From: Ognjen Blagojevic
To: Tomcat Users List
Subject: Re: Tomcat 6 SSL issue
Date: Mon, 13 Oct 2014 10:55:49 +0200

Baran,

On 10.10.2014 21:06, Baran Topal wrote:
> Then I received 2 files from the certificate authority, abc.com.cer
> and abc.om.p7b

What certificates do those files contain?

> maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100"
> scheme="https" secure="true" SSLEnabled="true"
> clientAuth="false" sslProtocol="TLS"
> keyAlias="server" keystoreFile="/path/to/JKSfile/your_site_name.jks"
> keystorePass="your_keystore_password" />

The maxSpareThreads attribute is not listed in the docs:

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

You could also add the protocol attribute to force the JSSE connector (BIO or NIO), to prevent connector auto-selection.

> To clean the things up, I want to delete my keystore but is it fine if
> I generate the key with another alias, e.g. tomcat as in the tomcat
> documentation?

The private key necessary for encryption is in your keystore. If you delete your private key and generate a new key pair in a new keystore, your signed certificate becomes worthless. You will need to ask your CA (and, possibly, pay) for another certificate.

If you just want to rename the key in the keystore, use "keytool -changealias".

> 2) I have the files, cer and crt (p7b), so is fine or should I need stg extra?

You would need the complete certificate chain in order to set up HTTPS. You need to check whether you have a complete chain in the cer file or not.

> 3) Is the order of import important? first crt then cer?

If you have the complete chain in the cer file, then you will just import the cer file.

> 4) What are the correct import commands? Should I trust tomcat
> documentation or authorities documentation?

In what parts are the two different?
You should use the keytool -importcert command.

-Ognjen
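The checks discussed in this message (what the CA files contain, whether the alias still holds the private key, whether the chain is complete) can be scripted with keytool; this is an added example, not part of the original message or of the Tomcat documentation. The keystore path and the alias `server` come from the quoted connector; the `STOREPASS` environment variable, the function names, and the definition of "complete" as a chain longer than one certificate that ends in a self-signed root are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread. Export STOREPASS before running.

# What does a CA file (.cer or .p7b) contain? One Owner/Issuer pair per cert.
file_certs() {
    keytool -printcert -file "$1" | grep -E '^(Owner|Issuer): '
}

# Verbose listing of one alias; $1 = keystore, $2 = alias.
ks_list() {
    keytool -list -v -keystore "$1" -alias "$2" -storepass:env STOREPASS
}

# PrivateKeyEntry = private key plus chain; trustedCertEntry = bare cert.
entry_type()   { ks_list "$1" "$2" | sed -n 's/^Entry type: //p' | head -n 1; }
chain_length() { ks_list "$1" "$2" | sed -n 's/^Certificate chain length: //p' | head -n 1; }

# True when the last certificate listed is self-signed (Owner == Issuer).
chain_ends_in_root() {
    ks_list "$1" "$2" | awk '
        /^Owner: /  { owner  = substr($0, 8) }
        /^Issuer: / { issuer = substr($0, 9) }
        END { exit !(owner != "" && owner == issuer) }'
}

# Attach the CA reply to the SAME alias that holds the private key.
# $1 = keystore, $2 = alias, $3 = CA reply file.
import_reply() {
    keytool -importcert -trustcacerts -keystore "$1" -alias "$2" \
            -file "$3" -storepass:env STOREPASS
}

# 0 = key with complete chain, 1 = no private key, 2 = chain incomplete.
check_entry() {
    [ "$(entry_type "$1" "$2")" = "PrivateKeyEntry" ] || {
        echo "alias $2: not a PrivateKeyEntry (or keystore unreadable)" >&2
        return 1; }
    len=$(chain_length "$1" "$2")
    if [ "${len:-0}" -gt 1 ] && chain_ends_in_root "$1" "$2"; then
        echo "alias $2: private key present, chain of $len ends in a root"
    else
        echo "alias $2: chain incomplete, import the CA reply" >&2
        return 2
    fi
}

# Usage: STOREPASS=... sh check.sh /path/to/JKSfile/your_site_name.jks server
if [ "$#" -ge 2 ]; then check_entry "$1" "$2"; fi
```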