From: Konstantin Kolinko
Date: Tue, 8 Aug 2017 16:22:37 +0300
Subject: Re: Test keys and certs
To: Tomcat Developers List

2017-08-08 16:03 GMT+03:00 Mark Thomas:
> On 08/08/17 13:59, George Stanchev wrote:
>
>> Is it possible the recent changes [1] have affected it? Chrome no longer looks in CN, which is ignored but rather expects SAN to be filled up. Perhaps Tomcat's test certs lack SAN?
>>
>> [1] https://www.thesslstore.com/blog/security-changes-in-chrome-58/
>
> That did affect the server cert and we fixed that a little while ago. I
> don't believe it applies to user certs. The new user cert doesn't have a
> SAN and it is now working correctly in Chrome.

Interesting.

It means that for a simple self-signed cert the instructions [1] have to be updated.

Looking at docs [2], there are examples of using the '-ext' switch to set a SAN

    keytool -alias ca -gencert -ext san=dns:ca1

Also, the -genkey switch was renamed to -genkeypair.

[1] tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html
[2] https://docs.oracle.com/javase/8/docs/technotes/tools/windows/keytool.html

Best regards,
Konstantin Kolinko
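
The point raised in this message, as an added example that is not part of the original e-mail or of Tomcat's documentation: creating a self-signed certificate with a SAN through keytool's -ext switch, and checking that a certificate really carries the dNSName rather than only a CN. The alias, password, file names, host names and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: self-signed cert with a SAN via keytool, plus a SAN check.
# Alias, password, file names and host names are placeholders.

# Create a self-signed key pair in PKCS12 keystore $1.
# $2, if non-empty, goes to -ext (for example san=dns:localhost,ip:127.0.0.1).
gen_cert() {
    ks=$1; ext=$2
    set -- -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 90 \
        -dname "CN=localhost" -storetype PKCS12 \
        -keystore "$ks" -storepass changeit -keypass changeit
    if [ -n "$ext" ]; then set -- "$@" -ext "$ext"; fi
    keytool "$@"
}

# Read `keytool -list -v` output on stdin and print the entries of the
# SubjectAlternativeName block, one per line; print nothing if there is none.
san_entries() {
    awk '/^SubjectAlternativeName \[/ { in_san = 1; next }
         in_san && /^\]/             { in_san = 0 }
         in_san                      { sub(/^[ \t]+/, ""); print }'
}

# Succeed only if the listing on stdin has a dNSName SAN equal to $1.
# The CN in the Owner line is deliberately ignored, as Chrome 58+ does.
# Exact match only: wildcard SANs are not expanded.
has_dns_san() {
    san_entries | grep -Fqx "DNSName: $1"
}

# Constructed sample modelled on `keytool -list -v` output (assumption).
sample_listing() {
    cat <<'EOF'
Owner: CN=localhost
Issuer: CN=localhost
Extensions:

#1: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: localhost
  IPAddress: 127.0.0.1
]
EOF
}

# With a JDK on PATH:
#   gen_cert test.p12 san=dns:localhost,ip:127.0.0.1
#   keytool -list -v -keystore test.p12 -storepass changeit | has_dns_san localhost
sample_listing | has_dns_san localhost && echo "SAN covers localhost"
```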