePass="changeit"
>
> Although I don't think it will hurt to have both, your keystore and
> truststore aren't the same thing. Check the documentation for these two
> attributes. Again, you may need to use truststoreType="PKCS12" if you
> want to use your .p12 file.
>
> Hope that helps,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAksey6YACgkQ9CaO5/Lv0PBwWQCgj6T+m87bL49GXvON7dzIaklo
> S74AnRnYM6IIuo8pMQe/bDAaSbwocXzg
> =k45M
> -----END PGP SIGNATURE----- 
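The two points made above (a .p12 must be opened with the PKCS12 store type, and the keystore and the truststore are different objects) can be checked outside Tomcat with plain JSSE calls. The following is an added example written for this archive page, not code from the thread or from Tomcat itself. It assumes the file and password from the thread (conf/mycert.p12, changeit, alias tomcat) and writes a hypothetical conf/truststore.jks; the paths, the "root" alias and the JKS choice for the truststore are assumptions, not anything the thread prescribes.

```java
// Added example (not from the thread or from Tomcat): open the .p12 the way
// Tomcat's JSSE connector does when keystoreType="PKCS12", verify the server
// key entry, and build a separate truststore holding only the CA certificate.
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

public class CheckP12 {

    /** Load a keystore with an explicit type; a .p12 must be opened as "PKCS12". */
    static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values; they mirror the openssl command quoted in the thread.
        String p12 = args.length > 0 ? args[0] : "conf/mycert.p12";
        char[] pass = "changeit".toCharArray();
        String alias = "tomcat";   // the -name given to openssl pkcs12 -export

        // Opening the file with the wrong type (e.g. "JKS") fails to load on the
        // JDKs of the era, which is exactly what Tomcat does without keystoreType.
        KeyStore ks = load(p12, "PKCS12", pass);

        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("alias '" + alias + "' is not a private-key entry; "
                + "check the -name passed to openssl pkcs12 -export");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        System.out.println("Chain for '" + alias + "' has " + chain.length + " certificate(s):");
        for (Certificate c : chain) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("  " + x.getSubjectX500Principal()
                + "  issued by  " + x.getIssuerX500Principal());
            x.checkValidity();   // throws if expired or not yet valid
        }

        // The truststore is a different thing: it lists the CA(s) whose client
        // certificates you accept on the clientAuth connector. It must not be the
        // file that holds your private key. Take the last certificate of the
        // chain (the root, if openssl's -chain found it) as the trusted entry.
        X509Certificate ca = (X509Certificate) chain[chain.length - 1];
        boolean selfSigned = ca.getSubjectX500Principal().equals(ca.getIssuerX500Principal());
        if (chain.length == 1 || !selfSigned) {
            System.out.println("WARNING: chain does not end in a self-signed CA; "
                + "-chain probably did not find cacert.pem. Import the CA explicitly.");
        }

        // JKS is used here (assumption) so the truststore works on any JDK and so
        // the connector needs truststoreType="JKS" alongside keystoreType="PKCS12".
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null);                 // start an empty store
        ts.setCertificateEntry("root", ca);  // trusted-cert entry, no private key
        try (OutputStream out = new FileOutputStream("conf/truststore.jks")) {
            ts.store(out, pass);
        }
        System.out.println("Wrote conf/truststore.jks with trusted entry 'root': "
            + ca.getSubjectX500Principal());
    }
}
```

Run it from the Tomcat base directory (java CheckP12 conf/mycert.p12). If it succeeds, the mutual-auth connector from the thread would then carry keystoreFile="conf/mycert.p12" keystoreType="PKCS12" keystorePass="changeit" together with truststoreFile="conf/truststore.jks" truststoreType="JKS" truststorePass="changeit" and clientAuth="true"; the server-auth connector on 8442 needs only the three keystore attributes. Setting truststoreType explicitly avoids relying on whatever default the connector picks when the two stores have different formats.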
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org