From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Trying to understand How Tomcat uses Keystore for SSL
Date Wed, 29 Nov 2017 14:37:26 GMT

Don,

On 11/28/17 4:55 PM, Don Flinn wrote:
>>> In fact, I think you are using PEM-encoded DER files and not a 
>>> packaged keystore, even though your SSLHostConfig's
>>> keystoreType is set to "PKCS12".
> 
> Yes, I am using PEM files.  Got to read more on DER files.

PEM is an encoding, while DER is really the file format. It's like
saying "is this file text/plain or UTF-8?"

This is a great read for almost anyone who cares about x509 certificates:

https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them

> So do I just drop the keystoreType="PKCS12"  from the connector?

Theoretically, yes. The keystoreType is only used when there is a
keystore and not "certificate files", etc.

>> If there's anything inaccurate on the Tomcat site
> 
> No, I was talking about other sites, not the Tomcat site.  I've
> been reading all over the internet for that which seems related.
> My statement was a caution to not believe everything you read.
> 'Trust but verify'

Mark has given a number of presentations on TLS and they are very
accessible. Have a look at the slides (and some audio/video) on the
"presentations" page on the Tomcat site. Each of them has a varying
level of "introductoryness", but I think the more recent ones like
"Introduction to Tomcat and TLS" from TomcatCon in Miami are probably
the best ones to see for beginners.

> Your e-mail has been very helpful, not only to me, but I believe
> to others.  With respect to the Tomcat site, I think a lot of what
> you wrote would be very helpful there.  For example, the Tomcat 
> write up on SSL describes how to do self signed certificates and 
> fleetingly mentions that if you have a certificate from a CA that
> you could use e.g. openssl and then refers the reader to their java
> documentation and openssl documentation.  Not too helpful to the
> security/Tomcat novice.

Agreed. Would you care to write some new documentation and/or prepare
a patch for the site? It's usually best when beginners write for their
own audience. I, for example, understand it backwards and forwards so
when I write I have a skewed perspective. Writing as a beginner can
re-focus the narrative for a different audience.

If you need any help grabbing the site from svn, etc. please just ask.

> Thanks for your patience and help.

You are more important than the software. No, really:
https://blogs.apache.org/foundation/entry/asf_15_community_over_code

-chris
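The PEM-versus-DER point made above, as an added example that is not part of the original message: a PEM file is just base64 text between BEGIN/END lines wrapping the same DER bytes, so decoding the wrapper gives back the binary tag/length structure. The sample DER value is constructed here and is not a real certificate.

```python
"""PEM is an encoding (text armor); DER is the underlying binary format."""
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_to_der(pem_text):
    """Return (label, der_bytes) for the first PEM block in pem_text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    # Strip the line breaks before decoding; validate=True rejects junk.
    return label, base64.b64decode("".join(body.split()), validate=True)


def der_to_pem(label, der):
    """Wrap DER bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def der_header(der):
    """Parse the outer DER tag and length (short or long form)."""
    tag, first = der[0], der[1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        raise ValueError("DER length does not match file size")
    return tag, length


def detect_encoding(raw):
    """Sniff whether a file is PEM text or raw DER.

    Certificates, keys and PKCS12 keystores are all DER SEQUENCEs (0x30),
    so this tells you the encoding, not what the file contains.
    """
    if raw.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if raw[:1] == b"\x30":
        return "DER"
    return "unknown"


# Constructed sample, not a certificate: SEQUENCE { INTEGER 2, UTF8String "tomcat" }
SAMPLE_DER = bytes.fromhex("300b020102" + "0c06" + b"tomcat".hex())
```

Pass a real `.crt` file's contents to `detect_encoding` or `pem_to_der` to see the same outer SEQUENCE header on your own certificate.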
