tomcat-users mailing list archives

From John Palmer <johnpalm...@gmail.com>
Subject Re: tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements
Date Tue, 12 Feb 2019 01:58:05 GMT
Wow. All working now. (I think - verifying the Client Cert prompt - browser
is NOT prompting, but I may not have a cert for it to send.)
certificateKeystoreFile etc instead of certificateKeyFile

and
truststoreFile instead of caCertificateFile

(I spent a lot of time searching and trying things. Glad I finally ASKED.)

Thanks again.


On Mon, Feb 11, 2019 at 11:22 AM Christopher Schultz <
chris@christopherschultz.net> wrote:

> John,
>
> On 2/11/19 10:42, John Palmer wrote:
> > I'm new to implementing APR/tc-native for SSL/TLS on Windows
> > Server 2008R2, attempting to use tomcat 8.5.37 specifying PKCS12
> > format in the SSLHostConfig/Certificate elements for the keystore
> > and truststore. (I would prefer to drop the JKS format for several
> > reasons.) Questions are: is this allowed?
>
> Absolutely. And switching away from JCEKS/JKS files is a good idea.
> They never should have existed in the first place.
>
> > if so, what am I doing wrong?
>
> :)
>
> > ...while the old (tomcat 7) connector element format works very
> > well... for example: <Connector port="443"
> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > keyAlias="FQDNservername" keystoreFile="C:\certs\servername.pfx"
> > keystorePass="password" keystoreType="PKCS12" clientAuth="true"
> > truststoreFile="C:\certs\truststore.pfx" truststoreType="PKCS12"
> > truststorePass="password"
> > >
> > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> > /> </Connector>
> >
> > trying to use these .pfx files in the new
> > Connector/SSLHostConfig/Certificate elements doesn't work: (there's
> > no equivalent to the ...Type attribute for certificateFile,
> > caCertificateFile, and the description for each says ..."The format
> > is PEM-encoded." and no equivalent for the ...Password attribute
> > for caCertificateFile).
>
> You want to use certificateKeystoreType="PKCS12" and
> certificateKeystoreFile="C:/certs/truststore.pfx". Don't use
> backslashes. They will ruin your life. (But in this case, it should
> not matter which kind of slash you use.)
>
> I notice that you have another thread where you are trying to use
> tcnative. If you are using tcnative with the APR connector, you cannot
> use keystores such as the above. But you are specifically using the
> NIO2 protocol, so you will be using the OpenSSL JSSE provider, so I
> think you are okay.
>
> > <Connector port="443"
> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> > maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> > >
> > <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> > /> <SSLHostConfig certificateVerification="optional"
> > caCertificateFile="C:\certs\trustStore.PFX"
> > >
>
> Change to truststoreFile="C:/certs/trustStore.PFX".
>
> > <Certificate certificateKeyFile="C:\certs\servername.pfx"
> > certificateKeyPassword="password" />
>
> Change to certificateKeystoreFile and make sure to set
> certificateKeystoreType="PKCS12". Also
> certificateKeystorePassword="password".
>
> > </SSLHostConfig> </Connector>
> >
>
> Hope that helps.
>
> -chris

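For reference, here is the attribute mapping the thread arrives at, written out as a complete server.xml fragment. This is an added illustration, not config from either poster: the Tomcat 7 style Connector from the question beside its Tomcat 8.5 SSLHostConfig equivalent. Paths, the alias and the passwords are placeholders; forward slashes are used as Chris suggested.

```xml
<!-- Before: legacy Connector-level SSL attributes (Tomcat 7 style). -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keyAlias="FQDNservername"
           keystoreFile="C:/certs/servername.pfx"
           keystoreType="PKCS12" keystorePass="CHANGE_ME"
           clientAuth="true"
           truststoreFile="C:/certs/truststore.pfx"
           truststoreType="PKCS12" truststorePass="CHANGE_ME">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

<!-- After: the same settings as SSLHostConfig/Certificate (Tomcat 8.5).
     keystore*  -> certificateKeystore* on <Certificate>
     truststore* -> truststore* on <SSLHostConfig> (note: truststorePassword,
                    not truststorePass)
     clientAuth="true" -> certificateVerification="required";
     clientAuth="want" -> certificateVerification="optional" (the thread used
                          "optional", which asks for a client cert but still
                          accepts the connection when none is presented).
     certificateFile / certificateKeyFile / caCertificateFile are PEM-only and
     are not used at all for a PKCS12 keystore. The keystore attributes
     require a JSSE-based connector (NIO/NIO2), not the APR connector. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig certificateVerification="required"
                   truststoreFile="C:/certs/truststore.pfx"
                   truststoreType="PKCS12"
                   truststorePassword="CHANGE_ME">
        <Certificate certificateKeystoreFile="C:/certs/servername.pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="CHANGE_ME"
                     certificateKeyAlias="FQDNservername" />
    </SSLHostConfig>
</Connector>
```

Keep the keystore and truststore passwords out of version control (or move them to a property reference) rather than leaving literal values in server.xml.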