tomcat-users mailing list archives

From Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com>
Subject Re: How to configure certificate file (*.cer) in Tomcat 6
Date Mon, 30 Jan 2012 11:36:48 GMT
Geet,

Bottom-posting style is standard on this list 
(http://en.wikipedia.org/wiki/Posting_style#Bottom-posting).


On 30.1.2012 5:42, Geet Chandra wrote:
> - The customer has got a very secure environment... they don't want to use the
> *.keystore being shipped
> with a particular product.

Uhm... lots of questions here:

1. By "*.keystore", do you mean keystore or truststore? Do you 
understand the difference between them?

2. Is your customer aware that there is no essential difference in terms 
of security between JSSE and OpenSSL security implementations?

3. Do you plan to use client authentication via HTTPS or not? You are 
mentioning truststoreFile later.

4. Is your server certificate self-signed or signed by a trusted CA? If 
you don't use client authentication using HTTPS, and your server is 
signed by a trusted CA, perhaps there is no need to ship a certificate with 
your application.


> Is it possible to configure like this
>
> <Connector port="8446" maxHttpHeaderSize="8192"
> protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
>                 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                 enableLookups="false" disableUploadTimeout="true"
>                 acceptCount="100" scheme="https" secure="true"
>                 clientAuth="want" sslProtocol="TLS"
>                 keystoreFile="c:/tomcat.keystore"
>                 truststoreFile ="C:/user.cer"
>               />
>       @END_ENABLESTANDALONEHTTPS@-->

No.

Parameters keystoreFile and truststoreFile are to be used with Java 
keystores. For .cer files (OpenSSL) you must use the APR connector and SSL* 
attributes. See:

http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS

-Ognjen

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
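
As an added example (not part of the original message or of Tomcat's shipped configuration), these are the two valid forms of what the quoted connector attempts: keep the JSSE connector and point truststoreFile at a Java truststore built from the .cer, or switch to the APR connector and its SSL* attributes. All file paths, the alias and the passwords are placeholders, and only one of the two connectors would be enabled on a given port.

```xml
<!-- Option A: JSSE connector. truststoreFile must be a Java keystore,
     so the client CA certificate is imported into one first, e.g.:
       keytool -importcert -alias clientca -file C:/user.cer -keystore C:/truststore.jks
     (alias, paths and passwords here are placeholders) -->
<Connector port="8446" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" enableLookups="false" acceptCount="100"
           clientAuth="want" sslProtocol="TLS"
           keystoreFile="c:/tomcat.keystore"
           keystorePass="PLACEHOLDER_KEYSTORE_PASSWORD"
           truststoreFile="C:/truststore.jks"
           truststorePass="PLACEHOLDER_TRUSTSTORE_PASSWORD" />

<!-- Option B: APR connector. Needs the APR/native library and takes
     PEM-encoded files through the SSL* attributes instead of keystores.
     SSLVerifyClient="optional" is the counterpart of clientAuth="want";
     use "require" to reject clients that present no certificate.
     A DER-encoded .cer has to be converted to PEM before OpenSSL can read it. -->
<Connector port="8446" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           maxThreads="150" enableLookups="false" acceptCount="100"
           SSLCertificateFile="C:/placeholder/server.crt"
           SSLCertificateKeyFile="C:/placeholder/server.key"
           SSLCACertificateFile="C:/user.cer"
           SSLVerifyClient="optional" />
```

With either option, the private key file or keystore should be readable only by the account that runs Tomcat.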

