tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Trying to understand How Tomcat uses Keystore for SSL
Date Tue, 28 Nov 2017 17:59:18 GMT

Don,

On 11/27/17 10:47 AM, Don Flinn wrote:
> My previous mail was cryptic.  Below is a fuller explanation of
> what I did to get things running.
> 
> First, I'm using Tomcat 9 and the protocol for the Tomcat 8.5 and
> up has been expanded.  Chris suggested that I use PKCS12 rather
> than JDK keystore, which I have done.

Actually, at this point, I'd be using the PEM-encoded DER files (just
like httpd does) instead of a packaged cert/key bundle, just because I
find those easier to deal with.

> I'm also using the APR configuration.  So the redirected connector
> that I'm using looks like:
> 
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>            port="8443" maxThreads="150" SSLEnabled="true">
>   <SSLHostConfig keystoreType="PKCS12">
>     <Certificate certificateKeyFile="C:/users/don/Security/domain.key"
>                  certificateFile="C:/users/don/Security/domain-chain.crt"
>                  certificateChainFile="C:/users/don/Security/ICDTrustRoot.crt"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>

In fact, I think you are using PEM-encoded DER files and not a
packaged keystore, even though your SSLHostConfig's keystoreType is
set to "PKCS12".

> The domain key is the private key I used when getting the
> certificates from letsencrypt.  The certificate I got from
> letsencrypt I called domain-chain.crt. Lastly I downloaded the
> ICDTrustRoot.crt from the letsencrypt at
> https://letsencrypt.org/certificates.

If you use a tool like certbot-auto (which may or may not be available
for Windows), all of this is done automatically for you.

> You will notice that I'm using Windows syntax, which is just for
> the pathname where the certificates live.  You would use a Linux
> path syntax if you are running Linux.  You need three certificates
> for letsencrypt; a cert for your domain, one for the intermediate
> and finally the root certificate.

+1

> What I call domain-chain.crt holds two certificates; my domain
> certificate and the intermediate.  In order to see what these were
> I separated them in a text editor and called them domaincert1.crt
> and the second domaincert2.crt. Then I used openssl to see what was
> in them.  For example:
> 
> openssl x509 -noout -subject -issuer -in domaincert1.crt
> 
> this printed out
> 
> subject= /CN=info.finwoks.com
> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> 
> So that one was my domain cert issued by the letsencrypt
> intermediate
> 
> The second certificate gave
> 
> subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
> 
> which is the intermediate.

I'll have to triple-check, but I believe you can put all certificates
into a single file like you can do with httpd. Just make sure that
your server's certificate (leaf) is listed first, then the
intermediate certificate(s), then the root certificate. Usually you do
not need to supply the root certificate since most clients should have
the root certificates available already.

Use SSL Labs' SSLTest[1] to help make sure you don't have too little
or too much in your certificate. Too little and your clients will get
trust errors. Too much and you'll be wasting bandwidth sending the
root CA certificate to clients who don't need it.

> I downloaded the certificates using the java program mentioned in
> my previous e-mail. Depending on your particular setup, you can get
> the four items using different methods.  I would suggest that you
> check what the various certificates contain by using the ssl
> commands. I've also read that the order of the certificates should
> be
> 
> Your domain
> Intermediate
> Known Root
> 
> So that's the order I used.  A caution, in my reading I have found
> some directions not to be accurate.

If there's anything inaccurate on the Tomcat site, please post here.
If there's anything inaccurate with the httpd site, please post to the
httpd-users list ... or here if you are super lazy and maybe one of
the lurking httpd committers will take care of the problem.

-chris
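The chain-order check Chris describes above (leaf first, then the intermediate(s), root usually omitted) can be automated from the same `openssl x509 -noout -subject -issuer` output Don used. This is an added example, not code from the thread or from Tomcat; the sample openssl output below is constructed to mirror the two certificates Don reported, and the self-signed root lines are made up to show the "too much in the chain" case.

```python
"""Check the order of a PEM chain from openssl subject/issuer output."""
import re
from typing import Dict, List, Tuple

# Constructed sample output of `openssl x509 -noout -subject -issuer` for
# each cert, in the order they would appear in domain-chain.crt.
LEAF_OUT = ("subject= /CN=info.finwoks.com\n"
            "issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3\n")
INTERMEDIATE_OUT = ("subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3\n"
                    "issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3\n")
ROOT_OUT = ("subject= /O=Digital Signature Trust Co./CN=DST Root CA X3\n"
            "issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3\n")

# Splits a PEM bundle into one block per certificate, the same thing Don did
# by hand in a text editor, so each block can be fed to openssl in turn.
def split_pem_bundle(text: str) -> List[str]:
    return re.findall(
        r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)

# Parses "subject= ..." / "issuer= ..." lines; accepts both the old
# "/CN=x" and the newer "CN = x" openssl formatting.
def parse_subject_issuer(text: str) -> Tuple[str, str]:
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = re.match(r"\s*(subject|issuer)\s*=\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields["subject"], fields["issuer"]

# Verifies that consecutive (subject, issuer) pairs link up (each cert's
# issuer is the next cert's subject), that the first cert is not self-signed
# (i.e. the leaf comes first), and reports whether a self-signed root was
# included, which most clients do not need and only costs bandwidth.
def check_chain_order(chain: List[Tuple[str, str]]) -> dict:
    problems = []
    for i in range(len(chain) - 1):
        _, issuer = chain[i]
        next_subject, _ = chain[i + 1]
        if issuer != next_subject:
            problems.append(f"cert {i} issued by '{issuer}' but "
                            f"cert {i + 1} is '{next_subject}'")
    if chain and chain[0][0] == chain[0][1]:
        problems.append("first cert is self-signed; the leaf must come first")
    root_included = bool(chain) and chain[-1][0] == chain[-1][1]
    return {"ok": not problems, "root_included": root_included,
            "problems": problems}

if __name__ == "__main__":
    pairs = [parse_subject_issuer(o) for o in (LEAF_OUT, INTERMEDIATE_OUT)]
    print(check_chain_order(pairs))
```

A result with `ok` true and `root_included` false is the chain shape Chris recommends; `root_included` true is the "too much" case SSL Labs would also flag.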


