RE: SSLHostConfig question
Thank you Chris! Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. > -Original Message- > From: Christopher Schultz > Sent: Tuesday, September 26, 2023 5:49 PM > To: users@tomcat.apache.org > Subject: Re: SSLHostConfig question > > Jonm > > On 9/26/23 15:07, Mcalexander, Jon J. wrote: > > Thank you, but which format of the line is correct? > > > > certificateKeystoreType="pkcs12" > > > > or > > > > certificateKeystore="path to pfx file" type="pkcs12" > > https://urldefense.com/v3/__https://tomcat.apache.org/tomcat-9.0- > doc/config/http.html*SSL_Support_- > _Certificate__;Iw!!F9svGWnIaVPGSwU!qCp4SoLLBDygK5Nnm9Rt0079tFHSD > 5l0E1FK_qlMaNuRe1gzbj65XM4I-eFo2lfYoP_1XSx20Ph_opEI- > ChtAbTAYVqev6Nm$ > > Here are the relevant attributes: > > certificateKeystoreFile : path to your file certificateKeystoreType : type of > keystore file type : type of /key/ (choose RSA, EC, or DSA - but don't choose > DSA) > > -chris > > >> -Original Message- > >> From: Mark Thomas > >> Sent: Tuesday, September 26, 2023 11:54 AM > >> To: users@tomcat.apache.org > >> Subject: Re: SSLHostConfig question > >> > >> On 26/09/2023 16:50, Christopher Schultz wrote: > >>> Jon, > >>> > >>> On 9/26/23 11:32, Mcalexander, Jon J. wrote: > >>>> I have a question around the SSLHostConfig SSL Connector in Tomcat. > >>>> In the section, if the SSL Certificate is in a > >>>> Windows PFS Keystore, is it appropriate to add > >>>> > >>>> certificateKeystoreType="PFX" > >>>> > >>>> or > >>>> > >>>> certificateKeystore="path to pfx file" type="PFX" > >>>> > >>>> I'm finding reference to certificateKeystoreType, but not in > >>>> regards to PKCS12/PFX types. > >>> > >>> I don't think Tomcat supports "PFX" files per-se, but the intertubes > >>> say that PFX is PKCS12, which IS supported. So try using "PKCS12" > >>> which I think is the default. > >> > >> Default for all keystore types is JKS. > >> > >> As Chris says, "pkcs12" should work. > >> > >> Mark > >> > >> - > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > >> For additional commands, e-mail: users-h...@tomcat.apache.org > > > > > > - > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > > For additional commands, e-mail: users-h...@tomcat.apache.org > > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSLHostConfig question
Jonm On 9/26/23 15:07, Mcalexander, Jon J. wrote: Thank you, but which format of the line is correct? certificateKeystoreType="pkcs12" or certificateKeystore="path to pfx file" type="pkcs12" https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Certificate Here are the relevant attributes: certificateKeystoreFile : path to your file certificateKeystoreType : type of keystore file type : type of /key/ (choose RSA, EC, or DSA - but don't choose DSA) -chris -Original Message- From: Mark Thomas Sent: Tuesday, September 26, 2023 11:54 AM To: users@tomcat.apache.org Subject: Re: SSLHostConfig question On 26/09/2023 16:50, Christopher Schultz wrote: Jon, On 9/26/23 11:32, Mcalexander, Jon J. wrote: I have a question around the SSLHostConfig SSL Connector in Tomcat. In the section, if the SSL Certificate is in a Windows PFS Keystore, is it appropriate to add certificateKeystoreType="PFX" or certificateKeystore="path to pfx file" type="PFX" I'm finding reference to certificateKeystoreType, but not in regards to PKCS12/PFX types. I don't think Tomcat supports "PFX" files per-se, but the intertubes say that PFX is PKCS12, which IS supported. So try using "PKCS12" which I think is the default. Default for all keystore types is JKS. As Chris says, "pkcs12" should work. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSLHostConfig question
Mark, On 9/26/23 12:54, Mark Thomas wrote: On 26/09/2023 16:50, Christopher Schultz wrote: Jon, On 9/26/23 11:32, Mcalexander, Jon J. wrote: I have a question around the SSLHostConfig SSL Connector in Tomcat. In the section, if the SSL Certificate is in a Windows PFS Keystore, is it appropriate to add certificateKeystoreType="PFX" or certificateKeystore="path to pfx file" type="PFX" I'm finding reference to certificateKeystoreType, but not in regards to PKCS12/PFX types. I don't think Tomcat supports "PFX" files per-se, but the intertubes say that PFX is PKCS12, which IS supported. So try using "PKCS12" which I think is the default. Default for all keystore types is JKS. As Chris says, "pkcs12" should work. Most recent JVMs will open a JKS file or PKCS12 file regardless of which type you actually specify. That was their solution to switching the default from JKS to PKCS12. At this point, Tomcat should probably issue a warning if the type is "JKS" and just tell users "stop using JKS, use PKCS12 instead". -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: SSLHostConfig question
Thank you, but which format of the line is correct? certificateKeystoreType="pkcs12" or certificateKeystore="path to pfx file" type="pkcs12" Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. > -Original Message- > From: Mark Thomas > Sent: Tuesday, September 26, 2023 11:54 AM > To: users@tomcat.apache.org > Subject: Re: SSLHostConfig question > > On 26/09/2023 16:50, Christopher Schultz wrote: > > Jon, > > > > On 9/26/23 11:32, Mcalexander, Jon J. wrote: > >> I have a question around the SSLHostConfig SSL Connector in Tomcat. > >> In the section, if the SSL Certificate is in a > >> Windows PFS Keystore, is it appropriate to add > >> > >> certificateKeystoreType="PFX" > >> > >> or > >> > >> certificateKeystore="path to pfx file" type="PFX" > >> > >> I'm finding reference to certificateKeystoreType, but not in regards > >> to PKCS12/PFX types. > > > > I don't think Tomcat supports "PFX" files per-se, but the intertubes > > say that PFX is PKCS12, which IS supported. So try using "PKCS12" > > which I think is the default. > > Default for all keystore types is JKS. > > As Chris says, "pkcs12" should work. > > Mark > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSLHostConfig question
On 26/09/2023 16:50, Christopher Schultz wrote: Jon, On 9/26/23 11:32, Mcalexander, Jon J. wrote: I have a question around the SSLHostConfig SSL Connector in Tomcat. In the section, if the SSL Certificate is in a Windows PFS Keystore, is it appropriate to add certificateKeystoreType="PFX" or certificateKeystore="path to pfx file" type="PFX" I'm finding reference to certificateKeystoreType, but not in regards to PKCS12/PFX types. I don't think Tomcat supports "PFX" files per-se, but the intertubes say that PFX is PKCS12, which IS supported. So try using "PKCS12" which I think is the default. Default for all keystore types is JKS. As Chris says, "pkcs12" should work. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSLHostConfig question
Jon, On 9/26/23 11:32, Mcalexander, Jon J. wrote: I have a question around the SSLHostConfig SSL Connector in Tomcat. In the section, if the SSL Certificate is in a Windows PFS Keystore, is it appropriate to add certificateKeystoreType="PFX" or certificateKeystore="path to pfx file" type="PFX" I'm finding reference to certificateKeystoreType, but not in regards to PKCS12/PFX types. I don't think Tomcat supports "PFX" files per-se, but the intertubes say that PFX is PKCS12, which IS supported. So try using "PKCS12" which I think is the default. -chris - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
