tomcat-users mailing list archives

From Lyallex <lyal...@gmail.com>
Subject Re: renewing an ssl certificate
Date Thu, 06 Apr 2017 09:52:22 GMT
On 6 April 2017 at 00:42, Christopher Schultz
<chris@christopherschultz.net> wrote:
>
> Lyllax,
>
> On 4/4/17 3:11 PM, Lyallex wrote:
>> After some sterling support from this list a while ago which
>> included a code change I have been successfully running Apache
>> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
>> year now without problems, it just works, it never falls over and
>> it has withstood some concerted attacks by all sorts of scallywags.
>> Impressive.
>
> Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
> have a testing environment, I think you'll be able to do it in about
> 30 minutes. After you do it once, it'll take you more like 5 minutes.

Already running on my dev and stage boxes

<snip>

> It should be that simple every time. Again, always keep a backup...

All I do is create a brand new keystore in a new location and do
everything from there
When I'm happy I simply change the location of the keystore in the
relevant connector in conf/server.xml
and restart tomcat. If it all goes belly up I simply change the config
to point to the old keystore.

Of course this only works if you don't leave everything to the last
minute and the old cert times out :-)

<snip>

>
> When you are using PEM files, it's very clear what everything is, and,
> if you have a one-PEM-file-to-rule-them-all, then you can at least see
> everything labelled appropriately with a simple text editor. You can
> also get your private key out of the bundle without resorting to
> chicanery.

I get a zipped archive from Comodo containing individual files but
I'll look into pem files

> Come to this year's ApacheCon NA in Miami. There will be a few talks
> about TLS, including one on the basics and another one on using Let's
> Encrypt to get free automated certs so you never have to manually do
> this process ever again -- unless you want an EV cert ;)

Love to, but I'm in the UK.
I delegate payment to a service provider, the only external resource I
use, so I don't store
users' financial data, just makes life simpler and means I don't really
need an EV cert.

Despite their vehement denial, https is a ranking signal to Google,
maybe it would be nice if they offered a free basic ssl cert so small
businesses like mine don't have to pay over GBP 100 inc VAT every
year.

I won't hold my breath.

Thanks for taking the time to reply
Lyallex
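
The keystore swap and rollback described in this message, sketched as an added example that is not part of the original post or of Tomcat itself. It assumes Tomcat 7 style `keystoreFile` and `SSLEnabled` attributes on the connector; the sample server.xml, its paths and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Tomcat 7 style conf/server.xml (paths are made up).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- plain HTTP connector: must stay untouched -->
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/keystores/2016/site.jks"
               keystorePass="changeit" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def tls_keystores(server_xml):
    """Return the keystoreFile of every SSL-enabled Connector (None if unset)."""
    root = ET.fromstring(server_xml.encode("utf-8"))
    return [c.get("keystoreFile") for c in root.iter("Connector")
            if c.get("SSLEnabled", "").lower() == "true"]


def repoint_keystore(server_xml, old_path, new_path):
    """Swap one keystoreFile value textually so comments and layout survive.

    Rolling back is the same call with old_path and new_path exchanged.
    """
    if re.search(r'["\'<&]', new_path):
        raise ValueError("new path contains characters unsafe in an XML attribute")
    before = tls_keystores(server_xml)
    if before.count(old_path) != 1:
        raise ValueError("expected exactly one TLS connector using %s" % old_path)
    pattern = re.compile(r'(keystoreFile\s*=\s*(["\']))' + re.escape(old_path) + r'\2')
    updated, hits = pattern.subn(lambda m: m.group(1) + new_path + m.group(2), server_xml)
    if hits != 1:
        raise ValueError("expected one textual match, found %d" % hits)
    # Re-parse to confirm the file is still well-formed and only that value moved.
    expected = [new_path if p == old_path else p for p in before]
    if tls_keystores(updated) != expected:
        raise ValueError("edit changed something other than the intended keystore")
    return updated
```

Keep a copy of the original server.xml and the old keystore in place until the new certificate has been confirmed on the running connector.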
