tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Trying to understand How Tomcat uses Keystore for SSL
Date Tue, 28 Nov 2017 17:59:18 GMT

On 11/27/17 10:47 AM, Don Flinn wrote:
> My previous mail was cryptic.  Below is a fuller explanation of
> what I did to get things running.
> First, I'm using Tomcat 9, and the protocol for Tomcat 8.5 and
> up has been expanded.  Chris suggested that I use PKCS12 rather
> than a JDK keystore, which I have done.

Actually, at this point, I'd be using the PEM-encoded DER files (just
like httpd does) instead of a packaged cert/key bundle, just because I
find those easier to deal with.

> I'm also using the APR configuration.  So the redirected connector that
> I'm using looks like:
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>            port="8443" maxThreads="150" SSLEnabled="true">
>   <SSLHostConfig keystoreType="PKCS12">
>     <Certificate certificateKeyFile="C:/users/don/Security/domain.key"
>                  certificateFile="C:/users/don/Security/domain-chain.crt"
>                  certificateChainFile="C:/users/don/Security/ICDTrustRoot.crt"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>

In fact, I think you are using PEM-encoded DER files and not a
packaged keystore, even though your SSLHostConfig's keystoreType is
set to "PKCS12".

> The domain key is the private key I used when getting the
> certificates from letsencrypt.  The certificate I got from
> letsencrypt I called domain-chain.crt. Lastly I downloaded the
> ICDTrustRoot.crt from the letsencrypt at

If you use a tool like certbot-auto (which may or may not be available
for Windows), all of this is done automatically for you.

> You will notice that I'm using Windows syntax, which is just for
> the pathname where the certificates live.  You would use a Linux
> path syntax if you are running Linux.  You need three certificates
> for letsencrypt; a cert for your domain, one for the intermediate
> and finally the root certificate.


> What I call domain-chain.crt holds two certificates; my domain
> certificate and the intermediate.  In order to see what these were
> I separated them in a text editor and called them domaincert1.crt
> and the second domaincert2.crt.  Then I used openssl to see what was
> in them.  For example:
> openssl x509 -noout -subject -issuer -in domaincert1.crt
> This printed out
> subject= / issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> So that one was my domain cert issued by the letsencrypt
> intermediate.
> The second certificate gave
> subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3 issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
> which is the intermediate.

I'll have to triple-check, but I believe you can put all certificates
into a single file like you can do with httpd. Just make sure that
your server's certificate (leaf) is listed first, then the
intermediate certificate(s), then the root certificate. Usually you do
not need to supply the root certificate since most clients should have
the root certificates available already.

Use SSL Labs' SSLTest[1] to help make sure you don't have too little
or too much in your certificate. Too little and your clients will get
trust errors. Too much and you'll be wasting bandwidth sending the
root CA certificate to clients who don't need it.

> I downloaded the certificates using the java program mentioned in
> my previous e-mail. Depending on your particular setup, you can get
> the four items using different methods.  I would suggest that you
> check what the various certificates contain by using the ssl
> commands. I've also read that the order of the certificates should
> be:
>   Your domain
>   Intermediate
>   Known Root
> So that's the order I used.  A caution: in my reading I have found
> some directions not to be accurate.

If there's anything inaccurate on the Tomcat site, please post here.
If there's anything inaccurate with the httpd site, please post to the
httpd-users list ... or here if you are super lazy and maybe one of
the lurking httpd committers will take care of the problem.

-chris
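A concrete way to do the check the reply recommends (split the bundle, read each certificate's subject and issuer with openssl, and confirm the leaf-first ordering and whether a root is tacked on the end), as an added shell script that is not part of the original message and not Tomcat's or httpd's own tooling. It needs only the openssl command line. The function names check_chain, cert_name, split_pem and make_test_chain are mine; make_test_chain builds a constructed, throwaway root/intermediate/leaf chain so the script can be exercised offline without a real Let's Encrypt certificate.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a PEM certificate
# bundle, print each certificate's subject/issuer, verify that the order is
# leaf -> intermediate(s) -> (optional) root, and flag a trailing self-signed
# root that clients already have. Requires the openssl CLI.
set -eu

# split_pem BUNDLE OUTDIR: write each certificate in BUNDLE to its own file
# (OUTDIR/cert01.pem, cert02.pem, ...) in the order it appears; print the count.
split_pem() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != ""                       { print > (f) }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
    grep -c -- '-----BEGIN CERTIFICATE-----' "$bundle" || true
}

# cert_name FILE subject|issuer: print that DN in RFC 2253 form. The
# "subject=" / "issuer=" prefix spacing differs between OpenSSL versions,
# so strip it with sed rather than relying on a fixed width.
cert_name() {
    openssl x509 -noout "-$2" -nameopt RFC2253 -in "$1" | sed "s/^$2= *//"
}

# check_chain BUNDLE: print the chain and verify its order. Returns 0 when
# every certificate is immediately followed by its issuer, 1 otherwise
# (the "too little" case: out of order, or a missing intermediate).
check_chain() {
    bundle=$1
    tmp=$(mktemp -d)
    count=$(split_pem "$bundle" "$tmp")
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $bundle" >&2
        rm -rf "$tmp"
        return 1
    fi
    status=0; i=0; prev_issuer=""; subject=""; issuer=""
    for f in "$tmp"/cert*.pem; do
        i=$((i + 1))
        subject=$(cert_name "$f" subject)
        issuer=$(cert_name "$f" issuer)
        echo "cert $i: subject=$subject"
        echo "         issuer=$issuer"
        # Certificate i must be the one that issued certificate i-1.
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subject" ]; then
            echo "ERROR: cert $i is not the issuer of cert $((i - 1)): out of order or a link is missing" >&2
            status=1
        fi
        prev_issuer=$issuer
    done
    # A self-signed last entry is the root CA ("too much"): harmless, but it
    # is wasted bytes, since the client must already trust it anyway.
    if [ "$subject" = "$issuer" ]; then
        echo "NOTE: last certificate is self-signed (root CA); it can be dropped from the bundle" >&2
    fi
    rm -rf "$tmp"
    return "$status"
}

# make_test_chain DIR: constructed throwaway chain (root -> intermediate ->
# leaf), generated locally with openssl so the checker can be tried offline.
# Writes DIR/good.pem (leaf, intermediate), DIR/bad.pem (swapped) and
# DIR/with-root.pem (leaf, intermediate, root). Test data only.
make_test_chain() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Test Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Test Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -out "$dir/int.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/leaf.pem" 2>/dev/null
    cat "$dir/leaf.pem" "$dir/int.pem" > "$dir/good.pem"
    cat "$dir/int.pem" "$dir/leaf.pem" > "$dir/bad.pem"
    cat "$dir/leaf.pem" "$dir/int.pem" "$dir/root.pem" > "$dir/with-root.pem"
}

# Usage: sh check_chain.sh domain-chain.crt   (no argument: define functions only)
[ $# -eq 0 ] || check_chain "$1"
```

Run it as `sh check_chain.sh domain-chain.crt`: an ERROR line and exit status 1 is the "too little" case from the reply (wrong order or missing intermediate), and the NOTE about a self-signed last entry is the "too much" case. The split files are also the pieces Tomcat's Certificate element takes separately when you go the PEM route: the leaf for certificateFile and the intermediate(s) for certificateChainFile, which per the Tomcat configuration reference should not contain the server certificate itself. The script only checks name linkage, not signatures; run the result through SSL Labs as the reply suggests for the full picture.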