tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: Test keys and certs
Date Tue, 08 Aug 2017 13:22:37 GMT
2017-08-08 16:03 GMT+03:00 Mark Thomas <markt@apache.org>:
> On 08/08/17 13:59, George Stanchev wrote:
>
> <snip/>
>
>> Is it possible the recent changes [1] has affected it? Chrome no longer looks in
CN, which is ignored but rather expects SAN to be filled up. Perhaps Tomcat's test certs lack
SAN?
>>
>> [1] https://www.thesslstore.com/blog/security-changes-in-chrome-58/
>
> That did affect the server cert and we fixed that a little while ago. I
> don't believe it applies to user certs. The new user cert doesn't have a
> SAN and it is now working correctly in Chrome.

Interesting.

It means that for a simple self-signed cert the instructions [1] have
to be updated.

Looking at docs [2], there are examples of using '-ext' switch to set a SAN

keytool -alias ca -gencert -ext san=dns:ca1

Also -genkey switch was renamed to -genkeypair.


[1] tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
[2] https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message