tomcat-users mailing list archives

From Jeffrey Janner <Jeffrey.Jan...@PolyDyne.com>
Subject RE: Secure Tomcat With SSL
Date Mon, 28 Oct 2013 20:24:50 GMT
> -----Original Message-----
> From: Chris Arnold [mailto:carnold@electrichendrix.com]
> Sent: Saturday, October 26, 2013 7:47 PM
> To: Tomcat Users List
> Subject: Re: Secure Tomcat With SSL
> 
> >>Chris,
> 
> On 26.10.2013 23:39, Chris Arnold wrote:
> > Tomcat 7.0.42 on SLES11. I am following
> > http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration to
> > secure tomcat. I have uncommented the SSL HTTP section. The
> > configuration section of that doc, importing the certificate: I have a
> > GoDaddy bundle in crt format. I can download the cert bundle from
> > GoDaddy for tomcat but it also is a crt file. Do I have to run this exact
> > command:
> >
> > openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
> >                          -out mycert.p12 -name tomcat -CAfile myCA.crt \
> >                          -caname root -chain
> 
> >>It looks ok to me. Does it work for you?
> 
> It doesn't look like it will work as I do not have a CA file.
> 
> >>It will create PKCS#12 keystore file (mycert.p12), so you may:
> 
> >>1. add parameter keystoreType="pkcs12" to your HTTPS connector, and
> >>use that file, or
> >>2. convert PKCS#12 keystore to Java Keystore format,
> >>and use default keystore type (JKS).
> 
> >>This is both possible, only if you plan to use either BIO or NIO HTTP
> >>connector. If you plan to use APR, connector configuration is
> >>completely different.
> 
> Not sure what either of these are. I just need secure tomcat
> 

Chris,

If it turns out you are using APR, when you export your signed certificate and CA-bundles,
just specify that you want them for "apache" not "tomcat". Then you can reference the files
directly in the server.xml.

If you are using the Java-based connectors, you should ask for "tomcat" signed certificates,
and I think you have to somehow combine them for use in the keystore (it's been a long time
since I did that, I'm APR only).

In other words, when you request a cert signed for "tomcat" at GoDaddy, it really means a
Java keystore compatible certificate. When you select "apache" it really means an OpenSSL
compatible certificate.
Jeff
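
Added example, not part of the original message or of the Tomcat documentation: the two server.xml connector styles the thread contrasts, for Tomcat 7. The file names mycert.p12, mycert.crt and mykey.key come from the quoted openssl command; the directory, the chain bundle name and the password are placeholders.

```xml
<!-- Goes inside <Service> in conf/server.xml. Enable only ONE of the two
     connectors below; both bind port 8443. All paths are placeholders. -->

<!-- Option A: Java (JSSE) connector, BIO or NIO.
     Reads the certificate, private key and chain from a keystore.
     keystoreType="PKCS12" lets Tomcat use the mycert.p12 file produced by
     "openssl pkcs12 -export" directly, with no conversion to JKS.
     keystorePass is the export password chosen when the .p12 was created. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/path/to/mycert.p12"
           keystoreType="PKCS12"
           keystorePass="REPLACE_WITH_EXPORT_PASSWORD"
           clientAuth="false" sslProtocol="TLS" />

<!-- Option B: APR/native connector (requires the Tomcat Native library).
     Uses OpenSSL, so it references the PEM files directly, the same files
     an Apache httpd installation would use. No keystore is involved.
     The key file is read as-is: keep it readable only by the account
     Tomcat runs as. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/path/to/mycert.crt"
           SSLCertificateKeyFile="/path/to/mykey.key"
           SSLCertificateChainFile="/path/to/ca-bundle-placeholder.crt" />
```

With Option A the intermediate certificates have to be inside the keystore, which is what the -CAfile and -chain arguments of the quoted openssl command are for; with Option B they are supplied as a separate file through SSLCertificateChainFile.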
