tomcat-users mailing list archives

From Don Flinn <fl...@alum.mit.edu>
Subject Re: Trying to understand How Tomcat uses Keystore for SSL
Date Tue, 28 Nov 2017 21:55:33 GMT
Chris,

Thanks for the corrections.

> In fact, I think you are using PEM-encoded DER files and not a
> packaged keystore, even though your SSLHostConfig's keystoreType is
> set to "PKCS12".

Yes, I am using PEM files.  Got to read more on DER files.  So do I just
drop the keystoreType="PKCS12"  from the connector?

>I'll have to triple-check, but I believe you can put all certificates
>into a single file like you can do with httpd. Just make sure that
>your server's certificate (leaf) is listed first, then the
>intermediate certificate(s), then the root certificate. Usually you do
>not need to supply the root certificate since most clients should have
>the root certificates available already.

I'll give that a try.

>Use SSL Labs' SSLTest[1] to help make sure you don't have too little
>or too much in your certificate. Too little and your clients will get
>trust errors. Too much and you'll be wasting bandwidth

Will do.

>If there's anything inaccurate on the Tomcat site

No, I was talking about other sites, not the Tomcat site.  I've been
reading all over the internet for that which seems related.  My statement
was a caution to not believe everything you read.  'Trust but verify.'

Your e-mail has been very helpful, not only to me, but I believe to
others.  With respect to the Tomcat site, I think a lot of what you wrote
would be very helpful there.  For example, the Tomcat write-up on SSL
describes how to do self-signed certificates and fleetingly mentions that
if you have a certificate from a CA you could use e.g. openssl, and then
refers the reader to the Java documentation and openssl documentation.
Not too helpful to the security/Tomcat novice.

Thanks for your patience and help.
Don


On Tue, Nov 28, 2017 at 12:59 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Don,
>
> On 11/27/17 10:47 AM, Don Flinn wrote:
> > My previous mail was cryptic.  Below is a fuller explanation of
> > what I did to get things running.
> >
> > First, I'm using Tomcat 9 and the protocol for the Tomcat 8.5 and
> > up has been expanded.  Chris suggested that I use PKCS12 rather
> > than JDK keystore, which I have done.
>
> Actually, at this point, I'd be using the PEM-encoded DER files (just
> like httpd does) instead of a packaged cert/key bundle, just because I
> find those easier to deal with.
>
> > I'm also using the APR configuration.  So the redirected connector that
> > I'm using looks like:
> >
> > <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
> >            port="8443" maxThreads="150" SSLEnabled="true">
> >   <SSLHostConfig keystoreType="PKCS12">
> >     <Certificate certificateKeyFile="C:/users/don/Security/domain.key"
> >                  certificateFile="C:/users/don/Security/domain-chain.crt"
> >                  certificateChainFile="C:/users/don/Security/ICDTrustRoot.crt"
> >                  type="RSA" />
> >   </SSLHostConfig>
> > </Connector>
>
> In fact, I think you are using PEM-encoded DER files and not a
> packaged keystore, even though your SSLHostConfig's keystoreType is
> set to "PKCS12".
>
> > The domain key is the private key I used when getting the
> > certificates from letsencrypt.  The certificate I got from
> > letsencrypt I called domain-chain.crt. Lastly I downloaded the
> > ICDTrustRoot.crt from the letsencrypt at
> > https://letsencrypt.org/certificates.
>
> If you use a tool like certbot-auto (which may or may not be available
> for Windows), all of this is done automatically for you.
>
> > You will notice that I'm using Windows syntax, which is just for
> > the pathname where the certificates live.  You would use a Linux
> > path syntax if you are running Linux.  You need three certificates
> > for letsencrypt: a cert for your domain, one for the intermediate
> > and finally the root certificate.
>
> +1
>
> > What I call domain-chain.crt holds two certificates: my domain
> > certificate and the intermediate.  In order to see what these were
> > I separated them in a text editor and called them domaincert1.crt
> > and domaincert2.crt.  Then I used openssl to see what was
> > in them.  For example:
> >
> > openssl x509 -noout -subject -issuer -in domaincert1.crt
> >
> > This printed out:
> >
> > subject= /CN=info.finwoks.com
> > issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> >
> > So that one was my domain cert issued by the letsencrypt
> > intermediate.
> >
> > The second certificate gave:
> >
> > subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
> >
> > which is the intermediate.
>
> I'll have to triple-check, but I believe you can put all certificates
> into a single file like you can do with httpd. Just make sure that
> your server's certificate (leaf) is listed first, then the
> intermediate certificate(s), then the root certificate. Usually you do
> not need to supply the root certificate since most clients should have
> the root certificates available already.
>
> Use SSL Labs' SSLTest[1] to help make sure you don't have too little
> or too much in your certificate. Too little and your clients will get
> trust errors. Too much and you'll be wasting bandwidth sending the
> root CA certificate to clients who don't need it.
>
> > I downloaded the certificates using the java program mentioned in
> > my previous e-mail. Depending on your particular setup, you can get
> > the four items using different methods.  I would suggest that you
> > check what the various certificates contain by using the ssl
> > commands. I've also read that the order of the certificates should
> > be
> >
> > Your domain
> > Intermediate
> > Known Root
> >
> > So that's the order I used.  A caution, in my reading I have found
> > some directions not to be accurate.
>
> If there's anything inaccurate on the Tomcat site, please post here.
> If there's anything inaccurate with the httpd site, please post to the
> httpd-users list ... or here if you are super lazy and maybe one of
> the lurking httpd committers will take care of the problem.
>
> - -chris
>
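The ordering rule Chris describes (server/leaf certificate first, then the intermediate(s), root optional) can be checked mechanically before the bundle is handed to a Tomcat certificateFile. The script below is an added example for this thread, not code from the list or from Tomcat; it assumes openssl and awk on PATH, and make_test_chain builds a throwaway root + leaf pair as constructed test data only.

```shell
#!/bin/sh
# Added example (not Tomcat's or the list's code): check that a PEM bundle is
# ordered leaf -> intermediate(s) -> root, i.e. each certificate's issuer DN
# equals the subject DN of the certificate that follows it. Assumes openssl and awk.

# dn_of FIELD FILE: print the subject or issuer DN of one PEM certificate, with
# the leading "subject="/"issuer=" label stripped so the two can be compared.
dn_of() {
    openssl x509 -noout "-$1" -in "$2" | sed 's/^[a-z]*= *//'
}

# chain_order_ok BUNDLE: return 0 if every certificate is followed by its issuer,
# 1 otherwise (the first out-of-order pair is reported on stderr).
chain_order_ok() {
    work=$(mktemp -d)
    # Split the bundle into cert01.pem, cert02.pem, ... preserving file order.
    awk -v dir="$work" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f                             { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
    [ -s "$work/cert01.pem" ] || { rm -rf "$work"; return 1; }
    result=0
    prev=""
    for cert in "$work"/cert*.pem; do
        if [ -n "$prev" ] && [ "$(dn_of issuer "$prev")" != "$(dn_of subject "$cert")" ]; then
            echo "out of order: '$(dn_of subject "$prev")' is not issued by '$(dn_of subject "$cert")'" >&2
            result=1
        fi
        prev=$cert
    done
    rm -rf "$work"
    return $result
}

# make_test_chain DIR: constructed test data only. Builds a throwaway self-signed
# root and a leaf it signs, then writes DIR/good.pem (leaf, root) and
# DIR/bad.pem (root, leaf) so both orderings can be exercised.
make_test_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test Root" \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/leaf.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -out "$1/leaf.crt" 2>/dev/null
    cat "$1/leaf.crt" "$1/root.crt" > "$1/good.pem"
    cat "$1/root.crt" "$1/leaf.crt" > "$1/bad.pem"
}
```

Run `chain_order_ok /path/to/domain-chain.crt` against the real bundle; a non-zero exit means a client will see a broken chain even though every certificate in the file is individually valid.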
