Re: Need help installing SSL certificate in tomcat keystore

2024-05-31 Thread Christopher Schultz

Mark,

On 5/30/24 08:46, Fung-A-Fat, Mark wrote:
I am running a java web app on windows 2019 server and need some help 
getting the SSL certificate installed into my keystore.


I am running tomcat 9.x and java 11

I am able to generate a certificate request using both keytool and/or 
openssl


For both the CSR file looks like this, but the openssl also generates a 
private key xxx.


-BEGIN NEW CERTIFICATE REQUEST-

MIIC2TCCAcECAQAwZDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAm1hMRAwDgYDVQQH

-END NEW CERTIFICATE REQUEST-

Private key from OPENSSL

-BEGIN PRIVATE KEY-
MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC5EqmuGM9nRQ5n
-END PRIVATE KEY-


You may have compromised your private key by posting it like this. I 
would start everything over again from scratch, starting with generating 
a new private key and CSR.


I use the CSR to submit a request to my company’s certificate server and 
I am able to download 2 files in DER format


The downloaded certificate has a name certnew.cer, the downloaded chain 
certificate has a name cernew.p7b and both appear to be binary because 
when I open them in notepad++ they are unreadable


.p12 and .p7 files are always binary. Are you able to get the files as 
PEM? That is, IMHO, the most convenient package format.


Not sure how I go about converting and importing these into my 
keystore using keytool.


The documentation is confusing to me as to what needs to be done.

https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html the section on 
importing the certificate does not go into how to convert or merge the 
certificate or the certificate chain and also does not say anything about 
a private key file


Has anyone out there done this consistently and successfully?


You should be able to use keytool -importcert as described here:

https://stackoverflow.com/questions/15814569/import-pkcs7-chained-certificate-using-keytool-command-to-jks

When you do all of this start-to-finish, basically you do the following:

1. $ keytool -genkeypair -alias 'mykey' (creates key + self-signed cert 
in keystore, plus CSR)


2. Send CSR to CA for signing, get signed cert in return

3. $ keytool -importcert -alias 'mykey'

This will UPDATE THE CERT in your keystore with the one signed by the 
CA. Now, you are ready to use the signed certificate with Tomcat.


But definitely start over with a new private key. The one you posted 
shouldn't be trusted anymore.


Hope that helps,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Need help installing SSL certificate in tomcat keystore

2024-05-30 Thread Fung-A-Fat, Mark



I am running a java web app on windows 2019 server and need some help getting 
the SSL certificate installed into my keystore.

I am running tomcat 9.x and java 11

I am able to generate a certificate request using both keytool and/or openssl

For both the CSR file looks like this, but the openssl also generates a private 
key xxx.



-BEGIN NEW CERTIFICATE REQUEST-

MIIC2TCCAcECAQAwZDELMAkGA1UEBhMCdXMxCzAJBgNVBAgTAm1hMRAwDgYDVQQH

-END NEW CERTIFICATE REQUEST-



Private key from OPENSSL

-BEGIN PRIVATE KEY-

MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQC5EqmuGM9nRQ5n

-END PRIVATE KEY-



I use the CSR to submit a request to my company's certificate server and I am 
able to download 2 files in DER format


The downloaded certificate has a name certnew.cer, the downloaded chain 
certificate has a name cernew.p7b and both appear to be binary because when I 
open them in notepad++ they are unreadable

Not sure how I go about converting and importing these into my 
keystore using keytool.

The documentation is confusing to me as to what needs to be done.

https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html the section on 
importing the certificate does not go into how to convert or merge the 
certificate or the certificate chain and also does not say anything about a 
private key file

Has anyone out there done this consistently and successfully?

Thanks for the help

mark



Re: GoDaddy SSL certificate not working with Tomcat9

2023-03-21 Thread Ralph Grove
Follow-up to this thread: 

I found the problem, which was my own mistake. I failed to enter the correct 
domain name when creating the keystore. After going back through the entire 
process again, with the correct domain name, the server is up and running 
again. Thanks, nevertheless, for the help.

Ralph

> On Mar 21, 2023, at 6:38 AM, Ralph Grove  wrote:
> 
>>> I set up the server last year and installed the SSL certificate with no 
>>> problem. This year, after the original certificate expired, I downloaded 
>>> the new certificate provided by GoDaddy, removed the old certificate files 
>>> from the keystore, and installed the new ones. Now Tomcat is throwing a 
>>> "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to 
>>> open the HTTPS connector. I also tried rebuilding the keystore from scratch 
>>> and requesting a new certificate, but am getting the same exception with 
>>> that certificate.
>>> These are the commands I used to obtain and install the certificate:
>>> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
>>> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore 
>>> keystore.jks
>>> (--request and obtain certificate files from GoDaddy--)
>> 
>> Did you run the commands below on the same keystore file you created in the 
>> first command above?
> 
> Yes - it was the same file. I went through the commands twice, just to be 
> sure.
>> 
>>> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file 
>>> gdcerts/gdroot-g2.crt
>>> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts 
>>> -file gdcerts/gd_bundle-g2-g1.crt
>>> sudo keytool -import -alias tomcat -keystore keystore.jks -file 
>>> gdcerts/.crt
>> 
>> What is the output of:
>> keytool -list -v -keystore keystore.jks
> 
> > sudo keytool -list -v -keystore keystore.jks...



Re: GoDaddy SSL certificate not working with Tomcat9

2023-03-21 Thread Christopher Schultz

Ralph,

On 3/21/23 06:38, Ralph Grove wrote:



> [snip]
>

Alias name: tomcat
Creation date: Mar 21, 2023
Entry type: trustedCertEntry


You created a keystore with no keys.

Where is the key you used to generate the CSR? That key needs to be in 
your keystore under the alias 'tomcat' alongside the cert.


If you have both cert and key, you'll get a single entry with a single 
alias and type "PrivateKeyEntry".


-chris


Owner: CN=personalitypad.org
Issuer: CN=Go Daddy Secure Certificate Authority - G2, 
OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, 
ST=Arizona, C=US
Serial number: afa46fd8c3404384
Valid from: Sat Mar 18 17:26:57 EDT 2023 until: Sun Feb 04 12:48:29 EST 2024
Certificate fingerprints:
 SHA1: 43:33:D4:48:91:12:E2:1C:F2:E9:1C:F1:84:94:D4:24:1C:8A:C9:B9
 SHA256: 
68:9C:D5:0E:73:A4:37:3C:56:38:BA:89:ED:9B:53:71:F4:B8:C6:9B:16:B6:F5:37:5E:5E:41:85:0B:66:B1:88
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   [
accessMethod: ocsp
accessLocation: URIName: http://ocsp.godaddy.com/
,
accessMethod: caIssuers
accessLocation: URIName: 
http://certificates.godaddy.com/repository/gdig2.crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE.,..
]
]

#4: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
   CA:false
   PathLen: undefined
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
   [DistributionPoint:
  [URIName: http://crl.godaddy.com/gdig2s1-5359.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
   [CertificatePolicyId: [2.16.840.1.114413.1.7.23.1]
[PolicyQualifierInfo: [
   qualifierID: 1.3.6.1.5.5.7.2.1
   qualifier: : 16 2B 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69  
.+http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79 2F   m/repository/

]]  ]
   [CertificatePolicyId: [2.23.140.1.2.1]
[]  ]
]

#7: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
   serverAuth
   clientAuth
]

#8: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
   DigitalSignature
   Key_Encipherment
]

#9: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
   DNSName: personalitypad.org
   DNSName: www.personalitypad.org
]

#10: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: A3 F9 3A E5 38 6D 62 89   75 E8 98 E1 08 75 72 8E  ..:.8mb.uur.
0010: FB 54 55 2C.TU,
]
]



***
***






And this is the Tomcat configuration for the connector:







The connector configuration looks OK.

Mark

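Chris's point above, that a key and its certificate show up together as one PrivateKeyEntry, can be checked mechanically from the listing Ralph posted. The following is example code written for this thread, not part of Tomcat or keytool; hexdump_to_hex, parse_entries and diagnose are names of my own, and the sample listing is constructed from the three aliases in Ralph's output. It flags an alias that is only a trustedCertEntry (the state behind jsse.alias_no_key_entry), checks the SubjectAlternativeName against the expected host name (the mistake Ralph later reported), and walks the chain by matching each AuthorityKeyIdentifier to another entry's SubjectKeyIdentifier.

```python
"""Read a `keytool -list -v` listing and explain why Tomcat raises
jsse.alias_no_key_entry for the connector's key alias. Standard library only."""
import re

# Constructed sample: the three aliases from the listing posted in this thread,
# trimmed to the fields used here, hex dumps re-laid-out in keytool's columns.
SAMPLE_LISTING = """\
Alias name: inter
Entry type: trustedCertEntry
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]
SubjectKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]

Alias name: root
Entry type: trustedCertEntry
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :....g(.....An .
0010: 94 DA 0F DE                                        ....
]
]

Alias name: tomcat
Entry type: trustedCertEntry
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE                                        .,..
]
]
SubjectAlternativeName [
  DNSName: personalitypad.org
  DNSName: www.personalitypad.org
]
"""

def hexdump_to_hex(dump: str) -> str:
    """Collapse keytool's offset/hex/ASCII dump into one compact hex string.
    The ASCII column is cut off by position when the 'XXXX: ' offset is present,
    else read token by token (assumes no isolated uppercase hex pair in ASCII)."""
    out = []
    for line in dump.splitlines():
        m = re.match(r"^[0-9A-Fa-f]{4}: (.{0,49})", line)
        body = m.group(1) if m else line.split(":", 1)[-1]
        out.extend(re.findall(r"(?<!\S)[0-9A-F]{2}(?!\S)", body))
    return "".join(out)

def parse_entries(listing: str) -> dict:
    """One record per alias: entry type, SAN DNS names, SKI and AKI as hex."""
    entries = {}
    for chunk in re.split(r"(?m)^Alias name: ", listing)[1:]:
        alias, _, body = chunk.partition("\n")
        rec = {"type": re.search(r"Entry type: (\S+)", body).group(1),
               "san": re.findall(r"DNSName: (\S+)", body)}
        for key, label in (("ski", "SubjectKeyIdentifier"), ("aki", "AuthorityKeyIdentifier")):
            m = re.search(label + r" \[\s*KeyIdentifier \[\s*(.*?)\n\]", body, re.S)
            rec[key] = hexdump_to_hex(m.group(1)) if m else None
        entries[alias.strip()] = rec
    return entries

def diagnose(listing: str, key_alias: str = "tomcat", hostname: str = "") -> list:
    """Findings for the alias the connector uses (certificateKeyAlias, default
    'tomcat'); an empty list means nothing obviously wrong with the keystore."""
    entries = parse_entries(listing)
    entry = entries.get(key_alias)
    if entry is None:
        return [f"alias '{key_alias}' is not in the keystore"]
    findings = []
    if entry["type"] != "PrivateKeyEntry":
        # The state behind jsse.alias_no_key_entry: cert stored, CSR key not.
        findings.append(f"alias '{key_alias}' is a {entry['type']}, not a PrivateKeyEntry: the private key is missing")
    if hostname and hostname not in entry["san"]:
        findings.append(f"SAN {entry['san']} does not cover '{hostname}'")
    # Walk the chain like a path builder: each AKI must match some entry's SKI.
    alias = key_alias
    while entries[alias]["aki"]:
        issuer = next((a for a, e in entries.items()
                       if e["ski"] == entries[alias]["aki"]), None)
        if issuer is None:
            findings.append(f"issuer of '{alias}' is not in the keystore")
        if issuer in (None, alias):  # missing issuer, or a self-signed root
            break
        alias = issuer
    return findings

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LISTING, "tomcat", "personalitypad.org")))
```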







Re: GoDaddy SSL certificate not working with Tomcat9

2023-03-21 Thread Ralph Grove


> On Mar 21, 2023, at 4:25 AM, Mark Thomas  wrote:
> 
> On 21/03/2023 01:09, Ralph Grove wrote:
>> I'm having a problem installing a new SSL certificate on a GoDaddy-hosted 
>> server running Tomcat. Any suggestions for resolving it would be appreciated.
>> I set up the server last year and installed the SSL certificate with no 
>> problem. This year, after the original certificate expired, I downloaded the 
>> new certificate provided by GoDaddy, removed the old certificate files from 
>> the keystore, and installed the new ones. Now Tomcat is throwing a 
>> "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to 
>> open the HTTPS connector. I also tried rebuilding the keystore from scratch 
>> and requesting a new certificate, but am getting the same exception with 
>> that certificate.
>> These are the commands I used to obtain and install the certificate:
>> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
>> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore 
>> keystore.jks
>> (--request and obtain certificate files from GoDaddy--)
> 
> Did you run the commands below on the same keystore file you created in the 
> first command above?

Yes - it was the same file. I went through the commands twice, just to be sure.
> 
>> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file 
>> gdcerts/gdroot-g2.crt
>> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts -file 
>> gdcerts/gd_bundle-g2-g1.crt
>> sudo keytool -import -alias tomcat -keystore keystore.jks -file 
>> gdcerts/.crt
> 
> What is the output of:
> keytool -list -v -keystore keystore.jks

> sudo keytool -list -v -keystore keystore.jks
Enter keystore password:  
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: inter
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Owner: CN=Go Daddy Secure Certificate Authority - G2, 
OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, 
ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", 
L=Scottsdale, ST=Arizona, C=US
Serial number: 7
Valid from: Tue May 03 03:00:00 EDT 2011 until: Sat May 03 03:00:00 EDT 2031
Certificate fingerprints:
 SHA1: 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
 SHA256: 
97:3A:41:27:6F:FD:01:E0:27:A2:AA:D4:9E:34:C3:78:46:D3:E9:76:FF:6A:62:0B:67:12:E3:38:32:04:1A:A6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.godaddy.com/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
: 3A 9A 85 07 10 67 28 B6   EF F6 BD 05 41 6E 20 C1  :g(.An .
0010: 94 DA 0F DE
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
 [URIName: http://crl.godaddy.com/gdroot-g2.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: : 16 25 68 74 74 70 73 3A   2F 2F 63 65 72 74 73 2E  
.%https://certs.
0010: 67 6F 64 61 64 64 79 2E   63 6F 6D 2F 72 65 70 6F  godaddy.com/repo
0020: 73 69 74 6F 72 79 2F   sitory/

]]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: 40 C2 BD 27 8E CC 34 83   30 A2 33 D7 FB 6C B3 F0  @..'..4.0.3..l..
0010: B4 2C 80 CE.,..
]
]



***
***


Alias name: root
Creation date: Mar 21, 2023
Entry type: trustedCertEntry

Owner: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", 
L=Scottsdale, ST=Arizona, C=US
Issuer: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", 
L=Scottsdale, ST=Arizona, C=US
Serial number: 0
Valid from: Mon Aug 31 20:00:00 EDT 2009 until: Thu Dec 31 18:59:59 EST 2037
Certificate fingerprints:
 SHA1: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
 SHA256: 
45:14:0B:32:47:EB:9C:C8:C5:B4:F0:D7:B5:30:91:F7:32:92:08:9E:6E:5A:63:E2:74:9D:D3:AC:A9:19:8E:DA
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
 

Re: GoDaddy SSL certificate not working with Tomcat9

2023-03-21 Thread Mark Thomas

On 21/03/2023 01:09, Ralph Grove wrote:

I'm having a problem installing a new SSL certificate on a GoDaddy-hosted 
server running Tomcat. Any suggestions for resolving it would be appreciated.

I set up the server last year and installed the SSL certificate with no problem. This 
year, after the original certificate expired, I downloaded the new certificate provided 
by GoDaddy, removed the old certificate files from the keystore, and installed the new 
ones. Now Tomcat is throwing a "java.io.IOException: jsse.alias_no_key_entry" 
exception when it tries to open the HTTPS connector. I also tried rebuilding the keystore 
from scratch and requesting a new certificate, but am getting the same exception with 
that certificate.

These are the commands I used to obtain and install the certificate:

sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore 
keystore.jks

(--request and obtain certificate files from GoDaddy--)


Did you run the commands below on the same keystore file you created in 
the first command above?



sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file 
gdcerts/gdroot-g2.crt

sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts -file 
gdcerts/gd_bundle-g2-g1.crt

sudo keytool -import -alias tomcat -keystore keystore.jks -file 
gdcerts/.crt


What is the output of:
keytool -list -v -keystore keystore.jks


And this is the Tomcat configuration for the connector:












The connector configuration looks OK.

Mark




Re: GoDaddy SSL certificate not working with Tomcat9

2023-03-20 Thread Robert Turner
Pressed send too quickly -- I see different aliases there. Ignore my
previous comments

Using PEM files is much simpler to manage, I would go that route instead...
will make it easier. However, I can't offer any real advice on the specific
issue at this time...

Others will certainly be more helpful than I...sorry.

On Mon, Mar 20, 2023 at 9:14 PM Robert Turner  wrote:

> I believe the default certificate alias used by Tomcat is "tomcat". I
> think you are creating your keystore with the alias "root".
>
> (see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html for docs on
> Tomcat SSL configuration -- adjust for the version you are running)
>
> On Mon, Mar 20, 2023 at 9:09 PM Ralph Grove 
> wrote:
>
>> I'm having a problem installing a new SSL certificate on a GoDaddy-hosted
>> server running Tomcat. Any suggestions for resolving it would be
>> appreciated.
>>
>> I set up the server last year and installed the SSL certificate with no
>> problem. This year, after the original certificate expired, I downloaded
>> the new certificate provided by GoDaddy, removed the old certificate files
>> from the keystore, and installed the new ones. Now Tomcat is throwing a
>> "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to
>> open the HTTPS connector. I also tried rebuilding the keystore from scratch
>> and requesting a new certificate, but am getting the same exception with
>> that certificate.
>>
>> These are the commands I used to obtain and install the certificate:
>>
>> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
>>
>> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
>> -keystore keystore.jks
>>
>> (--request and obtain certificate files from GoDaddy--)
>>
>> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts
>> -file gdcerts/gdroot-g2.crt
>>
>> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts
>> -file gdcerts/gd_bundle-g2-g1.crt
>>
>> sudo keytool -import -alias tomcat -keystore keystore.jks -file
>> gdcerts/.crt
>>
>>
>>
>> And this is the Tomcat configuration for the connector:
>>
>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>
>>   maxThreads="150" SSLEnabled="true">
>>
>>
>>
>>>
>>  type="RSA" certificateKeystorePassword="xx" />
>>
>>
>>
>>
>>
>>
>
>


Re: GoDaddy SSL certificate not working with Tomcat9

2023-03-20 Thread Robert Turner
I believe the default certificate alias used by Tomcat is "tomcat". I think
you are creating your keystore with the alias "root".

(see https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html for docs on
Tomcat SSL configuration -- adjust for the version you are running)

On Mon, Mar 20, 2023 at 9:09 PM Ralph Grove 
wrote:

> I'm having a problem installing a new SSL certificate on a GoDaddy-hosted
> server running Tomcat. Any suggestions for resolving it would be
> appreciated.
>
> I set up the server last year and installed the SSL certificate with no
> problem. This year, after the original certificate expired, I downloaded
> the new certificate provided by GoDaddy, removed the old certificate files
> from the keystore, and installed the new ones. Now Tomcat is throwing a
> "java.io.IOException: jsse.alias_no_key_entry" exception when it tries to
> open the HTTPS connector. I also tried rebuilding the keystore from scratch
> and requesting a new certificate, but am getting the same exception with
> that certificate.
>
> These are the commands I used to obtain and install the certificate:
>
> sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
>
> sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr
> -keystore keystore.jks
>
> (--request and obtain certificate files from GoDaddy--)
>
> sudo keytool -import -alias root -keystore keystore.jks -trustcacerts
> -file gdcerts/gdroot-g2.crt
>
> sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts
> -file gdcerts/gd_bundle-g2-g1.crt
>
> sudo keytool -import -alias tomcat -keystore keystore.jks -file
> gdcerts/.crt
>
>
>
> And this is the Tomcat configuration for the connector:
>
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>
>   maxThreads="150" SSLEnabled="true">
>
>
>
>
>  type="RSA" certificateKeystorePassword="xx" />
>
>
>
>
>
>


GoDaddy SSL certificate not working with Tomcat9

2023-03-20 Thread Ralph Grove
I'm having a problem installing a new SSL certificate on a GoDaddy-hosted 
server running Tomcat. Any suggestions for resolving it would be appreciated.

I set up the server last year and installed the SSL certificate with no 
problem. This year, after the original certificate expired, I downloaded the 
new certificate provided by GoDaddy, removed the old certificate files from the 
keystore, and installed the new ones. Now Tomcat is throwing a 
"java.io.IOException: jsse.alias_no_key_entry" exception when it tries to open 
the HTTPS connector. I also tried rebuilding the keystore from scratch and 
requesting a new certificate, but am getting the same exception with that 
certificate. 

These are the commands I used to obtain and install the certificate:

sudo keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks

sudo keytool -certreq -keyalg RSA -alias tomcat -file certreq.csr -keystore 
keystore.jks

(--request and obtain certificate files from GoDaddy--)

sudo keytool -import -alias root -keystore keystore.jks -trustcacerts -file 
gdcerts/gdroot-g2.crt

sudo keytool -import -alias inter -keystore keystore.jks -trustcacerts -file 
gdcerts/gd_bundle-g2-g1.crt

sudo keytool -import -alias tomcat -keystore keystore.jks -file 
gdcerts/.crt

 

And this is the Tomcat configuration for the connector:

   

   

   

   

   

 

Re: Basic SSL Certificate Usage logging

2023-02-16 Thread Mark Thomas

On 16/02/2023 16:44, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark!

Thanks so much. Please provide the sample code. :-)


https://people.apache.org/~markt/dev/custom-certificate-debug-logs.txt

Enjoy.

Mark





RE: Basic SSL Certificate Usage logging

2023-02-16 Thread jonmcalexander
Hi Mark!

Thanks so much. Please provide the sample code. :-)

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, February 16, 2023 8:09 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 15/02/2023 23:03, Mark Thomas wrote:
> > On 15/02/2023 22:56, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> They also had this question.
> >>
> >> There seems to be no need to print both TEXT and HEX representations,
> >> like below (just HEX string should be fine):
> >> KeyIdentifier [
> >> : CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57
> >> .5..b.e..F.W
> >> 0010: 43 46 E8 FD    CF..
> >> ]
> >
> > That is just the way the toString() is written. Short of rewriting the
> > toString() method (which I am trying to avoid) I don't see a way to
> > address that.
> 
> I ended up with the following:
> 
> SHA-1 and SHA-256 fingerprints included before the main certificate info and
> X509Certificate.toString() used to provide the certificate info.
> 
> I looked at rewriting the toString() but it would require a lot of effort (and
> volume of code).
> 
> Given that different folks may want slightly different output, I opted to make
> it easier for folks to write and use custom endpoints. If you want to
> customise the output it is relatively simple to do. You need:
> - a custom endpoint
>- extends existing endpoint
>- override logCertificate() and/or generateCertificateDebug()
> - a custom protocol
>- extends matching protocol for endpoint
>- no-arg constructor needs to call super constructor with custom
>  endpoint
> 
> and you shouldn't need to recompile to move between Tomcat point
> releases.
> 
> I can provide sample code if anyone wants to try this themselves and isn't
> sure where to start.
> 
> Mark
> 



Re: Basic SSL Certificate Usage logging

2023-02-16 Thread Mark Thomas

On 15/02/2023 23:03, Mark Thomas wrote:

On 15/02/2023 22:56, jonmcalexan...@wellsfargo.com.INVALID wrote:

They also had this question.

There seems to be no need to print both TEXT and HEX representations, 
like below (just HEX string should be fine):

KeyIdentifier [
: CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57  .5..b.e..F.W
0010: 43 46 E8 FD    CF..
]


That is just the way the toString() is written. Short of rewriting the 
toString() method (which I am trying to avoid) I don't see a way to 
address that.


I ended up with the following:

SHA-1 and SHA-256 fingerprints included before the main certificate info
and X509Certificate.toString() used to provide the certificate info.

I looked at rewriting the toString() but it would require a lot of 
effort (and volume of code).


Given that different folks may want slightly different output, I opted 
to make it easier for folks to write and use custom endpoints. If you 
want to customise the output it is relatively simple to do. You need:

- a custom endpoint
  - extends existing endpoint
  - override logCertificate() and/or generateCertificateDebug()
- a custom protocol
  - extends matching protocol for endpoint
  - no-arg constructor needs to call super constructor with custom
endpoint

and you shouldn't need to recompile to move between Tomcat point releases.

I can provide sample code if anyone wants to try this themselves and 
isn't sure where to start.


Mark




Re: Basic SSL Certificate Usage logging

2023-02-15 Thread Mark Thomas

On 15/02/2023 22:56, jonmcalexan...@wellsfargo.com.INVALID wrote:

They also had this question.

There seems to be no need to print both TEXT and HEX representations, like 
below (just HEX string should be fine):
KeyIdentifier [
: CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57  .5..b.e..F.W
0010: 43 46 E8 FDCF..
]


That is just the way the toString() is written. Short of rewriting the 
toString() method (which I am trying to avoid) I don't see a way to 
address that.


Mark







-Original Message-
From: Mark Thomas 
Sent: Wednesday, February 15, 2023 4:48 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 15/02/2023 22:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

I got a big thumbs up from our team here. They did have 2 questions and of
course you can just tell us to go pound sand.


1. Can this be printed in JSON format, for easier parsing?  (or even
make it a config parameter – PLAIN / JSON / XML)


Not without (a lot?) more work. Currently the code just does cert.toString().


2. Is it possible to calculate and print the 2 default types of fingerprints
that modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?

I should be able to do something for those. My preference would be to
provide the SHA256 fingerprint.

Mark



As always THANK YOU!!!





-Original Message-
From: Mark Thomas 
Sent: Wednesday, February 15, 2023 2:17 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 10/02/2023 15:42, jonmcalexan...@wellsfargo.com.INVALID wrote:

Once again, Awesome Possum! You guys are the greatest!


How about this? (uses the simple toString() approach)



https://people.apache.org/~markt/dev/cert-log-example.txt

Enabled with:

org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL

in logging.properties

(I tried pasting in-line but the line breaks in email mess up the
formatting)

Mark













-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Basic SSL Certificate Usage logging

2023-02-15 Thread jonmcalexander
Clarification:

was:
KeyIdentifier [
: CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57  .5..b.e..F.W
0010: 43 46 E8 FDCF..
]

should be:
CD35CBAD629165C4C546C8C30AC7D3574346E8FD


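A defender-side version of what this thread asks for, as an added example and not Tomcat's own code: it reads one keystore entry (the log line quoted later in the thread names conf/localhost-rsa.jks and alias tomcat) and prints the fields listed in the thread one per line, with the SubjectKeyIdentifier and the SHA-1/SHA-256 fingerprints as single hex strings instead of the hexdump that toString() produces. The class name, the helper names, the SAN labels and the key-usage/EKU display names are my choices, not Tomcat's.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

/** Added example, not Tomcat code: prints the fields requested in this thread one per line,
 *  with the key identifier and fingerprints as plain hex strings rather than a hexdump. */
public class CertSummary {
    private static final String[] KEY_USAGE = {"Digital Signature", "Non Repudiation",
        "Key Encipherment", "Data Encipherment", "Key Agreement", "Certificate Sign",
        "CRL Sign", "Encipher Only", "Decipher Only"};
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02X", b));
        return sb.toString();
    }
    // Browser-style fingerprint: a digest over the DER encoding of the whole certificate.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        return hex(MessageDigest.getInstance(algorithm).digest(cert.getEncoded()));
    }
    // SubjectKeyIdentifier (OID 2.5.29.14): getExtensionValue() returns the extension's DER
    // OCTET STRING, which wraps a second OCTET STRING holding the id: 04 len 04 len id-bytes.
    static String subjectKeyIdentifier(X509Certificate cert) {
        byte[] der = cert.getExtensionValue("2.5.29.14");
        if (der == null) return "(absent)";
        boolean shortForm = der.length >= 4 && der[0] == 0x04 && der[2] == 0x04
                && der[3] > 0 && 4 + der[3] <= der.length;   // 20- or 32-byte hash ids fit here
        return shortForm ? hex(Arrays.copyOfRange(der, 4, 4 + der[3])) : "(unsupported) " + hex(der);
    }
    static String keyUsage(X509Certificate cert) {
        boolean[] bits = cert.getKeyUsage();
        if (bits == null) return "(absent)";
        List<String> names = new ArrayList<>();
        for (int i = 0; i < bits.length && i < KEY_USAGE.length; i++) if (bits[i]) names.add(KEY_USAGE[i]);
        return String.join(", ", names);
    }
    static String extendedKeyUsage(X509Certificate cert) throws Exception {
        List<String> oids = cert.getExtendedKeyUsage();
        if (oids == null) return "(absent)";
        List<String> names = new ArrayList<>();
        for (String oid : oids) {
            String name = oid.equals("1.3.6.1.5.5.7.3.1") ? "Server Authentication"
                    : oid.equals("1.3.6.1.5.5.7.3.2") ? "Client Authentication" : "Other";
            names.add(name + " (" + oid + ")");
        }
        return String.join(", ", names);
    }
    // GeneralName tags: 1 = rfc822Name, 2 = dNSName, 7 = iPAddress; others keep their tag number.
    static String subjectAltNames(X509Certificate cert) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return "(absent)";
        List<String> out = new ArrayList<>();
        for (List<?> san : sans) {
            int tag = (Integer) san.get(0);
            String label = tag == 1 ? "EMAIL" : tag == 2 ? "DNS" : tag == 7 ? "IP" : "TAG" + tag;
            out.add(label + "=" + san.get(1));
        }
        return String.join(";", out);
    }

    static String publicKey(PublicKey key) {
        if (key instanceof RSAPublicKey) return "RSA " + ((RSAPublicKey) key).getModulus().bitLength();
        if (key instanceof ECPublicKey)  // a 256-bit field is P-256 for the JDK's secp256r1 curve
            return "ECDSA " + ((ECPublicKey) key).getParams().getCurve().getField().getFieldSize();
        return key.getAlgorithm();
    }

    static String summarize(X509Certificate cert) throws Exception {
        return "Subject=" + cert.getSubjectX500Principal().getName()
            + "\n  SAN=" + subjectAltNames(cert)
            + "\n  Issuer=" + cert.getIssuerX500Principal().getName()
            + "\n  NotBefore=" + cert.getNotBefore().toInstant() + "  NotAfter=" + cert.getNotAfter().toInstant()
            + "\n  KeyUsage=" + keyUsage(cert) + "\n  ExtendedKeyUsage=" + extendedKeyUsage(cert)
            + "\n  SerialNumber=" + cert.getSerialNumber().toString(16)
            + "\n  SubjectKeyIdentifier=" + subjectKeyIdentifier(cert)
            + "\n  FingerprintSHA1=" + fingerprint(cert, "SHA-1")
            + "\n  FingerprintSHA256=" + fingerprint(cert, "SHA-256")
            + "\n  PublicKey=" + publicKey(cert.getPublicKey());
    }

    // Usage: CertSummary <keystore> <password> <alias>, e.g. conf/localhost-rsa.jks and alias
    // tomcat from the log line quoted in this thread. Prints every certificate in the chain.
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) { ks.load(in, args[1].toCharArray()); }
        Certificate[] chain = ks.getCertificateChain(args[2]);  // null for a trusted-cert entry
        if (chain == null) chain = new Certificate[] {ks.getCertificate(args[2])};
        if (chain[0] == null) throw new IllegalArgumentException("no entry for alias " + args[2]);
        for (int i = 0; i < chain.length; i++) System.out.println("[" + i + "] " + summarize((X509Certificate) chain[i]));
    }
}
```

Compare the SubjectKeyIdentifier and FingerprintSHA256 lines against what the browser shows for the same server to confirm the chain Tomcat loaded is the one you expect.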
RE: Basic SSL Certificate Usage logging

2023-02-15 Thread jonmcalexander
They also had this question.

There seems to be no need to print both TEXT and HEX representations, like 
below (just HEX string should be fine):
KeyIdentifier [
: CD 35 CB AD 62 91 65 C4   C5 46 C8 C3 0A C7 D3 57  .5..b.e..F.W
0010: 43 46 E8 FDCF..
]




Re: Basic SSL Certificate Usage logging

2023-02-15 Thread Mark Thomas

On 15/02/2023 22:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

I got a big thumbs up from our team here. They did have 2 questions and of 
course you can just tell us to go pound sand.

1. Can this be printed in JSON format, for easier parsing?  (or even make it a 
config parameter – PLAIN / JSON / XML)


Not without (a lot?) more work. Currently the code just does 
cert.toString().



2. Is it possible to calculate and print the 2 default types of fingerprints 
that modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?


I should be able to do something for those. My preference would be to 
provide the SHA256 fingerprint.


Mark






RE: Basic SSL Certificate Usage logging

2023-02-15 Thread jonmcalexander
Hi Mark,

I got a big thumbs up from our team here. They did have 2 questions and of 
course you can just tell us to go pound sand.

1. Can this be printed in JSON format, for easier parsing?  (or even make it a 
config parameter – PLAIN / JSON / XML)
2. Is it possible to calculate and print the 2 default types of fingerprints 
that modern browsers are showing (FingerprintSHA1, FingerprintSHA256)?

As always THANK YOU!!!




RE: Basic SSL Certificate Usage logging

2023-02-15 Thread jonmcalexander
Thanks Mark. I'm checking with the requestor on my end.




Re: Basic SSL Certificate Usage logging

2023-02-15 Thread Mark Thomas

On 10/02/2023 15:42, jonmcalexan...@wellsfargo.com.INVALID wrote:

Once again, Awesome Possum! You guys are the greatest!


How about this? (uses the simple toString() approach)

https://people.apache.org/~markt/dev/cert-log-example.txt

Enabled with:

org.apache.tomcat.util.net.NioEndpoint.certificate.level = ALL

in logging.properties

(I tried pasting in-line but the line breaks in email mess up the 
formatting)


Mark




RE: Basic SSL Certificate Usage logging

2023-02-10 Thread jonmcalexander
Once again, Awesome Possum! You guys are the greatest!


Re: Basic SSL Certificate Usage logging

2023-02-10 Thread Mark Thomas

On 09/02/2023 19:49, Christopher Schultz wrote:

Jon,

On 2/9/23 11:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

My thinking is that the teams requesting that I look into if this is
possible or not would prefer to be able to get the more detailed
information if possible. How much extra work is required to have a
dedicated logger for it, as well as keeping the current message in
the current logging?

It shouldn't be that much work, but it is a lot of output.


+1


Mark, isn't this already a dedicated logger?

org.apache.tomcat.util.net.AbstractEndpoint.logCertificate


Unfortunately not. That is the method name.

+1 to using the log-level as the arbiter for, well, how much logging to 
do. :)


:)

I'll try and get this done in time for the next release round.

Mark



-chris


-Original Message-
From: Mark Thomas 
Sent: Thursday, February 9, 2023 3:24 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Hi Jon,

The current message looks like this:

09-Feb-2023 09:09:53.939 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA] configured from [conf/localhost-rsa.jks] using alias [tomcat] and with trust store [null]

The intention is to make clear, for each configured server certificate, which configuration files are being used. The idea being that you can then examine the relevant files if there is an issue.

There is a balance to strike in terms of providing useful detail and providing too much detail in the default logs. Everything below feels like too much detail.

One option would be to switch this message to a dedicated logger and then provide more/all details if debug logging is enabled. Moving this to a dedicated logger would allow debug logging to be enabled for that logger without changing the logging for the entire endpoint.

Mark


On 08/02/2023 18:36, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

As a follow-up, some of my compatriots are asking if we can get all or some of these details in the log as well? Wanted to ask early if possible.

•    Subject
o    Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells Fargo,C=US
o    Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
o    Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells Fargo,C=US
•    SAN (aka Subject Alternative Names)
o    Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
o    Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
o    Ex: EMAIL:some.n...@wellsfargo.com;EMAIL:some.name@wellsfargo.com
•    Issuer
o    Ex: CN=Wells Fargo Enterprise Certification Authority 05-2 G2,OU=Wells Fargo Certification Authorities,O=Wells Fargo,C=US
•    ValidFrom (aka NotBefore)
o    Ex: 2022-05-18T05:09:27Z
•    ValidTo (aka NotAfter)
o    Ex: 2024-05-17T05:09:27Z
•    KeyUsage
o    Ex: Digital Signature, Key Encipherment, Data Encipherment
•    KeyUsageExtended
o    Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)
•    SerialNumber
o    Ex: 6a0006e41935f80460711c1876e419
•    FingerprintSHA1 (aka Thumbprint)
o    Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
•    FingerprintSHA256
o    Ex: DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4E41
•    PublicKeyAlgo
o    Ex: RSA
o    Ex: ECDSA
•    PublicKeySize
o    Ex: 2048
o    Ex: P-256

Thank you,





-Original Message-
From: Mark Thomas 
Sent: Wednesday, February 8, 2023 10:37 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

So, is this something that can/will be added in the future? I tested my thought of setting the java logging.properties to a specific file in the command line but it didn't do what I had hoped.

Already added. Will be in the next round of releases.

Mark




Thanks,


Re: Basic SSL Certificate Usage logging

2023-02-09 Thread Christopher Schultz

Jon,

On 2/9/23 11:39, jonmcalexan...@wellsfargo.com.INVALID wrote:

My thinking is that the teams requesting that I look into if this is
possible or not would prefer to be able to get the more detailed
information if possible. How much extra work is required to have a
dedicated logger for it, as well as keeping the current message in
the current logging?

It shouldn't be that much work, but it is a lot of output.

Mark, isn't this already a dedicated logger?

org.apache.tomcat.util.net.AbstractEndpoint.logCertificate

+1 to using the log-level as the arbiter for, well, how much logging to 
do. :)


-chris



RE: Basic SSL Certificate Usage logging

2023-02-09 Thread jonmcalexander
Hi Mark,

My thinking is that the teams requesting that I look into if this is possible 
or not would prefer to be able to get the more detailed information if 
possible. How much extra work is required to have a dedicated logger for it, as 
well as keeping the current message in the current logging?

Thanks again for everything!


> -Original Message-
> From: Mark Thomas 
> Sent: Thursday, February 9, 2023 3:24 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> Hi Jon,
> 
> The current message looks like this:
> 
> 09-Feb-2023 09:09:53.939 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-8443], TLS virtual host [_default_], certificate type [RSA] configured from [conf/localhost-rsa.jks] using alias [tomcat] and with trust store [null]
> 
> The intention is to make clear, for each configured server certificate, which
> configuration files are being used. The idea being that you can then examine
> the relevant files if there is an issue.
> 
> There is a balance to strike in terms of providing useful detail and providing
> too much detail in the default logs. Everything below feels like too much
> detail.
> 
> One option would be to switch this message to a dedicated logger and then
> provide more/all details if debug logging is enabled. Moving this to a
> dedicated logger would allow debug logging to be enabled for that logger
> without changing the logging for the entire endpoint.
> 
> Mark

Re: Basic SSL Certificate Usage logging

2023-02-09 Thread Mark Thomas

Hi Jon,

The current message looks like this:

09-Feb-2023 09:09:53.939 INFO [main] 
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector 
[https-jsse-nio-8443], TLS virtual host [_default_], certificate type 
[RSA] configured from [conf/localhost-rsa.jks] using alias [tomcat] and 
with trust store [null]


The intention is to make clear, for each configured server certificate, 
which configuration files are being used. The idea being that you can 
then examine the relevant files if there is an issue.


There is a balance to strike in terms of providing useful detail and 
providing too much detail in the default logs. Everything below feels 
like too much detail.


One option would be to switch this message to a dedicated logger and 
then provide more/all details if debug logging is enabled. Moving this 
to a dedicated logger would allow debug logging to be enabled for that 
logger without changing the logging for the entire endpoint.


Mark

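
As an added example (not from this thread and not Tomcat's shipped configuration), the conf/logging.properties fragment below routes the startup certificate line to its own file by giving the endpoint's logger a dedicated JULI handler. The handler name `5tls` and the file prefix are assumptions. Because the message is currently emitted by `org.apache.tomcat.util.net.AbstractEndpoint` at INFO, the logger is left at INFO: raising it to FINE would also capture the rest of the endpoint's debug output, which is the trade-off Mark describes above.

```properties
# Added to conf/logging.properties (example, not Tomcat's default file).
# Handler names carry a numeric prefix so several instances of the same class can coexist;
# this is Tomcat's default handler list plus one extra AsyncFileHandler named 5tls.
handlers = 1catalina.org.apache.juli.AsyncFileHandler, 2localhost.org.apache.juli.AsyncFileHandler, 3manager.org.apache.juli.AsyncFileHandler, 4host-manager.org.apache.juli.AsyncFileHandler, 5tls.org.apache.juli.AsyncFileHandler, java.util.logging.ConsoleHandler

# Dedicated file for the TLS certificate line(s); prefix and retention are assumptions
5tls.org.apache.juli.AsyncFileHandler.level = INFO
5tls.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs
5tls.org.apache.juli.AsyncFileHandler.prefix = tls-certificates.
5tls.org.apache.juli.AsyncFileHandler.maxDays = 90
5tls.org.apache.juli.AsyncFileHandler.encoding = UTF-8

# The "Connector [...] TLS virtual host [...] certificate type [...] configured from [...]"
# line is logged at INFO by this logger. Keep INFO here: FINE would also switch on the
# endpoint's general debug logging, not just the certificate details.
org.apache.tomcat.util.net.AbstractEndpoint.level = INFO
org.apache.tomcat.util.net.AbstractEndpoint.handlers = 5tls.org.apache.juli.AsyncFileHandler
# useParentHandlers is left at its default (true) so catalina.log still receives the line
```

Once a dedicated logger exists for the certificate details, the same pattern applies to it: point that logger name at the `5tls` handler and set only that logger to FINE, leaving `org.apache.tomcat.util.net.AbstractEndpoint` at INFO.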

RE: Basic SSL Certificate Usage logging

2023-02-08 Thread jonmcalexander
Hi Mark,

As a follow-up, some of my compatriots are asking if we can get all or some of 
these details in the log as well? Wanted to ask early if possible.

•   Subject 
o   Ex: CN=splunk.glb.wellsfargo.net,OU=TMS-ADCS,O=Wells Fargo,C=US
o   Ex: CN=9COM,OU=APP,OU=9COM,OU=ECS,O=Wells Fargo,C=US
o   Ex: CN=WFA-9CUS-PROD.wellsfargo.com,OU=9CUS,O=Wells Fargo,C=US
•   SAN (aka Subject Alternative Names)
o   Ex: DNS=splunk.wellsfargo.net;DNS=splunk.wellsfargo.com
o   Ex: IP=170.43.135.39;DNS=nc-sils-dpb-znp10.wellsfargo.com;
o   Ex: EMAIL:some.n...@wellsfargo.com;EMAIL:some.name@wellsfargo.com
•   Issuer
o   Ex: CN=Wells Fargo Enterprise Certification Authority 05-2 G2,OU=Wells 
Fargo Certification Authorities,O=Wells Fargo,C=US
•   ValidFrom (aka NotBefore)
o   Ex: 2022-05-18T05:09:27Z
•   ValidTo (aka NotAfter)
o   Ex: 2024-05-17T05:09:27Z
•   KeyUsage
o   Ex: Digital Signature, Key Encipherment, Data Encipherment
•   KeyUsageExtended
o   Ex: Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication 
(1.3.6.1.5.5.7.3.1)
•   SerialNumber
o   Ex: 6a0006e41935f80460711c1876e419
•   FingerprintSHA1 (aka Thumbprint)
o   Ex: 679323d7dcc9307d8696a88e0f1a8d4069a412b6
•   FingerprintSHA256
o   Ex: DC5044B2E6A173CB2B05CEE54AA5B185DD6D4A341DC36B3CCB0DC99782DD4E41
•   PublicKeyAlgo
o   Ex: RSA
o   Ex: ECDSA
•   PublicKeySize
o   Ex: 2048
o   Ex: P-256

Thank you,



> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
> 
> Already added. Will be in the next round of releases.
> 
> Mark
> 
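
The Java program below is an added example, not Tomcat code and not from anyone in this thread: given the keystore and alias that Tomcat's startup line names, it prints the fields in the list above (subject, SAN, issuer, validity, key usage, extended key usage, serial number, SHA-1 and SHA-256 fingerprints, public key algorithm and size) as one JSON object per key entry, which is the shape the Elastic ingestion mentioned elsewhere in the thread wants. It assumes Java 11 or later; the class name, argument order and JSON field names are my choices.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.ECPublicKey;
import java.security.interfaces.RSAPublicKey;
import java.time.format.DateTimeFormatter;
import java.util.*;
import javax.security.auth.x500.X500Principal;

/**
 * Added example, not Tomcat code: prints, for each key entry in a keystore, the
 * certificate fields requested in this thread as one JSON object per line.
 * Usage: java CertInventory <keystore> <storepass> [alias]   (Java 11 or later)
 */
public final class CertInventory {

    // Names for the KeyUsage bits in the order X509Certificate.getKeyUsage() returns them
    private static final String[] KEY_USAGE = {"Digital Signature", "Non Repudiation",
        "Key Encipherment", "Data Encipherment", "Key Agreement", "Certificate Signing",
        "CRL Signing", "Encipher Only", "Decipher Only"};
    // Extended key usage OIDs that matter for a TLS server; anything else is printed raw
    private static final Map<String, String> EKU = Map.of(
        "1.3.6.1.5.5.7.3.1", "Server Authentication",
        "1.3.6.1.5.5.7.3.2", "Client Authentication");

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java CertInventory <keystore> <storepass> [alias]");
            System.exit(2);
        }
        String wanted = args.length > 2 ? args[2] : null;
        // Default type is PKCS12 on modern JDKs; the JDK also opens JKS files through it
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // Only key entries can be server certificates; trusted-cert entries are skipped
            if (!ks.isKeyEntry(alias) || (wanted != null && !wanted.equals(alias))) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) continue;
            System.out.println(describe(alias, (X509Certificate) chain[0])); // leaf only
        }
    }

    static String describe(String alias, X509Certificate c) throws Exception {
        Map<String, Object> f = new LinkedHashMap<>();
        f.put("alias", alias);
        f.put("subject", c.getSubjectX500Principal().getName(X500Principal.RFC2253));
        f.put("san", sans(c));
        f.put("issuer", c.getIssuerX500Principal().getName(X500Principal.RFC2253));
        f.put("notBefore", DateTimeFormatter.ISO_INSTANT.format(c.getNotBefore().toInstant()));
        f.put("notAfter", DateTimeFormatter.ISO_INSTANT.format(c.getNotAfter().toInstant()));
        List<String> ku = new ArrayList<>();
        boolean[] bits = c.getKeyUsage();                       // null when the extension is absent
        for (int i = 0; bits != null && i < bits.length && i < KEY_USAGE.length; i++) {
            if (bits[i]) ku.add(KEY_USAGE[i]);
        }
        f.put("keyUsage", ku);
        List<String> eku = new ArrayList<>();
        List<String> oids = c.getExtendedKeyUsage();            // null when the extension is absent
        if (oids != null) for (String oid : oids) eku.add(EKU.getOrDefault(oid, oid) + " (" + oid + ")");
        f.put("extendedKeyUsage", eku);
        f.put("serialNumber", c.getSerialNumber().toString(16));
        byte[] der = c.getEncoded();                            // fingerprints are over the DER bytes
        f.put("fingerprintSHA1", hex(MessageDigest.getInstance("SHA-1").digest(der)));
        f.put("fingerprintSHA256", hex(MessageDigest.getInstance("SHA-256").digest(der)));
        PublicKey pk = c.getPublicKey();
        f.put("publicKeyAlgo", pk.getAlgorithm());              // "RSA" or "EC"
        int keyBits = pk instanceof RSAPublicKey ? ((RSAPublicKey) pk).getModulus().bitLength()
                : pk instanceof ECPublicKey ? ((ECPublicKey) pk).getParams().getCurve().getField().getFieldSize()
                : -1;
        f.put("publicKeySize", keyBits);                         // 2048 for RSA-2048, 256 for P-256
        return json(f);
    }

    // GeneralName tags from RFC 5280: 1 = rfc822Name, 2 = dNSName, 7 = iPAddress
    static List<String> sans(X509Certificate c) throws Exception {
        List<String> out = new ArrayList<>();
        Collection<List<?>> names = c.getSubjectAlternativeNames(); // null when there is no SAN
        if (names == null) return out;
        for (List<?> n : names) {
            int tag = (Integer) n.get(0);
            String label = tag == 2 ? "DNS" : tag == 7 ? "IP" : tag == 1 ? "EMAIL" : "tag" + tag;
            out.add(label + "=" + n.get(1));
        }
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    // Just enough JSON for strings, numbers and lists of strings; no external library needed
    static String json(Map<String, Object> m) {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, Object> e : m.entrySet()) {
            if (sb.length() > 1) sb.append(',');
            sb.append(q(e.getKey())).append(':');
            Object v = e.getValue();
            if (v instanceof List) {
                List<?> l = (List<?>) v;
                sb.append('[');
                for (int i = 0; i < l.size(); i++) sb.append(i > 0 ? "," : "").append(q(String.valueOf(l.get(i))));
                sb.append(']');
            } else if (v instanceof Number) {
                sb.append(v);
            } else {
                sb.append(q(String.valueOf(v)));
            }
        }
        return sb.append('}').toString();
    }
    static String q(String s) {
        return '"' + s.replace("\\", "\\\\").replace("\"", "\\\"") + '"';
    }
}
```

Run it against the file and alias from the startup line, for example `java CertInventory conf/localhost-rsa.jks changeit tomcat`. Two caveats: the store password on the command line is visible in process listings, so in production read it from a file with restricted permissions; and only the leaf certificate of each entry is described, while Tomcat serves the whole chain stored under the alias, so an expired or wrong intermediate in the chain will not show up here.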

RE: Basic SSL Certificate Usage logging

2023-02-08 Thread jonmcalexander
And thank you!



> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
> 
> Already added. Will be in the next round of releases.
> 
> Mark

RE: Basic SSL Certificate Usage logging

2023-02-08 Thread jonmcalexander
Awesome Possum Boss!!!



> -Original Message-
> From: Mark Thomas 
> Sent: Wednesday, February 8, 2023 10:37 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Hi Mark,
> >
> > So, is this something that can/will be added in the future? I tested my
> thought of setting the java logging.properties to a specific file in the
> command line but it didn't do what I had hoped.
> 
> Already added. Will be in the next round of releases.
> 
> Mark

Re: Basic SSL Certificate Usage logging

2023-02-08 Thread Mark Thomas

On 08/02/2023 16:24, jonmcalexan...@wellsfargo.com.INVALID wrote:

Hi Mark,

So, is this something that can/will be added in the future? I tested my thought 
of setting the java logging.properties to a specific file in the command line 
but it didn't do what I had hoped.


Already added. Will be in the next round of releases.

Mark




Thanks,




-Original Message-
From: Mark Thomas 
Sent: Tuesday, January 10, 2023 8:23 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

On 10/01/2023 13:52, Christopher Schultz wrote:

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.

So it sounds like just dumping-out the configured certificates, etc.
to something like the debug log from Connector or SSLHostConfig or
similar would work?

Or would you want that information available to the application so you
can log it in some very specific way? Note that you can already get
the SSLHostConfig info via JMX if you are willing to do that.


How about something like this:

10-Jan-2023 14:21:07.951 INFO [main]
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
configured from [conf/localhost-rsa.jks] using alias [null] and with trust store
[null]

?

Mark



-chris



Thanks,



-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient.
I'm thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know
how to specify where to log the information.

java.security.debug is really a blunt instrument. It's unfortunate
that it's one of the only ways to get information out of the TLS
stack. It would have been great if Java had started using its own
logging system once it was introduced, but no.

That debugging tool always dumps to stdout (or stderr?) and you have
very little control over where it goes.

You would never want to use it for ongoing logging. It truly is for
debugging-
only.

The good news is that application code should be able to get the
information you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?

What do you mean "during startup"? I originally read that as "for
incoming connections" thinking that you wanted to log which cert was
used for a particular request. But it sounds like maybe you are
asking for something to just be logged one-time during startup?

-chris



Thanks,


RE: Basic SSL Certificate Usage logging

2023-02-08 Thread jonmcalexander
Hi Mark,

So, is this something that can/will be added in the future? I tested my thought 
of setting the java logging.properties to a specific file in the command line 
but it didn't do what I had hoped.

Thanks,



> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, January 10, 2023 8:23 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 10/01/2023 13:52, Christopher Schultz wrote:
> > Jon,
> >
> > On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> Yes Chris, It's just for during startup. For a particular instance I
> >> would like to capture the Certificate Info and Truststore being used
> >> and pipe that into a separate log/txt file.
> > So it sounds like just dumping-out the configured certificates, etc.
> > to something like the debug log from Connector or SSLHostConfig or
> > similar would work?
> >
> > Or would you want that information available to the application so you
> > can log it in some very specific way? Note that you can already get
> > the SSLHostConfig info via JMX if you are willing to do that.
> 
> How about something like this:
> 
> 10-Jan-2023 14:21:07.951 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
> configured from [conf/localhost-rsa.jks] using alias [null] and with trust
> store [null]
> 
> ?
> 
> Mark

RE: Basic SSL Certificate Usage logging

2023-01-10 Thread jonmcalexander
:-) Christopher,

This is where my not being a developer really shines out. :-)



> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, January 10, 2023 4:27 PM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> Jon,
> 
> On 1/10/23 13:37, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Ultimately it would be nice to be able to log it in JSON format for
> > ingestion by Elastic or something similar.
> If you want JSON-formatted logs, then configure JSON-formatted logs.
> JSON embedded in JSON is a little silly:
> 
> {
>   "timestamp":"2023-01-10T22:24:00Z",
>   "level":"INFO",
>   "logger":"org.apache.tomcat.util.net.AbstractEndpoint.logCertificate",
>   "message":"{\"tlsVirtualHost\":\"_default_\",\"tlsCertificateType\":\"RSA\", ... }"
> }
> 
> Isn't this what logstash is for?
> 
> -chris
> 
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Tuesday, January 10, 2023 7:52 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> Jon,
> >>
> >> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Yes Chris, It's just for during startup. For a particular instance I
> >>> would like to capture the Certificate Info and Truststore being used
> >>> and pipe that into a separate log/txt file.
> >> So it sounds like just dumping-out the configured certificates, etc.
> >> to something like the debug log from Connector or SSLHostConfig or
> >> similar would work?
> >>
> >> Or would you want that information available to the application so
> >> you can log it in some very specific way? Note that you can already
> >> get the SSLHostConfig info via JMX if you are willing to do that.
> >>
> >> -chris
> >>
> >>>
> >>> Thanks,
> >>>
> >>>
> >>>> -Original Message-
> >>>> From: Christopher Schultz 
> >>>> Sent: Monday, January 9, 2023 8:10 AM
> >>>> To: users@tomcat.apache.org
> >>>> Subject: Re: Basic SSL Certificate Usage logging
> >>>>
> >>>> Jon,
> >>>>
> >>>> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>>> Thanks for the info.
> >>>>>
> >>>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>>> I'm thinking that I can add this to the java options as
> >>>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>>> how to specify where to log the information.
> >>>> java.security.debug is really a blunt instrument. It'

Re: Basic SSL Certificate Usage logging

2023-01-10 Thread Christopher Schultz

Jon,

On 1/10/23 13:37, jonmcalexan...@wellsfargo.com.INVALID wrote:

Ultimately it would be nice to be able to log it in JSON format for
ingestion by Elastic or something similar.
If you want JSON-formatted logs, then configure JSON-formatted logs. 
JSON embedded in JSON is a little silly:


{
  "timestamp":"2023-01-10T22:24:00Z",
  "level":"INFO",
  "logger":"org.apache.tomcat.util.net.AbstractEndpoint.logCertificate"

"message":"{\"tlsVirtualHost\":\"_default_\",\"tlsCertificateType\":\"RSA\", 
... }"

}

Isn't this what logstash is for?

-chris


-Original Message-
From: Christopher Schultz 
Sent: Tuesday, January 10, 2023 7:52 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.

So it sounds like just dumping-out the configured certificates, etc. to
something like the debug log from Connector or SSLHostConfig or similar
would work?

Or would you want that information available to the application so you can
log it in some very specific way? Note that you can already get the
SSLHostConfig info via JMX if you are willing to do that.

-chris



Thanks,




-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.

java.security.debug is really a blunt instrument. It's unfortunate
that it's one of the only ways to get information out of the TLS
stack. It would have been great if Java had started using its own
logging system once it was introduced, but no.

That debugging tool always dumps to stdout (or stderr?) and you have
very little control over where it goes.

You would never want to use it for ongoing logging. It truly is for
debugging-only.

The good news is that application code should be able to get the
information you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?

What do you mean "during startup"? I originally read that as "for
incoming connections" thinking that you wanted to log which cert was
used for a particular request. But it sounds like maybe you are
asking for something to just be logged one-time during startup?

-chris



Thanks,




-Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI
makes things a little more complicated but we should be able to do

something.

What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and 
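Chris's point above is that the certificate fields belong at the top level of the JSON event, and that turning Tomcat's plain-text startup line into such an event is the log shipper's job. As an added example for this thread (not Tomcat code and not from any of the posters), here is that transformation in Python: it parses a startup line in the shape Mark Thomas proposes further down the thread into a flat JSON event, and it also flattens the nested "JSON inside JSON" shape if that is what a logger emits. The log lines are constructed for the example; the output field names and the assumption that the JVM logs in UTC are the example's own.

```python
"""Turn Tomcat's plain-text TLS startup log line into a flat JSON event.

Added example for this thread; not Tomcat code. The output field names
(tlsConnector, tlsVirtualHost, ...) and the UTC assumption are the
example's own choices.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the log line Mark Thomas proposes in this
# thread (not captured Tomcat output). The third line is an ordinary startup
# message, to show that non-certificate lines pass through without TLS fields.
SAMPLE_LOG = """\
10-Jan-2023 14:21:07.951 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA] configured from [conf/localhost-rsa.jks] using alias [null] and with trust store [null]
10-Jan-2023 14:21:08.102 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate [https-jsse-nio-8443], TLS virtual host [www.example.test], Certificate type [EC] configured from [conf/example-ec.p12] using alias [tomcat] and with trust store [conf/truststore.p12]
10-Jan-2023 14:21:08.350 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [1234] milliseconds
"""

# Tomcat's default one-line format: timestamp, level, [thread], logger.method, message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<level>[A-Z]+) \[(?P<thread>[^\]]*)\] (?P<logger>\S+) (?P<message>.*)$"
)

# The bracketed fields of the proposed logCertificate message.
CERT_RE = re.compile(
    r"^\[(?P<connector>[^\]]+)\], TLS virtual host \[(?P<host>[^\]]*)\], "
    r"Certificate type \[(?P<ctype>[^\]]*)\] configured from \[(?P<keystore>[^\]]*)\] "
    r"using alias \[(?P<alias>[^\]]*)\] and with trust store \[(?P<truststore>[^\]]*)\]$"
)


def _null(value):
    """Tomcat prints unset values as the literal [null]; map that to JSON null."""
    return None if value == "null" else value


def parse_line(line):
    """Parse one log line; return a dict, or None if it is not a Tomcat log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Assumption: the JVM's default time zone is UTC. Adjust if yours is not.
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f").replace(tzinfo=timezone.utc)
    event = {
        "@timestamp": ts.isoformat(timespec="milliseconds"),
        "level": m["level"],
        "thread": m["thread"],
        "logger": m["logger"],
        "message": m["message"],
    }
    c = CERT_RE.match(m["message"])
    if c:
        # Promote the certificate details to top-level fields so Elastic can
        # index them directly instead of a JSON string inside "message".
        event.update({
            "tlsConnector": c["connector"],
            "tlsVirtualHost": _null(c["host"]),
            "tlsCertificateType": _null(c["ctype"]),
            "tlsKeystore": _null(c["keystore"]),
            "tlsKeyAlias": _null(c["alias"]),
            "tlsTrustStore": _null(c["truststore"]),
        })
    return event


def parse_log(text):
    """Parse a whole log; lines that do not match the Tomcat format are skipped."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def unwrap_nested_message(event):
    """Undo the 'JSON embedded in JSON' shape: if "message" is itself a JSON
    object, lift its keys to the top level (existing top-level keys win)."""
    message = event.get("message")
    if not (isinstance(message, str) and message.lstrip().startswith("{")):
        return event
    try:
        inner = json.loads(message)
    except ValueError:
        return event
    if not isinstance(inner, dict):
        return event
    flat = {k: v for k, v in event.items() if k != "message"}
    for key, value in inner.items():
        flat.setdefault(key, value)
    return flat


def to_ndjson(events):
    """One JSON object per line, the shape Logstash and Filebeat ingest."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    print(to_ndjson(parse_log(SAMPLE_LOG)))
```

Running the module prints one JSON object per input line; only the two logCertificate lines carry the tls* fields, and `[null]` becomes a JSON `null` rather than the string "null", which matters once you start alerting on "trust store not configured".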

RE: Basic SSL Certificate Usage logging

2023-01-10 Thread jonmcalexander
Ultimately it would be nice to be able to log it in JSON format for ingestion 
by Elastic or something similar.



> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, January 10, 2023 7:52 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> Jon,
> 
> On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> > Yes Chris, It's just for during startup. For a particular instance I
> > would like to capture the Certificate Info and Truststore being used
> > and pipe that into a separate log/txt file.
> So it sounds like just dumping-out the configured certificates, etc. to
> something like the debug log from Connector or SSLHostConfig or similar
> would work?
> 
> Or would you want that information available to the application so you can
> log it in some very specific way? Note that you can already get the
> SSLHostConfig info via JMX if you are willing to do that.
> 
> -chris
> 
> >
> > Thanks,
> >
> >
> >> -Original Message-
> >> From: Christopher Schultz 
> >> Sent: Monday, January 9, 2023 8:10 AM
> >> To: users@tomcat.apache.org
> >> Subject: Re: Basic SSL Certificate Usage logging
> >>
> >> Jon,
> >>
> >> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>> Thanks for the info.
> >>>
> >>> In a nutshell I think the certpath,provider would be sufficient. I'm
> >>> thinking that I can add this to the java options as
> >>> -Djava.security.debug=ssl:certpath,provider however I don't know how
> >>> to specify where to log the information.
> >> java.security.debug is really a blunt instrument. It's unfortunate
> >> that it's one of the only ways to get information out of the TLS
> >> stack. It would have been great if Java had started using its own
> >> logging system once it was introduced, but no.
> >>
> >> That debugging tool always dumps to stdout (or stderr?) and you have
> >> very little control over where it goes.
> >>
> >> You would never want to use it for ongoing logging. It truly is for
> >> debugging-only.
> >>
> >> The good news is that application code should be able to get the
> >> information you are looking for.
> >>
> >> Oh, wait...
> >>
> >>> [...] I'm checking to see if there is any out-of-the-box option to
> >>> capture in a log which SSL certificate and trust keystore is being
> >>> used during startup?
> >> What do you mean "during startup"? I originally read that as "for
> >> incoming connections" thinking that you wanted to log which cert was
> >> used for a particular request. But it sounds like maybe you are
> >> asking for something to just be logged one-time during startup?
> >>
> >> -chris
> >>
> >>>
> >>> Thanks,
> >>>

RE: Basic SSL Certificate Usage logging

2023-01-10 Thread jonmcalexander
Can we include valid to dates?



> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, January 10, 2023 8:23 AM
> To: users@tomcat.apache.org
> Subject: Re: Basic SSL Certificate Usage logging
> 
> On 10/01/2023 13:52, Christopher Schultz wrote:
> > Jon,
> >
> > On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >> Yes Chris, It's just for during startup. For a particular instance I
> >> would like to capture the Certificate Info and Truststore being used
> >> and pipe that into a separate log/txt file.
> > So it sounds like just dumping-out the configured certificates, etc.
> > to something like the debug log from Connector or SSLHostConfig or
> > similar would work?
> >
> > Or would you want that information available to the application so you
> > can log it in some very specific way? Note that you can already get
> > the SSLHostConfig info via JMX if you are willing to do that.
> 
> How about something like this:
> 
> 10-Jan-2023 14:21:07.951 INFO [main]
> org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
> [https-jsse-nio-8443], TLS virtual host [_default_], Certificate type [RSA]
> configured from [conf/localhost-rsa.jks] using alias [null] and with trust
> store [null]
> 
> ?
> 
> Mark
> 
> >
> > -chris
> >
> >>
> >> Thanks,
> >>
> >>
> >>> -Original Message-
> >>> From: Christopher Schultz 
> >>> Sent: Monday, January 9, 2023 8:10 AM
> >>> To: users@tomcat.apache.org
> >>> Subject: Re: Basic SSL Certificate Usage logging
> >>>
> >>> Jon,
> >>>
> >>> On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> >>>> Thanks for the info.
> >>>>
> >>>> In a nutshell I think the certpath,provider would be sufficient.
> >>>> I'm thinking that I can add this to the java options as
> >>>> -Djava.security.debug=ssl:certpath,provider however I don't know
> >>>> how to specify where to log the information.
> >>> java.security.debug is really a blunt instrument. It's unfortunate
> >>> that it's one of the only ways to get information out of the TLS
> >>> stack. It would have been great if Java had started using its own
> >>> logging system once it was introduced, but no.
> >>>
> >>> That debugging tool always dumps to stdout (or stderr?) and you have
> >>> very little control over where it goes.
> >>>
> >>> You would never want to use it for ongoing logging. It truly is for
> >>> debugging-only.
> >>>
> >>> The good news is that application code should be able to get the
> >>> information you are looking for.
> >>>
> >>> Oh, wait...
> >>>
> >>>> [...] I'm checking to see if there is any out-of-the-box option to
> >>>>

Re: Basic SSL Certificate Usage logging

2023-01-10 Thread Christopher Schultz

Mark,

On 1/10/23 09:22, Mark Thomas wrote:

On 10/01/2023 13:52, Christopher Schultz wrote:

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.
So it sounds like just dumping-out the configured certificates, etc. 
to something like the debug log from Connector or SSLHostConfig or 
similar would work?


Or would you want that information available to the application so you 
can log it in some very specific way? Note that you can already get 
the SSLHostConfig info via JMX if you are willing to do that.


How about something like this:

10-Jan-2023 14:21:07.951 INFO [main] 
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate type 
[RSA] configured from [conf/localhost-rsa.jks] using alias [null] and 
with trust store [null]


?


How about also including the cert fingerprint?

I think that's a very helpful item to include.

-chris


-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.
java.security.debug is really a blunt instrument. It's unfortunate
that it's one of the only ways to get information out of the TLS
stack. It would have been great if Java had started using its own
logging system once it was introduced, but no.

That debugging tool always dumps to stdout (or stderr?) and you have
very little control over where it goes.

You would never want to use it for ongoing logging. It truly is for
debugging-only.

The good news is that application code should be able to get the
information you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?
What do you mean "during startup"? I originally read that as "for
incoming connections" thinking that you wanted to log which cert was
used for a particular request. But it sounds like maybe you are
asking for something to just be logged one-time during startup?

-chris



Thanks,




-Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI
makes things a little more complicated but we should be able to do

something.

What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and indicates at least which server-cert was
chosen.

Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.

-chris


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if
there is any out-of-the-box option to capture in a log which SSL
certificate and trust keystore is being used during startup?

Thanks,

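Jon asks above for the valid-to dates and Chris for the certificate fingerprint. As an added example for this thread (not Tomcat code and not from either of them), here is how both fields come out of a certificate's DER bytes with nothing but the Python standard library: the SHA-256 fingerprint is the hash of the complete DER encoding, which is what keytool -list and openssl x509 -fingerprint -sha256 report, and the validity window sits at a fixed position inside tbsCertificate. The sample certificate is constructed inline and is not a real, signed certificate; the parsing walk follows the RFC 5280 layout and runs unchanged on a real certificate read through from_pem().

```python
"""Certificate SHA-256 fingerprint and validity dates straight from DER.

Added example for this thread, not Tomcat code. The sample certificate is
built inline and is not a real signed certificate; the parser is generic.
"""
import base64
import hashlib
from datetime import datetime, timezone


def _tlv(tag, content):
    """Encode one DER tag-length-value (only used to build the sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_sample_cert():
    """Constructed Certificate with the tbsCertificate field order of RFC 5280;
    issuer, subject, SPKI, algorithm and signature are empty stubs."""
    def utctime(s):
        return _tlv(0x17, s.encode("ascii"))
    tbs = b"".join([
        _tlv(0xA0, _tlv(0x02, b"\x02")),   # [0] EXPLICIT version v3
        _tlv(0x02, b"\x01\x23\x45"),       # serialNumber
        _tlv(0x30, b""),                   # signature AlgorithmIdentifier (stub)
        _tlv(0x30, b""),                   # issuer Name (stub)
        _tlv(0x30, utctime("230110142107Z") + utctime("240110142107Z")),  # validity
        _tlv(0x30, b""),                   # subject Name (stub)
        _tlv(0x30, b""),                   # subjectPublicKeyInfo (stub)
    ])
    return _tlv(0x30, _tlv(0x30, tbs) + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]: (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        header = 2 + nbytes
    start = pos + header
    if start + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[start:start + length], start + length


def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out


def _parse_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:                      # UTCTime YYMMDDHHMMSSZ, RFC 5280 pivot at 50
        yy = int(s[:2])
        s = f"{1900 + yy if yy >= 50 else 2000 + yy}{s[2:]}"
    elif tag != 0x18:                    # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected time tag 0x{tag:02x}")
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def from_pem(pem):
    body = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def cert_summary(der):
    """The fields the thread asks for: fingerprint, serial, notBefore, notAfter."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)            # tbsCertificate is the first element
    fields = _children(tbs)
    if fields and fields[0][0] == 0xA0:        # optional [0] version comes first
        fields = fields[1:]
    serial, _sigalg, _issuer, validity = fields[:4]
    not_before, not_after = _children(validity[1])
    # Fingerprint = hash of the whole DER encoding (keytool -list, openssl x509 -fingerprint).
    digest = hashlib.sha256(der).hexdigest().upper()
    return {
        "sha256Fingerprint": ":".join(digest[i:i + 2] for i in range(0, 64, 2)),
        "serialNumber": serial[1].hex(),
        "notBefore": _parse_time(*not_before),
        "notAfter": _parse_time(*not_after),
    }


def days_until_expiry(der, now=None):
    """Positive while the certificate is valid, negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    return (cert_summary(der)["notAfter"] - now).days
```

To use it on a deployed certificate, read the PEM exported from the keystore (for example `keytool -exportcert -rfc`) and pass `from_pem(text)` to `cert_summary()`; the fingerprint it returns matches the SHA-256 line of `keytool -list -v`, so it can be compared with what a startup log line reports.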

Re: Basic SSL Certificate Usage logging

2023-01-10 Thread Mark Thomas

On 10/01/2023 13:52, Christopher Schultz wrote:

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.
So it sounds like just dumping-out the configured certificates, etc. to 
something like the debug log from Connector or SSLHostConfig or similar 
would work?


Or would you want that information available to the application so you 
can log it in some very specific way? Note that you can already get the 
SSLHostConfig info via JMX if you are willing to do that.


How about something like this:

10-Jan-2023 14:21:07.951 INFO [main] 
org.apache.tomcat.util.net.AbstractEndpoint.logCertificate
[https-jsse-nio-8443], TLS virtual host [_default_], Certificate type 
[RSA] configured from [conf/localhost-rsa.jks] using alias [null] and 
with trust store [null]


?

Mark



-chris



Thanks,




-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.
java.security.debug is really a blunt instrument. It's unfortunate
that it's one of the only ways to get information out of the TLS
stack. It would have been great if Java had started using its own
logging system once it was introduced, but no.

That debugging tool always dumps to stdout (or stderr?) and you have
very little control over where it goes.

You would never want to use it for ongoing logging. It truly is for
debugging-only.

The good news is that application code should be able to get the
information you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?
What do you mean "during startup"? I originally read that as "for
incoming connections" thinking that you wanted to log which cert was
used for a particular request. But it sounds like maybe you are
asking for something to just be logged one-time during startup?

-chris



Thanks,




-Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI
makes things a little more complicated but we should be able to do

something.

What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and indicates at least which server-cert was
chosen.

Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.

-chris


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if
there is any out-of-the-box option to capture in a log which SSL
certificate and trust keystore is being used during star

Re: Basic SSL Certificate Usage logging

2023-01-10 Thread Christopher Schultz

Jon,

On 1/9/23 18:17, jonmcalexan...@wellsfargo.com.INVALID wrote:

Yes Chris, It's just for during startup. For a particular instance I
would like to capture the Certificate Info and Truststore being used
and pipe that into a separate log/txt file.
So it sounds like just dumping-out the configured certificates, etc. to 
something like the debug log from Connector or SSLHostConfig or similar 
would work?


Or would you want that information available to the application so you 
can log it in some very specific way? Note that you can already get the 
SSLHostConfig info via JMX if you are willing to do that.


-chris



Thanks,



-Original Message-
From: Christopher Schultz 
Sent: Monday, January 9, 2023 8:10 AM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm
thinking that I can add this to the java options as
-Djava.security.debug=ssl:certpath,provider however I don't know how
to specify where to log the information.

java.security.debug is really a blunt instrument. It's unfortunate that it's one
of the only ways to get information out of the TLS stack. It would have been
great if Java had started using its own logging system once it was introduced,
but no.

That debugging tool always dumps to stdout (or stderr?) and you have very
little control over where it goes.

You would never want to use it for ongoing logging. It truly is for
debugging-only.

The good news is that application code should be able to get the information
you are looking for.

Oh, wait...


[...] I'm checking to see if there is any out-of-the-box option to
capture in a log which SSL certificate and trust keystore is being
used during startup?

What do you mean "during startup"? I originally read that as "for incoming
connections" thinking that you wanted to log which cert was used for a
particular request. But it sounds like maybe you are asking for something to
just be logged one-time during startup?

-chris



Thanks,




-Original Message-
From: Christopher Schultz 
Sent: Friday, January 6, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Basic SSL Certificate Usage logging

Mark,

On 1/6/23 15:00, Mark Thomas wrote:

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI
makes things a little more complicated but we should be able to do

something.

What is the minimum info you'd like to see?


How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and indicates at least which server-cert was chosen.
Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.

-chris


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if
there is any out-of-the-box option to capture in a log which SSL
certificate and trust keystore is being used during startup?

Thanks,


RE: Basic SSL Certificate Usage logging

2023-01-09 Thread jonmcalexander
Yes Chris, It's just for during startup. For a particular instance I would like 
to capture the Certificate Info and Truststore being used and pipe that into a 
separate log/txt file.

Thanks,



Re: Basic SSL Certificate Usage logging

2023-01-09 Thread Christopher Schultz

Jon,

On 1/6/23 15:53, jonmcalexan...@wellsfargo.com.INVALID wrote:
> Thanks for the info.
>
> In a nutshell I think the certpath,provider would be sufficient. I'm
> thinking that I can add this to the java options as
> -Djava.security.debug=ssl:certpath,provider however I don't know how
> to specify where to log the information.

java.security.debug is really a blunt instrument. It's unfortunate that
it's one of the only ways to get information out of the TLS stack. It
would have been great if Java had started using its own logging system
once it was introduced, but no.

That debugging tool always dumps to stdout (or stderr?) and you have
very little control over where it goes.

You would never want to use it for ongoing logging. It truly is for
debugging-only.

The good news is that application code should be able to get the
information you are looking for.

Oh, wait...

> [...] I'm checking to see if there is any out-of-the-box option to
> capture in a log which SSL certificate and trust keystore is being
> used during startup?

What do you mean "during startup"? I originally read that as "for
incoming connections" thinking that you wanted to log which cert was
used for a particular request. But it sounds like maybe you are asking
for something to just be logged one-time during startup?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Basic SSL Certificate Usage logging

2023-01-06 Thread jonmcalexander
Hi Mark,

Thanks for the info.

In a nutshell I think the certpath,provider would be sufficient. I'm thinking 
that I can add this to the java options as 
-Djava.security.debug=ssl:certpath,provider however I don't know how to specify 
where to log the information.

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Basic SSL Certificate Usage logging

2023-01-06 Thread Christopher Schultz

Mark,

On 1/6/23 15:00, Mark Thomas wrote:
> Hi Jon,
>
> In a word, no. Sorry.
>
> Some sort of info log message probably makes sense for this. SNI makes
> things a little more complicated but we should be able to do something.
> What is the minimum info you'd like to see?

How about adding a request attribute with some kind of identifier (fpr?
serial-number?) in it and indicates at least which server-cert was
chosen. Then it can trivially be added to e.g. access_log or even to
application code which wants to do custom logging.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Basic SSL Certificate Usage logging

2023-01-06 Thread Mark Thomas

Hi Jon,

In a word, no. Sorry.

Some sort of info log message probably makes sense for this. SNI makes 
things a little more complicated but we should be able to do something. 
What is the minimum info you'd like to see?


Mark


On 06/01/2023 18:52, jonmcalexan...@wellsfargo.com.INVALID wrote:

Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if there is 
any out-of-the-box option to capture in a log which SSL certificate and trust 
keystore is being used during startup?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander
Senior Infrastructure Engineer
Asst. Vice President
He/His

Middleware Product Engineering
Enterprise CIO | EAS | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com<mailto:jonmcalexan...@wellsfargo.com>
This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Basic SSL Certificate Usage logging

2023-01-06 Thread jonmcalexander
Good afternoon and Happy New Year,

I know about the SSL debug logging, however, I'm checking to see if there is 
any out-of-the-box option to capture in a log which SSL certificate and trust 
keystore is being used during startup?

Thanks,

Dream * Excel * Explore * Inspire
Jon McAlexander


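Mark and Chris say above that Tomcat has no out-of-the-box option to log which certificate and truststore a TLS connector loaded, and that java.security.debug is a debugging-only firehose whose output you cannot route. The following is an added example, not code from Tomcat or from anyone in this thread: a hypothetical server-level LifecycleListener that, once after startup, logs exactly that for every SSLHostConfig. It assumes the SSLHostConfig API of Tomcat 8.5/9; the class name com.example.tomcat.SslStartupLogger, the log line layout and the "first key entry when keyAlias is unset" rule are this example's own choices.

```java
package com.example.tomcat;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.logging.Logger;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Server;
import org.apache.catalina.Service;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

/**
 * Hypothetical server-level LifecycleListener (example code, not part of Tomcat).
 * After the Server has started it logs once, per TLS connector and SSLHostConfig, the
 * keystore loaded, the alias that will be served, the leaf certificate's subject, issuer,
 * expiry and SHA-256 fingerprint, and the truststore. Register it in conf/server.xml
 * directly under <Server>:  <Listener className="com.example.tomcat.SslStartupLogger"/>
 */
public class SslStartupLogger implements LifecycleListener {

    private static final Logger log = Logger.getLogger(SslStartupLogger.class.getName());

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        // Fire once, after every Service and Connector has started.
        if (!Lifecycle.AFTER_START_EVENT.equals(event.getType())
                || !(event.getLifecycle() instanceof Server)) {
            return;
        }
        for (Service service : ((Server) event.getLifecycle()).findServices()) {
            for (Connector connector : service.findConnectors()) {
                // Plain HTTP/AJP connectors carry no SSLHostConfig and are skipped here.
                for (SSLHostConfig host : connector.findSslHostConfigs()) {
                    logHost("port " + connector.getPort() + " host '" + host.getHostName() + "'", host);
                }
            }
        }
    }

    private static void logHost(String where, SSLHostConfig host) {
        try {
            for (SSLHostConfigCertificate cert : host.getCertificates()) {
                if (cert.getCertificateFile() != null) {
                    // PEM-style configuration: no keystore involved.
                    log.info(where + ": certificateFile=" + cert.getCertificateFile()
                            + " certificateKeyFile=" + cert.getCertificateKeyFile()
                            + " certificateChainFile=" + cert.getCertificateChainFile());
                    continue;
                }
                KeyStore ks = cert.getCertificateKeystore();
                String alias = cert.getCertificateKeyAlias();
                if (ks != null && alias == null) {
                    // keyAlias unset: this example assumes Tomcat serves the first key entry
                    // it finds, which is why the thread recommends always setting keyAlias.
                    alias = firstKeyAlias(ks);
                }
                Certificate leaf = (ks == null || alias == null) ? null : ks.getCertificate(alias);
                if (!(leaf instanceof X509Certificate)) {
                    log.warning(where + ": keystore " + cert.getCertificateKeystoreFile()
                            + " has no usable entry for alias '" + alias + "'");
                    continue;
                }
                X509Certificate x = (X509Certificate) leaf;
                log.info(where + ": keystore=" + cert.getCertificateKeystoreFile()
                        + " type=" + cert.getCertificateKeystoreType()
                        + " alias=" + alias + " keyEntry=" + ks.isKeyEntry(alias)
                        + " subject=" + x.getSubjectX500Principal().getName()
                        + " issuer=" + x.getIssuerX500Principal().getName()
                        + " notAfter=" + x.getNotAfter() + " sha256=" + fingerprint(x));
            }
            KeyStore ts = host.getTruststore();
            log.info(where + ": truststore=" + host.getTruststoreFile()
                    + " entries=" + (ts == null ? "(not configured)" : String.valueOf(ts.size())));
        } catch (IOException | GeneralSecurityException e) {
            log.warning(where + ": could not inspect TLS configuration: " + e);
        }
    }

    // First alias holding a private key, in keystore order.
    private static String firstKeyAlias(KeyStore ks) throws GeneralSecurityException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            if (ks.isKeyEntry(a)) return a;
        }
        return null;
    }

    // Colon-separated SHA-256 fingerprint of the DER encoding, as keytool -list -v prints it.
    private static String fingerprint(X509Certificate x) throws GeneralSecurityException {
        StringBuilder sb = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(x.getEncoded())) {
            sb.append(String.format("%02X:", b));
        }
        return sb.substring(0, sb.length() - 1);
    }
}
```

Because the class logs through java.util.logging, Tomcat's JULI can send these lines to their own file with ordinary conf/logging.properties entries (the handler name and file prefix below are this example's choice): add 5ssl.org.apache.juli.AsyncFileHandler to the handlers line, set 5ssl.org.apache.juli.AsyncFileHandler.directory = ${catalina.base}/logs and 5ssl.org.apache.juli.AsyncFileHandler.prefix = ssl-startup., then bind the logger with com.example.tomcat.SslStartupLogger.handlers = 5ssl.org.apache.juli.AsyncFileHandler (and useParentHandlers = false if the lines should not also land in catalina.out). Nothing here touches the request path, so it costs nothing per connection.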

Re: SSL certificate makes site dont work

2020-09-22 Thread Christopher Schultz
Carles,

On 9/22/20 08:57, Carles Franquesa wrote:
> Trying to install an SSL certificate on 8.5.57.
> 
> Once created the cert files, and with a jks available, and set in a
> connector into server.xml file, cannot connect to the page.
> 
> The connectors code is
> 
> '''
> <Connector
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     maxThreads="150"
>     SSLEnabled="true"
>     scheme="https"
>     secure="true"
>     clientAuth="false"
>     sslProtocol="TLS"
>     keystoreFile="/opt/tomcat/certificat/app.aprenonline.eu.jks"
>     keystoreType="JKS" keystorePass="***"/>
> '''
> 
> When trying to connect from the browser, the status bar says "trying to
> make a secure connection..." but it hangs at this point.

What URL is showing in the browser?

Are there any errors or warnings during startup in the log files?

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



SSL certificate makes site dont work

2020-09-22 Thread Carles Franquesa
Hi,

Trying to install an SSL certificate on 8.5.57.

Once created the cert files, and with a jks available, and set in a
connector into server.xml file, cannot connect to the page.

The connectors code is

'''





'''

When trying to connect from the browser, the status bar says "trying to
make a secure connection..." but it hangs at this point.

Any help would be appreciated

Carles


Re: Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-11 Thread Christopher Schultz

Munzer,

On 8/10/19 18:31, Munzer Khatib wrote:
> I noticed i made some typos in the commands i listed here because i
> was testing.. I started testing with Tomcat10 keystore and then the
> last rekey was for Tomcat14 keystore. All the commands reference
> the Tomcat 14 keystore.

Can you please re-post a corrected list of commands? It will
definitely help.

Did you see my separate reply about missing the keyAlias configuration
attribute? It's almost certainly the root cause of (and solution to)
your problem.

> I did export the certificate to PK#12 and still will try to extract
> private key using openssl.
> 
> Do you think this problem might be due to incompatibility between 
> keytool java version and certificate and Tomcat 8.0 release? The 
> machine has an older Windows 2008 server.
Nope. PKCS12 is a standard format and all currently-released versions
of Java support it -- correctly, as far as I can tell. You can use
keytool from any version of Java to prepare a keystore to be used by
an other version of Java.

Newer versions of Tomcat can use either a JSSE-readable file format
(like PKCS12, JKS, JCEKS, etc.) *or* the simpler PEM-encoded DER files
that e.g. Apache httpd uses.

-chris


Re: Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-10 Thread Munzer Khatib
 Hi Peter,
Thank you for your reply. 
I noticed i made some typos in the commands i listed here because i was 
testing.. I started testing with Tomcat10 keystore and then the last rekey was 
for Tomcat14 keystore. All the commands reference the Tomcat 14 keystore.
I did export the certificate to PK#12 and still will try to extract private key 
using openssl. 
Do you think this problem might be due to incompatibility between keytool java 
version and certificate and Tomcat 8.0 release? The machine has an older 
Windows 2008 server.
Thanks,

Re: Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-08 Thread Christopher Schultz

Munzer,

On 8/5/19 20:42, Munzer Khatib wrote:
> Here are the steps I used to create the keystore and import
> certificate to it.

These steps look okay, with the exception that Peter (logo) pointed
out: you have used two different keystores in your commands. Also, you
have tomcat10.keystore in your configuration and I think you might
want to be using tomcat14.keystore. Whichever keystore you use, you
need to be consistent. Feel free to make a backup copy after you
generate your CSR just in case you make a mistake and damage the key
store.

> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 3 entries
> 
> root, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
> intermediate, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> tomcat, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E

Okay, that's the first entry in the file. What about the other two?

> 
> I also tried creating a PEM text file for all certificates and
> importing that into private key alias tomcat but it only imported
> the domain certificate as "trustedcertentry" My server xml file
> connector config is like this
> 
> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2"
>     redirectPort="8443" compression="on" URIEncoding="UTF-8"
>     compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
>     compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
> <Connector port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
>     secure="true" clientAuth="false" sslProtocol="TLS"
>     SSLEnabled="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
>     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
>     keystorePass="password"
>     keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
> 

You are missing a "keyAlias" attribute. You'll want:

keyAlias="tomcat"

In that <Connector> configuration. Otherwise, Tomcat will use the
first entry found in the keystore.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
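
Chris's checklist above (one keystore for every step, keyAlias set, the alias being a PrivateKeyEntry) can be verified mechanically before Tomcat is restarted. The following is an added example, not code from the thread, from Tomcat or from keytool: a plain-Java checker that opens a JKS or PKCS12 keystore, lists entries the way keytool -list does but with the PrivateKeyEntry/trustedCertEntry distinction up front, confirms that the alias you intend to put in keyAlias owns a private key matching its certificate, and checks that the chain stored under it is ordered and signed correctly. The file name, alias and password in the usage line are hypothetical, and the key password is assumed to equal the store password, which is also what Tomcat assumes unless keyPass is set.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Keystore pre-flight check (example added here; not a Tomcat or keytool feature).
 * Confirms that the alias named in keyAlias is a PrivateKeyEntry, that its certificate
 * belongs to that private key, and that the stored chain links leaf -> intermediate(s)
 * -> root in order. Key password is assumed equal to the store password.
 *
 * Usage: java KeystoreCheck tomcat14.keystore JKS changeit tomcat
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystoreCheck <keystore> <JKS|PKCS12> <storepass> <alias>");
            System.exit(2);
        }
        String file = args[0], type = args[1], alias = args[3];
        char[] pass = args[2].toCharArray();

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass);
        }

        // 1. What "keytool -list" shows, with the distinction that matters for Tomcat.
        System.out.println("Entries in " + file + ":");
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            System.out.printf("  %-16s %s%n", a, ks.isKeyEntry(a) ? "PrivateKeyEntry" : "trustedCertEntry");
        }

        // 2. The alias Tomcat serves must own a private key, not just a certificate.
        if (!ks.containsAlias(alias)) {
            fail("alias '" + alias + "' does not exist in " + file);
        }
        if (!ks.isKeyEntry(alias)) {
            fail("alias '" + alias + "' is a trustedCertEntry: the CA-signed certificate was imported "
                    + "into a keystore/alias that does not hold the private key its CSR came from");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pass);
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];

        // 3. The leaf certificate must belong to this private key.
        if (!keyMatchesCert(key, leaf)) {
            fail("private key under '" + alias + "' does not match the certificate's public key");
        }

        // 4. Every certificate must be signed by the next one in the stored chain and be
        //    within its validity period; verify() throws on a broken or mis-ordered chain.
        leaf.checkValidity();
        for (int i = 0; i + 1 < chain.length; i++) {
            X509Certificate child = (X509Certificate) chain[i];
            X509Certificate parent = (X509Certificate) chain[i + 1];
            child.verify(parent.getPublicKey());
            parent.checkValidity();
        }
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        boolean selfSigned = last.getSubjectX500Principal().equals(last.getIssuerX500Principal());

        System.out.println("OK: '" + alias + "' is a PrivateKeyEntry for "
                + leaf.getSubjectX500Principal() + ", valid until " + leaf.getNotAfter()
                + ", chain length " + chain.length
                + (selfSigned ? " (ends at a self-signed root)" : " (ends at an intermediate)"));
    }

    /** Sign a fixed message with the private key and verify it with the certificate's key. */
    static boolean keyMatchesCert(PrivateKey key, X509Certificate cert) throws Exception {
        String alg;
        switch (key.getAlgorithm()) {
            case "RSA": alg = "SHA256withRSA"; break;
            case "EC":  alg = "SHA256withECDSA"; break;
            default: throw new IllegalArgumentException("unsupported key type " + key.getAlgorithm());
        }
        byte[] msg = "keystore-check".get(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance(alg);
        signer.initSign(key);
        signer.update(msg);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(alg);
        verifier.initVerify(cert.getPublicKey());
        verifier.update(msg);
        try {
            return verifier.verify(sig);
        } catch (SignatureException mismatch) {
            return false;   // e.g. RSA key sizes differ: a mismatch, not a fatal error
        }
    }

    static void fail(String msg) {
        System.err.println("FAIL: " + msg);
        System.exit(1);
    }
}
```

A trustedCertEntry under the alias you expected to be the server key, as in the keytool listing quoted above, means the leaf was imported into a keystore or alias that did not already hold the key its CSR was generated from; adding keyAlias alone cannot repair that. Re-import the leaf under the key's alias, into the keystore that produced the CSR, and run the check again until it reports a PrivateKeyEntry whose chain ends at a root.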



Re: Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-07 Thread logo

Munzer,



On 2019-08-07 09:19, Peter Kreuser wrote:

> Hi Munzer,
>
> I guess we're going a slightly awkward way here, but to fix your
> problem with the new cert in the first place, you could use this:
>
> If your keystore is the old proprietary format, convert it to PKCS12:
> keytool -importkeystore -srckeystore keystore.jks -destkeystore
> keystore.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass
>  -destkeypass 
> Then extract the key using openssl:
> openssl pkcs12 -in keystore.p12 -nocerts -out key.pem
> After that recombine it with the new cert.
> I've found this here: https://security.stackexchange.com/a/66865
>
> There has to be an easier way, but as your keystore is causing
> troubles, I'm not really able to troubleshoot that.



now I've replayed your commands and selfsigned the csr with my ca. I see 
the same behaviour on tomcat10.keystore!


BT! If I replace tomcat14.keystore in the first two commands with 
tomcat10.keystore the generated cert is imported as a PrivateKeyEntry. 
:-)


Well IF you did it like you send in the first mail, you imported the ca 
and the intermediate certificate into a different (unused?) keystore!!!


Could you please doublecheck?


Peter

BTW: did you get warnings on the console that the JKS-keystore format is 
a proprietary format and should be converted to pkcs12?



> After all, you may have to reread on cert handling with keytool vs.
> openssl.
>
> I prefer the openssl way ;-).
>
> Peter
>
> Peter Kreuser
>
>> On 06.08.2019 at 19:50, Munzer Khatib wrote:
>>
>> Hi Peter
>> I dont have the private key file. That is created when I create the
>> keystore. I dont know if it can be extracted.
>>
>> Munzer
>>
>> On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser wrote:
>>
>>> Hi,
>>>
>>>> On 06.08.2019 at 02:42, Munzer Khatib wrote:
>>>>
>>>> Hi
>>>> Can you help me with this problem.
>>>> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
>>>> I am trying to install a new SSL certificate into Apache tomcat
>>>> 8.0.36. I ran same steps ran successfully in 2013 and 2016 on tomcat
>>>> 7. Nothing changed other than moving the virtual machine from old
>>>> server to new hardware this year. Windows Server 2008 is still the
>>>> same Operating system.
>>>> I created a keystore and extracted CSR, generated certificate using
>>>> godaddy for Apache server and imported to server. I keep getting an
>>>> SSL handshake errors and I think it is because the certificate
>>>> entrytype is "trustedcertEntry" and not "privateKey Entry'
>>>> Here are the steps I used to create the keystore and import
>>>> certificate to it.
>>>>
>>>> 1) Generate a Keystore
>>>> cd C:\Program Files\Java\jre7\bin
>>>> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg
>>>> SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
>>>>
>>>> 2) Create a CSR
>>>> keytool -certreq -alias tomcat -keyalg RSA -sigalg
>>>> SHA256withRSA -keystore tomcat10.keystore -file file10.csr
>>>>
>>>> 3) Generate certificates on godaddy site for "Apache" server (not
>>>> tomcat)
>>>>
>>>> 4) Install root, intermediate and user certificate
>>>> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts
>>>> -file c:\cert_2022\gd-class2-root.crt
>>>>
>>>> keytool -import -alias intermediate -keystore tomcat14.keystore
>>>> -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
>>>> keytool -import -alias tomcat -keystore tomcat10.keystore -file
>>>> c:\cert_2019\508c844632c0145.crt
>>>
>>> I've not found a keytool command for that. I use openssl to convert
>>> the PEM to pkcs12/keystore format
>>>
>>> Care to try the following command?
>>> openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat
>>> -certfile fullchain.pem -passout pass:changeit -out jssekeystore
>>>
>>> Peter
>>>
>>>> I am not sure why but it seems the new one is not linking all
>>>> certificates into the private key.
>>>> I tried many different imports and it would never import the server
>>>> certificate as a "privateKeyentry" as the one running now.
>>>>
>>>> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
>>>> Enter keystore password:
>>>>
>>>> Keystore type: JKS
>>>> Keystore provider: SUN
>>>> Your keystore contains 3 entries
>>>> root, Jul 22, 2019, trustedCertEntry,
>>>> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
>>>> intermediate, Jul 22, 2019, trustedCertEntry,
>>>> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
>>>> tomcat, Jul 22, 2019, trustedCertEntry,
>>>> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
>>>>
>>>> I also tried creating a PEM text file for all certificates and
>>>> importing that into private key alias tomcat but it only imported the
>>>> domain certificate as "trustedcertentry"
>>>> My server xml file connector config is like this
>>>> <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2"
>>>> redirectPort="8443" compression="on" URIEncoding="UTF-8"
>>>> compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
>>>> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application

Re: Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-07 Thread Peter Kreuser
Hi Munzer,

I guess we're going a slightly awkward way here, but to fix your problem with 
the new cert in the first place, you could use this:

If your keystore is the old proprietary format, convert it to PKCS12:
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias tomcat -deststorepass  -destkeypass 

Then extract the key using openssl:
openssl pkcs12 -in keystore.p12 -nocerts -out key.pem
After that, recombine it with the new cert.
I've found this here: https://security.stackexchange.com/a/66865

There has to be an easier way, but as your keystore is causing troubles, I'm 
not really able to troubleshoot that.

After all, you may have to reread on cert handling with keytool vs. openssl.
I prefer the openssl way ;-).

Peter



Peter Kreuser
> On 06.08.2019 at 19:50, Munzer Khatib wrote:
> 
> Hi Peter
> I don't have the private key file. That is created when I create the keystore. 
> I don't know if it can be extracted.
> Munzer
> On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser wrote:
> 
> Hi,
> 
> 
>> On 06.08.2019 at 02:42, Munzer Khatib wrote:
>> 
>> Hi
>> Can you help me with this problem.
>> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
>> I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran 
>> the same steps successfully in 2013 and 2016 on Tomcat 7. Nothing changed 
>> other than moving the virtual machine from the old server to new hardware this 
>> year. Windows Server 2008 is still the same operating system.
>> I created a keystore and extracted a CSR, generated a certificate using GoDaddy 
>> for an Apache server and imported it to the server. I keep getting SSL handshake 
>> errors and I think it is because the certificate entry type is 
>> "trustedCertEntry" and not "privateKeyEntry".
>> Here are the steps I used to create the keystore and import the certificate 
>> into it.
>> 1) Generate a keystore
>> cd C:\Program Files\Java\jre7\bin
>> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore
> 
>> 2) Create a CSR
>> keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
>> 
>> 3) Generate certificates on the GoDaddy site for an "Apache" server (not Tomcat)
>> 4) Install root, intermediate and user certificate
>> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
>> 
>> keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
>> keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt
> 
> I've not found a keytool command for that. I use openssl to convert the PEM 
> to pkcs12/keystore format
> 
> Care to try the following command?
> openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile fullchain.pem -passout pass:changeit -out jssekeystore
> 
> Peter
> 
>> I am not sure why, but it seems the new one is not linking all certificates 
>> into the private key.
>> I tried many different imports and it would never import the server 
>> certificate as a "privateKeyEntry" like the one running now.
>> 
>> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
>> Enter keystore password:
>> Keystore type: JKS
>> Keystore provider: SUN
>> Your keystore contains 3 entries
>> root, Jul 22, 2019, trustedCertEntry,
>> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
>> intermediate, Jul 22, 2019, trustedCertEntry,
>> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
>> tomcat, Jul 22, 2019, trustedCertEntry,
>> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
>> 
>> I also tried creating a PEM text file for all certificates and importing 
>> that into the private key alias tomcat, but it only imported the domain 
>> certificate as "trustedCertEntry".
>> My server.xml connector config is like this
>> port="8080" protocol="HTTP/1.1" connectionTimeout="2" 
>> redirectPort="8443" compression="on" URIEncoding="UTF-8" 
>> compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata" 
>> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
>> port="443" protocol="HTTP/1.

Re: Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-06 Thread Munzer Khatib
Hi Peter
I don't have the private key file. That is created when I create the keystore. I 
don't know if it can be extracted.
Munzer
On Tuesday, 6 August 2019, 4:35:51 PM UTC, Peter Kreuser wrote:
 
Hi,


> On 06.08.2019 at 02:42, Munzer Khatib wrote:
> 
> Hi
> Can you help me with this problem.
> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
> I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran 
> the same steps successfully in 2013 and 2016 on Tomcat 7. Nothing changed 
> other than moving the virtual machine from the old server to new hardware this 
> year. Windows Server 2008 is still the same operating system.
> I created a keystore and extracted a CSR, generated a certificate using GoDaddy 
> for an Apache server and imported it to the server. I keep getting SSL handshake 
> errors and I think it is because the certificate entry type is 
> "trustedCertEntry" and not "privateKeyEntry".
> Here are the steps I used to create the keystore and import the certificate into it.
> 1) Generate a keystore
> cd C:\Program Files\Java\jre7\bin
> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore

> 2) Create a CSR
> keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
> 
> 3) Generate certificates on the GoDaddy site for an "Apache" server (not Tomcat)
> 4) Install root, intermediate and user certificate
> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
> 
> keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
> keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt
> 

I've not found a keytool command for that. I use openssl to convert the PEM to 
pkcs12/keystore format

Care to try the following command?
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile fullchain.pem -passout pass:changeit -out jssekeystore

Peter

> I am not sure why, but it seems the new one is not linking all certificates 
> into the private key.
> I tried many different imports and it would never import the server 
> certificate as a "privateKeyEntry" like the one running now.
> 
> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 3 entries
> root, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
> intermediate, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> tomcat, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
> 
> I also tried creating a PEM text file for all certificates and importing that 
> into the private key alias tomcat, but it only imported the domain certificate as 
> "trustedCertEntry".
> My server.xml connector config is like this
> port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" 
> compression="on" URIEncoding="UTF-8" compressionMinSize="2048" 
> noCompressionUserAgents="gozilla, traviata" 
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
> port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true" 
> clientAuth="false" sslProtocol="TLS" SSLEnabled="true" 
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
>  TLS_RSA_WITH_AES_256_CBC_SHA" keystorePass="password" 
> keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
> 
> 
> Tried many different options for the keytool command.
> Followed the Tomcat 8 documentation and the GoDaddy list for installing the certificate.
> When I try to access it using a browser I get this error:
> This page can’t be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in 
> Advanced settings and try connecting to https://psscr.xyz.c
> When I use openssl I get a handshake failure:
> $ openssl s_client -connect 10.60.xx.xx:443
> CONNECTED(0003)
> 140298896533392:error:14077410:SSL routines:SSL23_

Re: Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-06 Thread Peter Kreuser
Hi,


> On 06.08.2019 at 02:42, Munzer Khatib wrote:
> 
> Hi
> Can you help me with this problem.
> Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
> I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran 
> the same steps successfully in 2013 and 2016 on Tomcat 7. Nothing changed 
> other than moving the virtual machine from the old server to new hardware this 
> year. Windows Server 2008 is still the same operating system.
> I created a keystore and extracted a CSR, generated a certificate using GoDaddy 
> for an Apache server and imported it to the server. I keep getting SSL handshake 
> errors and I think it is because the certificate entry type is 
> "trustedCertEntry" and not "privateKeyEntry".
> Here are the steps I used to create the keystore and import the certificate into it.
> 1) Generate a keystore
> cd C:\Program Files\Java\jre7\bin
> keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore

> 2) Create a CSR
> keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr
> 
> 3) Generate certificates on the GoDaddy site for an "Apache" server (not Tomcat)
> 4) Install root, intermediate and user certificate
> keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt
> 
> keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
> keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt
> 

I've not found a keytool command for that. I use openssl to convert the PEM to 
pkcs12/keystore format

Care to try the following command?
openssl pkcs12 -export -in cert.pem -inkey privkey.pem -name tomcat -certfile fullchain.pem -passout pass:changeit -out jssekeystore

Peter

> I am not sure why, but it seems the new one is not linking all certificates 
> into the private key.
> I tried many different imports and it would never import the server 
> certificate as a "privateKeyEntry" like the one running now.
> 
> C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 3 entries
> root, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
> intermediate, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> tomcat, Jul 22, 2019, trustedCertEntry,
> Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E
> 
> I also tried creating a PEM text file for all certificates and importing that 
> into the private key alias tomcat, but it only imported the domain certificate as 
> "trustedCertEntry".
> My server.xml connector config is like this
> port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" 
> compression="on" URIEncoding="UTF-8" compressionMinSize="2048" 
> noCompressionUserAgents="gozilla, traviata" 
> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/json"/>
> port="443" protocol="HTTP/1.1" maxThreads="150" scheme="https" secure="true" 
> clientAuth="false" sslProtocol="TLS" SSLEnabled="true" 
> sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" 
> ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, 
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, 
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
>  TLS_RSA_WITH_AES_256_CBC_SHA" keystorePass="password" 
> keystoreFile="C:\Program Files\Java\jre7\bin\tomcat10.keystore"/>
> 
> 
> Tried many different options for the keytool command.
> Followed the Tomcat 8 documentation and the GoDaddy list for installing the certificate.
> When I try to access it using a browser I get this error:
> This page can’t be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in 
> Advanced settings and try connecting to https://psscr.xyz.c
> When I use openssl I get a handshake failure:
> $ openssl s_client -connect 10.60.xx.xx:443
> CONNECTED(0003)
> 140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 7 bytes and written 289 bytes
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 
>     Session-ID:
>     Session-ID-ctx:
>     Master-Key:
>     Key-Arg   : None
>     Krb5 Principal: None
>     PSK identity: None
>     PSK identity hint: None
>     Start Time: 1564789174
>     Timeout   : 300 (sec)
>     Verify return code: 0 (ok)
> Thanks,
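Peter's two openssl steps (the "openssl pkcs12 -export" command in this message and the "-nocerts" key extraction in his follow-up of 2019-08-07) put together as an added example; it is not code from the thread or from Tomcat. It builds a throwaway root/intermediate/server chain as constructed test data, assembles the keystore, pulls the key back out, and checks that the store holds a keyed entry with the whole chain rather than only trusted certificates, which is what Munzer's keytool -list showed. Alias "tomcat" and password "changeit" are taken from Peter's command; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the list thread or Tomcat): build a PKCS12 keystore
# for Tomcat from key + server cert + chain the way Peter's "openssl pkcs12
# -export" does, extract the key again the way his follow-up does, and check
# that the result is a key entry with the full chain instead of a bare
# trustedCertEntry. The CA chain below is constructed throwaway test data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test PKI: root CA -> intermediate CA -> server certificate, the
# same three files (root, intermediate bundle, domain cert) a public CA issues.
make_test_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root' \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/int.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
    -out "$WORK/int.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=tomcat.example.test' \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$WORK/server.csr" -CA "$WORK/int.pem" \
    -CAkey "$WORK/int.key" -CAcreateserial -out "$WORK/server.pem" 2>/dev/null
  # What -certfile expects: the intermediate(s) followed by the root.
  cat "$WORK/int.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Check the chain before exporting: a store built from a chain that does not
# verify is a common source of the handshake failures seen in the thread.
chain_is_valid() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" \
    "$WORK/server.pem" >/dev/null 2>&1
}

# Peter's 06.08. step: key, server cert and chain become one keyed entry.
# Tomcat reads PKCS12 directly, so no conversion to JKS is needed.
# $1 key.pem  $2 cert.pem  $3 fullchain.pem  $4 output store  $5 password
build_keystore() {
  openssl pkcs12 -export -in "$2" -inkey "$1" -certfile "$3" -name tomcat \
    -passout "pass:$5" -out "$4"
}

# Peter's 07.08. step: get the PEM private key out of a PKCS12 (for example
# one made from the old JKS with keytool -importkeystore) so it can be
# recombined with a renewed certificate. $1 store  $2 password  $3 key.pem
extract_key() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes -out "$3" 2>/dev/null
}

# Store holding certificates only: what a keystore looks like when the domain
# cert was imported with keytool -import as a trusted certificate, key-less.
# $1 output store  $2 password
build_cert_only_store() {
  cat "$WORK/server.pem" "$WORK/chain.pem" > "$WORK/all.pem"
  openssl pkcs12 -export -nokeys -in "$WORK/all.pem" -passout "pass:$2" -out "$1"
}

# Returns 0 only if the store has exactly one private key, $3 certificates,
# and the key's certificate carries friendlyName (alias) "tomcat": the PKCS12
# equivalent of keytool's PrivateKeyEntry with a complete certificate chain.
# $1 store  $2 password  $3 expected certificate count
verify_keystore() {
  keys=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN PRIVATE KEY' || true)
  certs=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true)
  named=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'friendlyName: tomcat' || true)
  [ "$keys" -eq 1 ] && [ "$certs" -eq "$3" ] && [ "$named" -ge 1 ]
}

# If a JDK is on PATH, show what keytool itself reports for the entry.
show_with_keytool() {
  command -v keytool >/dev/null 2>&1 || return 0
  keytool -list -v -keystore "$1" -storepass "$2" -storetype PKCS12 2>/dev/null \
    | grep -E 'Alias name|Entry type|Certificate chain length' || true
}

make_test_pki
chain_is_valid || { echo 'chain does not verify; fix that before exporting' >&2; exit 1; }
build_keystore "$WORK/server.key" "$WORK/server.pem" "$WORK/chain.pem" \
  "$WORK/tomcat.p12" changeit
verify_keystore "$WORK/tomcat.p12" changeit 3 \
  && echo 'tomcat.p12: 1 private key, 3 certificates, alias tomcat'
show_with_keytool "$WORK/tomcat.p12" changeit
build_cert_only_store "$WORK/certs-only.p12" changeit
verify_keystore "$WORK/certs-only.p12" changeit 3 \
  || echo 'certs-only.p12: no private key, Tomcat could not serve TLS with it'
# Renewal round trip: reuse the key from the existing store with a new cert.
extract_key "$WORK/tomcat.p12" changeit "$WORK/key.pem"
build_keystore "$WORK/key.pem" "$WORK/server.pem" "$WORK/chain.pem" \
  "$WORK/renewed.p12" changeit
```

The same verify_keystore check applied to a real store tells you, before restarting Tomcat, whether the alias you point keystoreFile at is a keyed entry or only a trusted certificate.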


Support Request for problem with problem running SSL certificate on tomcat 8

2019-08-05 Thread Munzer Khatib
Hi
Can you help me with this problem.
Problem: Installing SSL certificate on Apache Tomcat 8.0.36 fails
I am trying to install a new SSL certificate into Apache Tomcat 8.0.36. I ran the 
same steps successfully in 2013 and 2016 on Tomcat 7. Nothing changed other 
than moving the virtual machine from the old server to new hardware this year. 
Windows Server 2008 is still the same operating system.
I created a keystore and extracted a CSR, generated a certificate using GoDaddy for 
an Apache server and imported it to the server. I keep getting SSL handshake errors 
and I think it is because the certificate entry type is "trustedCertEntry" and 
not "privateKeyEntry".
Here are the steps I used to create the keystore and import the certificate into it.
1) Generate a keystore
cd C:\Program Files\Java\jre7\bin
keytool -keysize 2048 -genkey -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keypass secret19 -keystore tomcat10.keystore

2) Create a CSR
keytool -certreq -alias tomcat -keyalg RSA -sigalg SHA256withRSA -keystore tomcat10.keystore -file file10.csr

3) Generate certificates on the GoDaddy site for an "Apache" server (not Tomcat)
4) Install root, intermediate and user certificate
keytool -import -alias root -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd-class2-root.crt

keytool -import -alias intermediate -keystore tomcat14.keystore -trustcacerts -file c:\cert_2022\gd_bundle-g2-g1.crt
keytool -import -alias tomcat -keystore tomcat10.keystore -file c:\cert_2019\508c844632c0145.crt

I am not sure why, but it seems the new one is not linking all certificates into 
the private key.
I tried many different imports and it would never import the server certificate 
as a "privateKeyEntry" like the one running now.

C:\Program Files\Java\jre7\bin>keytool -list -keystore tomcat10.keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 47:BE:AB:C9:22:EA:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
intermediate, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 27:AC:93:69:FA:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
tomcat, Jul 22, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): B6:27:BE:DF:ED:EF:EF:4D:62:D2:F1:5C:CC:C1:A2:AB:98:60:8E

I also tried creating a PEM text file for all certificates and importing that 
into the private key alias tomcat, but it only imported the domain certificate as 
"trustedCertEntry".
My server.xml connector config is like this

Tried many different options for the keytool command.
Followed the Tomcat 8 documentation and the GoDaddy list for installing the certificate.
When I try to access it using a browser I get this error:
This page can’t be displayed Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced 
settings and try connecting to https://psscr.xyz.c
When I use openssl I get a handshake failure:
$ openssl s_client -connect 10.60.xx.xx:443
CONNECTED(0003)
140298896533392:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1564789174
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
Thanks,

Re: SSL Certificate Renewal

2019-06-18 Thread Christopher Schultz

Nitin,

On 6/18/19 13:50, Nitin Kadam wrote:
> Hello,
> 
> I want to renew current SSL certificate So I am confused. Do I need
> to recreate keystore and csr for new certificate.
> 
> If I have to create new keystore, how I can create same on existing
> running setup.

You do not need to create a new key, but it would be a good idea to
create a new one, just in case your old key has been compromised. It's
really not that complicated to create a new key.

Keep your old keystore with no changes. Create a new keystore with a
new key and new certificate. Get the cert signed by a CA and import
the signed cert back into your keystore, along with any of the CA's
intermediate certificates that may be necessary.

This process has been documented many many times on the web.

- -chris

> On Thu, Jun 13, 2019, 12:11 PM Ognjen Blagojevic < 
> ognjen.d.blagoje...@gmail.com> wrote:
> 
>> Nitin,
>> 
>> On 13.6.2019. 07.37, Nitin Kadam wrote:
>>> I have an Apache Tomcat server running with a publicly signed SSL
>>> certificate configured in server.xml; the same certificate is
>>> expiring next week, and I need steps to renew it. *Server OS: Windows 2012
>>> R2* *Apache Tomcat/8.5.38*
>>> 
>>> 1. How to generate a new CSR with a new key alias 2. How to import
>>> the new cert & intermediate certificate chain in .jks format 
>>> 3. What about the keystore & current key alias
>>> 
>>> 
>>> Kindly guide me, as I will be performing this for the first time.
>> 
>> You can find instructions here:
>> 
>> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority
>> 
>> Regards,
>> Ognjen
>> 
> 

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL Certificate Renewal

2019-06-18 Thread Nitin Kadam
Hello,

I want to renew the current SSL certificate, so I am confused.
Do I need to recreate the keystore and CSR for the new certificate?

If I have to create a new keystore, how can I create it on the existing running
setup?


On Thu, Jun 13, 2019, 12:11 PM Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Nitin,
>
> On 13.6.2019. 07.37, Nitin Kadam wrote:
> > I have an Apache Tomcat server running with a publicly signed SSL certificate
> > configured in server.xml; the same certificate is expiring next week, and I
> > need steps to renew it.
> > *Server OS: Windows 2012 R2*
> > *Apache Tomcat/8.5.38*
> >
> > 1. How to generate a new CSR with a new key alias
> > 2. How to import the new cert & intermediate certificate chain in .jks
> > format
> > 3. What about the keystore & current key alias
> >
> >
> > Kindly guide me, as I will be performing this for the first time.
>
> You can find instructions here:
>
> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority
>
> Regards,
> Ognjen
>


Re: SSL Certificate Renewal

2019-06-13 Thread Ognjen Blagojevic

Nitin,

On 13.6.2019. 07.37, Nitin Kadam wrote:

I have an Apache Tomcat server running with a publicly signed SSL certificate
configured in server.xml; the same certificate is expiring next week, and I
need steps to renew it.
*Server OS: Windows 2012 R2*
*Apache Tomcat/8.5.38*

1. How to generate a new CSR with a new key alias
2. How to import the new cert & intermediate certificate chain in .jks
format
3. What about the keystore & current key alias


Kindly guide me, as I will be performing this for the first time.


You can find the instructions here:

http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority

Regards,
Ognjen




SSL Certificate Renewal

2019-06-12 Thread Nitin Kadam
Hello Team,

I have an Apache Tomcat server running with a publicly signed SSL certificate
configured in server.xml; the same certificate is expiring next week, and I
need steps to renew it.
*Server OS: Windows 2012 R2*
*Apache Tomcat/8.5.38*

1. How to generate a new CSR with a new key alias
2. How to import the new cert & intermediate certificate chain in .jks
format
3. What about the keystore & current key alias


Kindly guide me, as I will be performing this for the first time.


-- 
Regards
Nitin Kadam


Re: SSL certificate error in Tomcat 9

2019-06-12 Thread Mark Thomas
On 12/06/2019 15:45, Support wrote:
> Hi Sir,
> I am using Tomcat 9 for my application.
> 
> I got an error with the .keystore file for the SSL certificate.
> 
> This is my code; is it still valid in Tomcat 9?
> 
>  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/home/myapp/.keystore" keystorePass="Password"
> sslEnabledProtocols="TLSv1.2"
>   />

No. Your protocol value is not valid. The BIO connector has been
removed. You probably want NIO.

See:
http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Common_Attributes

Search for protocol.

Mark


> 
> 
> 
> Logs:
> 
> 
> 12-Jun-2019 14:19:03.973 WARNING [main]
> org.apache.catalina.startup.SetAllPropertiesRule.begin
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'maxThreads' to '150' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main]
> org.apache.catalina.startup.SetAllPropertiesRule.begin
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLEnabled' to 'true' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main]
> org.apache.catalina.startup.SetAllPropertiesRule.begin
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'clientAuth' to 'false' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main]
> org.apache.catalina.startup.SetAllPropertiesRule.begin
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslProtocol' to 'TLS' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main]
> org.apache.catalina.startup.SetAllPropertiesRule.begin
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'keystoreFile' to '/home/myPP/.keystore' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main]
> org.apache.catalina.startup.SetAllPropertiesRule.begin
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'keystorePass' to 'PASSWORD' did not find a matching property.
> 12-Jun-2019 14:19:03.974 WARNING [main]
> org.apache.catalina.startup.SetAllPropertiesRule.begin
> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'sslEnabledProtocols' to 'TLSv1.2' did not find a matching property.
> 
> Regards,
> Sandeep Raghav
> 
> Customer Support Engineer
> supp...@xcaptor.com
> Captivate. Engage.
> 





SSL certificate error in Tomcat 9

2019-06-12 Thread Support
Hi Sir,
I am using Tomcat 9 for my application.

I got an error with the .keystore file for the SSL certificate.

This is my code; is it still valid in Tomcat 9?





Logs:


12-Jun-2019 14:19:03.973 WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'maxThreads' to '150' did not find a matching property.
12-Jun-2019 14:19:03.973 WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLEnabled' to 'true' did not find a matching property.
12-Jun-2019 14:19:03.973 WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'clientAuth' to 'false' did not find a matching property.
12-Jun-2019 14:19:03.973 WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslProtocol' to 'TLS' did not find a matching property.
12-Jun-2019 14:19:03.973 WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'keystoreFile' to '/home/myPP/.keystore' did not find a matching property.
12-Jun-2019 14:19:03.973 WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'keystorePass' to 'PASSWORD' did not find a matching property.
12-Jun-2019 14:19:03.974 WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'sslEnabledProtocols' to 'TLSv1.2' did not find a matching property.

Regards,
Sandeep Raghav

Customer Support Engineer
supp...@xcaptor.com
Captivate. Engage.


Re: Please help me in enabling SSL certificate

2018-08-07 Thread Venkataraman Srinivasan
John,

Thanks.  Now it is working fine. I cleansed the file.

Thanks
Venkat





>>> John Palmer  8/7/2018 9:10 AM >>>
Your server.xml shows TWO connectors for port 8443; that second one (with
all the certificate entries) is then causing the error:

> Caused by: java.net.BindException: Address already in use

As that one is probably the one you want to be using, delete or comment out
the first connector for port 8443.


On Thu, Aug 2, 2018 at 1:24 PM, Venkataraman Srinivasan <
venkataraman.sriniva...@gcrta.org> wrote:

>
> Hi ,
>
> I am using tomcat version 8.5.32
>
>
> I made the below entry  in Server.xml
>
>
> connectionTimeout="2"
> />
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> maxThreads="200" secure="true" scheme="https" >
> keystorePass="x" type="RSA"
> clientAuth="false" SSLEnabled="true"
> sslProtocol="TLS"
> >
>
> When I tried to login, https://webapxt03.rta:8443, the log file
> catalina.2018-08-02.log recorded as below
>
>
> CATALINA.OUT has got entries as below
>
>
> 02-Aug-2018 14:04:24.926 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
>  org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> ... 12 more
> Caused by: java.net.BindException: Address already in use
> at sun.nio.ch.Net.bind0(Native Method)
> at sun.nio.ch.Net.bind(Net.java:444)
> at sun.nio.ch.Net.bind(Net.java:436)
> at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:214)
> at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:210)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
> ... 13 more
>
>
> I used SSL/TLS Configuration HOW-TO of Apache Tomcat 7 document
>
>
>
> >>> Christopher Schultz  8/2/2018 12:44 PM >>>
>
> Venkataraman,
>
> On 8/2/18 12:14 PM, Venkataraman Srinivasan wrote:
> > Chris,
> >
> > Thanks for your reply.  I will implement your recommendations in my
> > next iterations.
> >
> > Currently I did as below.
> >
> > I copied the keystore file as /home/apexadmin/.keystore
> >
> > and made below entry in server.xml
>
> What version of Tomcat are you using? Which part of the user guide are
> you reading? I just want to make sure you are following the right
> guide for the right version.
>
> >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="200" redirectPort="8443" scheme="https" >  > certificateFile="/home/apexadmin/.keystore" keystorePass="x"
> > type="RSA" clientAuth="false" SSLEnabled="true" sslProtocol="TLS"
> >>
> >  
>
> You will need to set a few more attributes on the <Connector>:
>
>SSLEnabled="true"
>secure="true"
>
> The next part depends upon your Tomcat version.
>
> > Opened the port 8443 and recycled tomcat.
>
> The  

Re: Please help me in enabling SSL certificate

2018-08-07 Thread Christopher Schultz

Venkataraman,

On 8/2/18 2:24 PM, Venkataraman Srinivasan wrote:
> I am using tomcat version 8.5.32

Thanks.

> I made the below entry  in Server.xml
> 
> 
> 
>  
> 
> 
>   port="8443" protocol="HTTP/1.1" connectionTimeout="2" />
> 
> 
> 
> 
>  protocol="org.apache.coyote.http11.Http11NioProtocol" 
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> maxThreads="200" secure="true"  scheme="https" >
> ).

If you want to use a keystore, you need to use the
certificateKeystoreFile and certificateKeystorePassword attributes
instead.

> keystorePass="x" type="RSA" clientAuth="false"
> SSLEnabled="true" sslProtocol="TLS"

None of clientAuth, SSLEnabled, or sslProtocol are valid attributes of
a <Certificate> element.

clientAuth should be SSLHostConfig/@certificateVerification
SSLEnabled should be Connector/@SSLEnabled
sslProtocol should be SSLHostConfig/@sslProtocol

>> 
>  

As John mentions, you have two connectors attempting to use the same
port, which isn't going to work. I'd remove the first one, since it's
obvious you want the second one to be the configured connector.

You also need to set SSLEnabled="true" on the <Connector>. Nothing
will work without that.

http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support

Also, since you are using Tomcat 8.5, you should probably be using
Tomcat 8.5 configuration style, like you can see in this next section
of the configuration guide:

http://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig

Specifically, you should be using <SSLHostConfig> elements with
<Certificate> child elements instead of bare <Certificate> elements
within the connector.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
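As an added example (not code from this thread or from Tomcat itself), a small Python linter that checks a server.xml for the mistakes pointed out in this thread: two connectors bound to the same port (the cause of the BindException in the log), SSLEnabled missing on the Connector, a Certificate placed directly under the Connector instead of inside an SSLHostConfig, and the clientAuth/SSLEnabled/sslProtocol/keystorePass attributes that 8.5 does not accept on Certificate. Both server.xml fragments are constructed for the demo and the keystore password is a placeholder.

```python
"""Lint a Tomcat 8.5 server.xml for the TLS connector mistakes discussed in this thread."""
import xml.etree.ElementTree as ET
from collections import Counter

# <Certificate> attributes that Tomcat 8.5 does not accept, mapped to where the
# setting belongs (from the reply above and the 8.5 HTTP connector documentation).
LEGACY_CERT_ATTRS = {
    "clientAuth": "SSLHostConfig/@certificateVerification",
    "SSLEnabled": "Connector/@SSLEnabled",
    "sslProtocol": "SSLHostConfig/@sslProtocol",
    "keystorePass": "Certificate/@certificateKeystorePassword",
}

# Constructed fragment reproducing the configuration posted in the thread.
BROKEN_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               maxThreads="200" secure="true" scheme="https">
      <Certificate certificateFile="/home/apexadmin/.keystore" keystorePass="PLACEHOLDER"
                   type="RSA" clientAuth="false" SSLEnabled="true" sslProtocol="TLS" />
    </Connector>
  </Service>
</Server>
"""

# Constructed fragment in Tomcat 8.5 style: plain HTTP on 8080, TLS on 8443.
FIXED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="200" SSLEnabled="true" secure="true" scheme="https">
      <SSLHostConfig sslProtocol="TLS" certificateVerification="none">
        <Certificate certificateKeystoreFile="/home/apexadmin/.keystore"
                     certificateKeystorePassword="PLACEHOLDER" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def lint_server_xml(xml_text):
    """Return a list of findings; an empty list means the connector setup is clean."""
    findings = []
    connectors = list(ET.fromstring(xml_text).iter("Connector"))

    # Two connectors on one port: the second bind fails with
    # java.net.BindException: Address already in use.
    for port, count in Counter(c.get("port") for c in connectors).items():
        if count > 1:
            findings.append(f"port {port}: {count} connectors share this port; "
                            "the second one fails with BindException")

    for c in connectors:
        port = c.get("port", "?")
        wants_tls = (c.get("scheme") == "https" or c.get("secure") == "true"
                     or c.find("SSLHostConfig") is not None
                     or c.find("Certificate") is not None)
        # SSLEnabled="true" belongs on the <Connector>; nothing works without it.
        if wants_tls and c.get("SSLEnabled") != "true":
            findings.append(f'port {port}: TLS intended but Connector lacks SSLEnabled="true"')
        # 8.5 style: <Certificate> sits inside <SSLHostConfig>, not directly in <Connector>.
        if c.find("Certificate") is not None:
            findings.append(f"port {port}: <Certificate> placed directly under <Connector>; "
                            "nest it inside an <SSLHostConfig> element")
        for cert in c.iter("Certificate"):
            for attr, replacement in LEGACY_CERT_ATTRS.items():
                if attr in cert.attrib:
                    findings.append(f"port {port}: Certificate/@{attr} is not valid; "
                                    f"use {replacement}")
            # certificateFile expects a PEM certificate; a keystore needs
            # certificateKeystoreFile plus certificateKeystorePassword.
            if "certificateFile" in cert.attrib and "keystorePass" in cert.attrib:
                findings.append(f"port {port}: certificateFile points at a keystore; "
                                "use certificateKeystoreFile and certificateKeystorePassword")
    return findings


if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(f"--- {label} ---")
        for finding in lint_server_xml(doc) or ["no findings"]:
            print(finding)
```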



Re: Please help me in enabling SSL certificate

2018-08-07 Thread John Palmer
your server.xml shows TWO connectors for port 8443; that second one (with
all the certificate entries) is then causing the error:

> Caused by: java.net.BindException: Address already in use

As that one is probably the one you want to be using, delete or comment out
the first connector for port 8443


On Thu, Aug 2, 2018 at 1:24 PM, Venkataraman Srinivasan <
venkataraman.sriniva...@gcrta.org> wrote:

>
> Hi ,
>
> I am using tomcat version 8.5.32
>
>
> I made the below entry  in Server.xml
>
>  
>
> 
> 
>
>
> 
> connectionTimeout="2"
> />
>
>
>
>
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> maxThreads="200" secure="true"  scheme="https" >
> keystorePass="x" type="RSA"
> clientAuth="false" SSLEnabled="true"
> sslProtocol="TLS"
>  >
>
> 
>
> '
> When I tried to login, https://webapxt03.rta:8443, the log file
> catalina.2018-08-02.log recorded as below
>
>
> CATALINA.OUT has got entries as below
>
>
> 02-Aug-2018 14:04:24.926 SEVERE [main] 
> org.apache.catalina.core.StandardService.initInternal
> Failed to initialize connector [Connector[HTTP/1.1-8443]]
>  org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[HTTP/1.1-8443]]
> at org.apache.catalina.util.LifecycleBase.init(
> LifecycleBase.java:112)
> at org.apache.catalina.core.StandardService.initInternal(
> StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(
> LifecycleBase.java:107)
> at org.apache.catalina.core.StandardServer.initInternal(
> StandardServer.java:875)
> at org.apache.catalina.util.LifecycleBase.init(
> LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(
> NativeMethodAccessorImpl.java:57)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(
> DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
> at org.apache.catalina.connector.Connector.initInternal(
> Connector.java:995)
> at org.apache.catalina.util.LifecycleBase.init(
> LifecycleBase.java:107)
> ... 12 more
> Caused by: java.net.BindException: Address already in use
> at sun.nio.ch.Net.bind0(Native Method)
> at sun.nio.ch.Net.bind(Net.java:444)
> at sun.nio.ch.Net.bind(Net.java:436)
> at sun.nio.ch.ServerSocketChannelImpl.bind(
> ServerSocketChannelImpl.java:214)
> at sun.nio.ch.ServerSocketAdaptor.bind(
> ServerSocketAdaptor.java:74)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.
> java:210)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(
> AbstractEndpoint.java:1086)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(
> AbstractJsseEndpoint.java:268)
> at org.apache.coyote.AbstractProtocol.init(
> AbstractProtocol.java:581)
> at org.apache.coyote.http11.AbstractHttp11Protocol.init(
> AbstractHttp11Protocol.java:68)
> at org.apache.catalina.connector.Connector.initInternal(
> Connector.java:993)
> ... 13 more
>
>
> I used SSL/TLS Configuration HOW-TO of Apache Tomcat 7 document
>
>
>
> >>> Christopher Schultz  8/2/2018 12:44 PM >>>
>
> Venkataraman,
>
> On 8/2/18 12:14 PM, Venkataraman Srinivasan wrote:
> > Chris,
> >
> > Thanks for your reply.  I will implement your recommendations in my
> > next iterations.
> >
> > Currently I did as below.
> >
> > I copied the keystore file as /home/apexadmin/.keystore
> >
> > and made below entry in server.xml
>
> What version of Tomcat are you using? Which part of the user guide are
> you reading? I just want to make sure you are following the right
> guide for the right version.
>
> >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxThreads="200" redirectPort="8443" scheme="https" >  > certificateFile="/home/apexadmin/.keystore" keystorePass="x"
> > type="RSA" clientAuth="false" SSLEnabled="true" sslProtocol="TLS"
> >>
> >  
>
> You will need to set a few more attributes on the <Connector>:
>
>SSLEnabled="true"
>secure="true"
>
> The next part depends upon your Tomcat version.
>
> > Opened the port 8443 and recycled tomcat.
>
> The <Connector> defined above is listening on port 8080. That is
> unusual; most people would expect port 8080 to be a plaintext HTTP
> 

Re: Please help me in enabling SSL certificate

2018-08-02 Thread Venkataraman Srinivasan


Hi ,

I am using tomcat version 8.5.32


I made the below entry  in Server.xml

 











   
   
   
   

'
When I tried to login, https://webapxt03.rta:8443, the log file 
catalina.2018-08-02.log recorded as below 


CATALINA.OUT has got entries as below


02-Aug-2018 14:04:24.926 SEVERE [main] 
org.apache.catalina.core.StandardService.initInternal Failed to initialize 
connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler 
initialization failed
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.net.BindException: Address already in use
at sun.nio.ch.Net.bind0(Native Method)
at sun.nio.ch.Net.bind(Net.java:444)
at sun.nio.ch.Net.bind(Net.java:436)
at 
sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:214)
at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:210)
at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more


I used SSL/TLS Configuration HOW-TO of Apache Tomcat 7 document



>>> Christopher Schultz  8/2/2018 12:44 PM >>>

Venkataraman,

On 8/2/18 12:14 PM, Venkataraman Srinivasan wrote:
> Chris,
> 
> Thanks for your reply.  I will implement your recommendations in my
> next iterations.
> 
> Currently I did as below.
> 
> I copied the keystore file as /home/apexadmin/.keystore
> 
> and made below entry in server.xml

What version of Tomcat are you using? Which part of the user guide are
you reading? I just want to make sure you are following the right
guide for the right version.

>  protocol="org.apache.coyote.http11.Http11NioProtocol" 
> maxThreads="200" redirectPort="8443" scheme="https" >  certificateFile="/home/apexadmin/.keystore" keystorePass="x"
> type="RSA" clientAuth="false" SSLEnabled="true" sslProtocol="TLS"
>> 
>  

You will need to set a few more attributes on the <Connector>:

   SSLEnabled="true"
   secure="true"

The next part depends upon your Tomcat version.

> Opened the port 8443 and recycled tomcat.

The <Connector> defined above is listening on port 8080. That is
unusual; most people would expect port 8080 to be a plaintext HTTP
port, while port 8443 would be the non-privileged HTTPS port.

Especially for testing, consider leaving the <Connector> for port 8080
as it was originally defined (without HTTPS) and configure a second
<Connector> for HTTPS on port 8443.

-chris



Re: Please help me in enabling SSL certificate

2018-08-02 Thread Christopher Schultz

James,

On 8/2/18 12:17 PM, James H. H. Lampert wrote:
> On 8/2/18, 9:05 AM, Venkataraman Srinivasan wrote:
>> I used below command to create certificate locally.
>> 
>> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
>> -keystore /opt/tomcat/apache-tomcat-8.5.32/keystore
> 
> Ok. Probably the first thing you need to do is set up your
> connector to use that keystore.

Thanks for your reply, James. I'm going to make a few adjustments to
help newcomers as well as you use the correct terminology in a few
places.

> If it's a Java Keystore, then presumably you will be using the 
> native/JSSE connector; the other one is for OpenSSL.

Java actually supports a handful of keystore types. Common ones are
JKS (the default up until Java 9, which is Java-specific), JCEKS
(which is still Java-specific and somehow "more secure" but I don't
understand how) and PKCS12, which is an industry-standard. OpenSSL can
use PKCS12 keystores, but usually people use PEM-encoded DER files
(the things that are a bunch of letters and numbers beginning with
either "BEGIN PRIVATE KEY" or "BEGIN CERTIFICATE").

> And there are plenty of web resources explaining that process in 
> detail. This is the one I keep bookmarked for reference:
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

This is a good one, but things have changed a bit for configuration
for later versions of Tomcat. Tomcat 8.5 and later specifically have
to have a different kind of configuration for SSL/TLS certificates,
because of the use of Server Name Indication (SNI) to determine which
certificate to show to the client when making a connection.

Remember that the TLS handshake happens before the HTTP headers
(including the "Host" header) can be delivered, and the server can
host certificates for multiple domain names. SNI allows the TLS
handshake to tell the server which hostname it intends to reach once
the TLS handshake has completed and the HTTP conversation begins.

> Once you have the connector working, if you want your server to be 
> trusted by strangers, then you need to get that keystore signed.

Technically, it's the certificate that gets signed, not the keystore.

> Using Keytool (or some other utility, like KeyStore Explorer on a 
> Macintosh), you need to generate a Certificate Signing Request for
> your keystore.
> 
> You would then choose a Certificate Authority, and buy a
> certificate. At some point in the process, you will be asked to
> upload the CSR. You might also be asked to provide some sort of
> proof that you have control over the domain.
> 
> Once the certificate is issued, you would then import the reply

Which is a certificate itself. It's actually YOUR certificate, plus a
signature that proves the CA signed it.

> along with one or more supporting certificates (collectively, a 
> "certificate chain") into your keystore, again using either
> Keytool or some more user-friendly utility, and then plug the
> signed keystore into your server. The Certificate Authority, if
> it's a major one, will probably have detailed instructions specific
> to Tomcat.

They might. But there are a lot of options, so not every guide will be
straightforward to use.

If the Tomcat documentation can't help get things going, it needs to
be updated.

-chris
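To make the SNI point above concrete, here is an added Python example (not from this thread or from Tomcat) that builds a minimal TLS ClientHello carrying a server_name extension, parses the hostname back out, and selects a certificate by that name the way an SNI-aware server does, before any HTTP request, and therefore any Host header, has been read. The certificate table is constructed for the demo; the `_default_` fallback name mirrors the hostName Tomcat uses for its default SSLHostConfig.

```python
"""Minimal TLS ClientHello with a server_name (SNI) extension, plus the server-side
certificate choice it drives. Added example, not code from the thread or from Tomcat."""
import struct

SNI_EXT_TYPE = 0x0000   # ExtensionType server_name (RFC 6066)
HOST_NAME = 0           # NameType host_name


def build_client_hello(server_name, client_random=bytes(32)):
    """Return one TLS record holding a ClientHello; server_name=None omits the extension."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = struct.pack("!BH", HOST_NAME, len(host)) + host   # NameType, length, name
        name_list = struct.pack("!H", len(entry)) + entry          # ServerNameList
        ext = struct.pack("!HH", SNI_EXT_TYPE, len(name_list)) + name_list
        extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + client_random + b"\x00"      # TLS 1.2, random, empty session id
            + struct.pack("!HH", 2, 0xC02F)            # one cipher suite in the list
            + b"\x01\x00"                              # null compression only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record):
    """Return the host_name carried in a ClientHello record, or None when absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 4 + 2 + 32                                      # handshake header, version, random
    pos += 1 + hs[pos]                                    # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher suites
    pos += 1 + hs[pos]                                    # compression methods
    if pos >= len(hs):
        return None                                       # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
        data, pos = hs[pos + 4:pos + 4 + ext_len], pos + 4 + ext_len
        if ext_type != SNI_EXT_TYPE:
            continue
        q = 2                                             # skip the ServerNameList length
        while q + 3 <= len(data):
            name_type, name_len = struct.unpack("!BH", data[q:q + 3])
            q += 3
            if name_type == HOST_NAME:
                return data[q:q + name_len].decode("ascii")
            q += name_len
    return None


def pick_certificate(record, certs_by_host, default_host="_default_"):
    """Choose a certificate from the ClientHello alone, as an SNI-aware server must;
    an unknown or missing name falls back to the default host (exact matching only)."""
    return certs_by_host.get(parse_sni(record), certs_by_host[default_host])


if __name__ == "__main__":
    # Constructed table: in Tomcat 8.5 each entry would be one SSLHostConfig hostName.
    certs = {"webapxt03.rta": "cert for webapxt03.rta", "_default_": "default cert"}
    for name in ("webapxt03.rta", "other.example", None):
        hello = build_client_hello(name)
        print(name, "->", parse_sni(hello), "->", pick_certificate(hello, certs))
```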




Re: Please help me in enabling SSL certificate

2018-08-02 Thread Christopher Schultz

Venkataraman,

On 8/2/18 12:14 PM, Venkataraman Srinivasan wrote:
> Chris,
> 
> Thanks for your reply.  I will implement your recommendations in my
> next iterations.
> 
> Currently I did as below.
> 
> I copied the keystore file as /home/apexadmin/.keystore
> 
> and made below entry in server.xml

What version of Tomcat are you using? Which part of the user guide are
you reading? I just want to make sure you are following the right
guide for the right version.

>  protocol="org.apache.coyote.http11.Http11NioProtocol" 
> maxThreads="200" redirectPort="8443" scheme="https" >  certificateFile="/home/apexadmin/.keystore" keystorePass="changeit"
> type="RSA" clientAuth="false" SSLEnabled="true" sslProtocol="TLS"
>> 
>  

You will need to set a few more attributes on the <Connector>:

   SSLEnabled="true"
   secure="true"

The next part depends upon your Tomcat version.

> Opened the port 8443 and recycled tomcat.

The <Connector> defined above is listening on port 8080. That is
unusual; most people would expect port 8080 to be a plaintext HTTP
port, while port 8443 would be the non-privileged HTTPS port.

Especially for testing, consider leaving the <Connector> for port 8080
as it was originally defined (without HTTPS) and configure a second
<Connector> for HTTPS on port 8443.

-chris




Re: Please help me in enabling SSL certificate

2018-08-02 Thread James H. H. Lampert

On 8/2/18, 9:05 AM, Venkataraman Srinivasan wrote:

I used below command to create certificate locally.

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore 
/opt/tomcat/apache-tomcat-8.5.32/keystore


Ok. Probably the first thing you need to do is set up your connector to 
use that keystore. If it's a Java Keystore, then presumably you will be 
using the native/JSSE connector; the other one is for OpenSSL. And there 
are plenty of web resources explaining that process in detail. This is 
the one I keep bookmarked for reference:


http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Once you have the connector working, if you want your server to be 
trusted by strangers, then you need to get that keystore signed.


Using Keytool (or some other utility, like KeyStore Explorer on a 
Macintosh), you need to generate a Certificate Signing Request for your 
keystore.


You would then choose a Certificate Authority, and buy a certificate. At 
some point in the process, you will be asked to upload the CSR. You 
might also be asked to provide some sort of proof that you have control 
over the domain.


Once the certificate is issued, you would then import the reply, along 
with one or more supporting certificates (collectively, a "certificate 
chain") into your keystore, again using either Keytool or some more 
user-friendly utility, and then plug the signed keystore into your 
server. The Certificate Authority, if it's a major one, will probably 
have detailed instructions specific to Tomcat.


--
JHHL




Re: Please help me in enabling SSL certificate

2018-08-02 Thread Venkataraman Srinivasan
Chris,

Thanks for your reply.  I will implement your recommendations in my next 
iterations.

Currently I did as below.


I copied the keystore file as /home/apexadmin/.keystore

and made below entry in server.xml



   
   
   



Opened the port 8443 and recycled tomcat.

But no use

Thanks
Venkat


>>> Christopher Schultz  8/2/2018 12:09 PM >>>

Venkataraman,

On 8/2/18 12:05 PM, Venkataraman Srinivasan wrote:
> I used below command to create certificate locally.
> 
> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore 
> /opt/tomcat/apache-tomcat-8.5.32/keystore
Okay, so you have a self-signed certificate.

Have you tried anything to configure Tomcat for TLS/SSL? If so, what?

If you haven't tried anything, yet, have you read any documentation on
the Tomcat site for how to configure TLS?

(BTW, you probably have a certificate that doesn't last as long as you
might think, and the key might not have as many bits as you might
like. Consider inspecting the certificate and key to see the details
and decide if it meets your needs. Personally, I always use RSA keys
of at least 4096-bits and use SHA256 signatures on the certificates.
The validity period is up to you. You might also consider using an EC
key+certificate, since the same "strength" key+cert can be processed
with less CPU time than an equivalent RSA key.)

-chris

> >>> Christopher Schultz  8/2/2018 12:03 PM >>>
> Venkataraman,
> 
> On 8/2/18 12:00 PM, Venkataraman Srinivasan wrote:
>> Please help me in enabling SSL certificate in Tomcat Apache 
>> servers.
> 
> Do you already have a certificate signed by a CA?
> 
> What have you already tried?
> 
> -chris
> 



Re: Please help me in enabling SSL certificate

2018-08-02 Thread Christopher Schultz

Venkataraman,

On 8/2/18 12:05 PM, Venkataraman Srinivasan wrote:
> I used below command to create certificate locally.
> 
> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore 
> /opt/tomcat/apache-tomcat-8.5.32/keystore
Okay, so you have a self-signed certificate.

Have you tried anything to configure Tomcat for TLS/SSL? If so, what?

If you haven't tried anything, yet, have you read any documentation on
the Tomcat site for how to configure TLS?

(BTW, you probably have a certificate that doesn't last as long as you
might think, and the key might not have as many bits as you might
like. Consider inspecting the certificate and key to see the details
and decide if it meets your needs. Personally, I always use RSA keys
of at least 4096-bits and use SHA256 signatures on the certificates.
The validity period is up to you. You might also consider using an EC
key+certificate, since the same "strength" key+cert can be processed
with less CPU time than an equivalent RSA key.)

-chris

> >>> Christopher Schultz  8/2/2018 12:03 PM >>>
> Venkataraman,
> 
> On 8/2/18 12:00 PM, Venkataraman Srinivasan wrote:
>> Please help me in enabling SSL certificate in Tomcat Apache 
>> servers.
> 
> Do you already have a certificate signed by a CA?
> 
> What have you already tried?
> 
> -chris
> 



Re: Please help me in enabling SSL certificate

2018-08-02 Thread Venkataraman Srinivasan
I used below command to create certificate locally.

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore 
/opt/tomcat/apache-tomcat-8.5.32/keystore


Thanks
Venkat



>>> Christopher Schultz  8/2/2018 12:03 PM >>>

Venkataraman,

On 8/2/18 12:00 PM, Venkataraman Srinivasan wrote:
> Please help me in enabling SSL certificate in Tomcat Apache
> servers.

Do you already have a certificate signed by a CA?

What have you already tried?

-chris




Re: Please help me in enabling SSL certificate

2018-08-02 Thread Christopher Schultz

Andrea,

On 8/2/18 12:03 PM, Andrea Freire wrote:
> You have to install the native connector

Your statement is false: the native connector is NOT required to
install a TLS certificate in Tomcat.

-chris

>  From: Venkataraman Srinivasan
>  Sent: Thursday, August 2, 2018
> 11:00:11 AM To: users@tomcat.apache.org Subject: Please help me in
> enabling SSL certificate
> 
> Hi,
> 
> Please help me in enabling SSL certificate in Tomcat Apache
> servers.
> 
> Thanks
> 
> 
> 
> 
> 
> Venkataraman Srinivasan Database Administrator Greater Cleveland
> RTA Desk phone 1-216-356-3028 
> venkataraman.sriniva...@grcta.org



Re: Please help me in enabling SSL certificate

2018-08-02 Thread Christopher Schultz

Venkataraman,

On 8/2/18 12:00 PM, Venkataraman Srinivasan wrote:
> Please help me in enabling SSL certificate in Tomcat Apache
> servers.

Do you already have a certificate signed by a CA?

What have you already tried?

-chris



Re: Please help me in enabling SSL certificate

2018-08-02 Thread Andrea Freire
You have to install the native connector

Get Outlook for Android<https://aka.ms/ghei36>


From: Venkataraman Srinivasan 
Sent: Thursday, August 2, 2018 11:00:11 AM
To: users@tomcat.apache.org
Subject: Please help me in enabling SSL certificate

Hi,

Please help me in enabling SSL certificate in Tomcat Apache servers.

Thanks





Venkataraman Srinivasan
Database Administrator
Greater Cleveland RTA
Desk phone 1-216-356-3028
venkataraman.sriniva...@grcta.org



Please help me in enabling SSL certificate

2018-08-02 Thread Venkataraman Srinivasan
Hi,
 
Please help me in enabling SSL certificate in Tomcat Apache servers.
 
Thanks
 

 


Venkataraman Srinivasan
Database Administrator
Greater Cleveland RTA
Desk phone 1-216-356-3028
venkataraman.sriniva...@grcta.org 



Re: renewing an ssl certificate

2017-04-06 Thread Lyallex
On 6 April 2017 at 14:18, Christopher Schultz
 wrote:
> Lyallex,
>
> On 4/6/17 5:52 AM, Lyallex wrote:
>> I get a zipped archive from Comodo containing individual files but
>> I'll look into pem files
>
> Oh, those individual files *are* the PEM files.

Er

AddTrustExternalCARoot.crt
COMODORSAAddTrustCA.crt
COMODORSADomainValidationSecureServerCA.crt
www_mydomain_com.crt

> LE is the answer.

I run a commercial site, and getting security warn-offs because a CA is
not recognised by the browser/user agent is not an option. I run about
20 different browsers/versions on several platforms, which is about the
limit for us (Americans would call us a 'mom and pop shop'). I'll read
up on LE and find out what they call themselves (the 'CA name' I guess)
then check to see how many of my browsers know about them.

Primitive maybe, but it's what I've got.

Thanks for the info
Lyallex

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: renewing an ssl certificate

2017-04-06 Thread Christopher Schultz

Lyallex,

On 4/6/17 5:52 AM, Lyallex wrote:
> I get a zipped archive from Comodo containing individual files but 
> I'll look into pem files

Oh, those individual files *are* the PEM files.

>> Come to this year's ApacheCon NA in Miami. There will be a few
>> talks about TLS, including one on the basics and another one on
>> using Let's Encrypt to get free automated certs so you never have
>> to manually do this process ever again -- unless you want an EV
>> cert ;)
> 
> Love to, but I'm in the UK.

Plenty of folks from Europe (sorry... Mighty Independent Britain, I
guess) are coming to the conference. There's also an EU conference
(almost) every year.

> I delegate payment to a service provider, the only external
> resource I use, so I don't store users financial data, just makes
> life simpler.and means I don't really need an EV cert.

Cool. In that case, consider moving to Let's Encrypt. 100% free and
they *force* you to automate.

> Despite their vehement denial, https is a ranking signal to
> Google, maybe it would be nice if they offered a free basic ssl
> cert so small businesses like mine don't have to pay over GBP 100
> inc VAT every year.

LE is the answer.

-chris




[OT] Re: renewing an ssl certificate

2017-04-06 Thread Olaf Kock

On 06.04.2017 at 01:42, Christopher Schultz wrote:
> Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
> have a testing environment, I think you'll be able to do it in about
> 30 minutes. After you do it once, it'll take you more like 5 minutes.
>
*Everybody* has a testing environment. Some of us are lucky in that they
have a completely independent production environment.

(Sorry, I can't attribute this any better than "Source: Internet", saw
it in some conference presentation slides)




Re: renewing an ssl certificate

2017-04-06 Thread Lyallex
On 6 April 2017 at 00:42, Christopher Schultz
 wrote:
> Lyllax,
>
> On 4/4/17 3:11 PM, Lyallex wrote:
>> After some sterling support from this list a while ago which
>> included a code change I have been successfully running Apache
>> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
>> year now without problems, it just works, it never falls over and
>> it has withstood some concerted attacks by all sorts of scallywags.
>> Impressive.
>
> Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
> have a testing environment, I think you'll be able to do it in about
> 30 minutes. After you do it once, it'll take you more like 5 minutes.

Already running on my dev and stage boxes



> It should be that simple every time. Again, always keep a backup...

All I do is create a brand new keystore in a new location and do
everything from there. When I'm happy I simply change the location of
the keystore in the relevant connector in conf/server.xml and restart
tomcat. If it all goes belly up I simply change the config to point to
the old keystore.

Of course this only works if you don't leave everything to the last
minute and the old cert times out :-)



>
> When you are using PEM files, it's very clear what everything is, and,
> if you have a one-PEM-file-to-rule-them-all, then you can at least see
> everything labelled appropriately with a simple text editor. You can
> also get your private key out of the bundle without resorting to
> chicanery.

I get a zipped archive from Comodo containing individual files but
I'll look into pem files

> Come to this year's ApacheCon NA in Miami. There will be a few talks
> about TLS, including one on the basics and another one on using Let's
> Encrypt to get free automated certs so you never have to manually do
> this process ever again -- unless you want an EV cert ;)

Love to, but I'm in the UK.
I delegate payment to a service provider, the only external resource I
use, so I don't store users' financial data, just makes life simpler,
and means I don't really need an EV cert.

Despite their vehement denial, https is a ranking signal to Google,
maybe it would be nice if they offered a free basic ssl cert so small
businesses like mine don't have to pay over GBP 100 inc VAT every
year.

I won't hold my breath.

Thanks for taking the time to reply
Lyallex




Re: renewing an ssl certificate

2017-04-05 Thread Christopher Schultz
Lyllax,

On 4/4/17 3:11 PM, Lyallex wrote:
> After some sterling support from this list a while ago which
> included a code change I have been successfully running Apache
> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
> year now without problems, it just works, it never falls over and
> it has withstood some concerted attacks by all sorts of scallywags.
> Impressive.

Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
have a testing environment, I think you'll be able to do it in about
30 minutes. After you do it once, it'll take you more like 5 minutes.

> It is now time to renew my ssl certificate and I'm getting a bit
> jumpy.

No sweat.

> I managed to get everything working first time around following the
> docs at 
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL
>
>  According to my service provider (comodo) I have to submit a new 
> certificate signing request which (I think) means creating a self 
> signed certificate.
> 
> Will this mess up my existing cert, it still has 10 days to go?

That depends upon exactly how you do things.

> Is the process the same as installing first time or are there some 
> gotchas I need to be aware of

I would start from scratch every time. Here's why:

1. Java keystores are ... an abomination. The less you have to mess
with them, the better.

2. In the unlikely event that your private key has been compromised
(e.g. someone broke into your server and copied it off there).

3. For conversations that aren't using "forward security", the RSA
private key is the master key to all of those conversations. If
someone (e.g. US-NSA) has compromised your private key and is recording
all your conversations with your clients, then a compromised key means
a compromise of all of those conversations, past or future. Generating
a new private key limits the amount of damage that can be caused by
this kind of compromise.

4. If you break something, you'll have the old keystore as a backup
and can roll-back immediately without worrying if you have broken
anything in the original keystore. (Of course, you could just make a
backup copy of the keystore, but this start-fresh process has a
built-in backup, so you don't have to remember it.)

> [From a followup post]
> 
> actually all I was asking was 'is it possible to use an existing
> keystore (and therefor an existing private key)' to install a new
> certification chain'

You can, but see above.

> In the end I created a brand new keystore, generated a new private
> key and CSR, submitted the CSR to Comodo then installed the new
> chain when it arrived. Then I simply switched the server
> (../conf/server.xml) to look at the new keystore and it just
> worked. Result.

It should be that simple every time. Again, always keep a backup...
just in case.

> I was under the impression the certs were 'installed' in the
> keystore but I don't think this is right so now I have to figure
> out where they are as I'd like to remove the old ones. Every time I
> mess about with this SSL/TLS stuff I age several years :-)

This is the thing about Java keystores: they merge concepts together
in a way that I dislike. If you crack-open your keystore, you'll end
up finding the following:

1. a private key
2. a self-signed certificate
3. the CA-signed certificate
4. the CA's intermediate certificate (usually)

But "keytool" makes it look like #1 and #2 are the same thing.

When you are using PEM files, it's very clear what everything is, and,
if you have a one-PEM-file-to-rule-them-all, then you can at least see
everything labelled appropriately with a simple text editor. You can
also get your private key out of the bundle without resorting to
chicanery.

Come to this year's ApacheCon NA in Miami. There will be a few talks
about TLS, including one on the basics and another one on using Let's
Encrypt to get free automated certs so you never have to manually do
this process ever again -- unless you want an EV cert ;)

-chris


Re: renewing an ssl certificate

2017-04-05 Thread Lyallex
Drat ... missed the list

Martin

Thank you for your comprehensive reply ...
actually all I was asking was 'is it possible to use an existing keystore
(and therefore an existing private key)' to install a new certification
chain'

In the end I created a brand new keystore, generated a new private key and
CSR, submitted the CSR to Comodo then installed the new chain when it
arrived. Then I simply switched the server (../conf/server.xml) to look at
the new keystore and it just worked. Result.

I was under the impression the certs were 'installed' in the keystore but
I don't think this is right so now I have to figure out where they are as
I'd like to remove the old ones. Every time I mess about with this SSL/TLS
stuff I age several years :-)

Thanks again

On 4 April 2017 at 22:21, Martin Gainty <mgai...@hotmail.com> wrote:

> I don't know who from the list said you could replace a valid SSL
> Certificate (that has since expired)
>
> with a self-signed but they are wrong
>
>
> you are MUCH better off by purchasing a valid Thawte/Verisign Certificate
> with public keys signed by a Certificate Authority which will be recognised by
> ALL browsers
>
>
> Mucking around with create-your-own self-signed certs will lead you to
> justifiable grief and aggravation
>
> First step is to create a CSR for X509 (named) certs embedded in pfx
>
> https://en.wikipedia.org/wiki/X.509
>
> the pfx  will contain Asymmetric private/public keys:
>
> https://www.ciphercloud.com/blog/cloud-information-protection-symmetric-vs-asymmetric-encryption/
>
> first step is to send the CSR to your CA provider Verisign or Thawte
>
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content=CROSSLINK=INFO227
>
>
>
> yes you can create self-signed certs but CHROME stops transmission when
> they do not recognise certifying authority
> https://www.ibm.com/support/knowledgecenter/SSCP65_5.0.0/com.ibm.rational.rrdi.admin.doc/topics/t_browser_ss_cert.html
>
>
> Let me know if you need further assistance
>
> Martin

renewing an ssl certificate

2017-04-04 Thread Lyallex
Tomcatters

After some sterling support from this list a while ago which included
a code change I have been successfully running
Apache Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for
a year now without problems, it just works, it never falls over
and it has withstood some concerted attacks by all sorts of
scallywags. Impressive.

It is now time to renew my ssl certificate and I'm getting a bit jumpy.

I managed to get everything working first time around following the docs at
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#General_Tips_on_Running_SSL

According to my service provider (comodo) I have to submit a new
certificate signing request which (I think) means creating a self
signed certificate.
Will this mess up my existing cert, it still has 10 days to go?

Is the process the same as installing first time or are there some
gotchas I need to be aware of

Thanks, nervously
Lyallex




Re: tomcat under aix has SSL certificate with a weak hash algorithm

2016-09-27 Thread Olaf Kock

On 27.09.2016 at 09:20, Michael Mattes wrote:
> Dear Tomcat users
>
> I have the following problem: I am using tomcat 6.0.45 under aix 7.1
> (7100-03-05-1524)
>
> I got the below Finding and my question is how can I fix it (I have no
> experience regarding how to handle SSL certificates):
First: This is a good chance to upgrade: Tomcat 6 faces its end of life
at the end of this year.

Regarding your cryptographic problem, the description gives it away:
There's a gradual deprecation of the SHA-1 hashing algorithm, and if you
indeed have such a certificate that claims to be valid for longer than
Jan 1, 2017, then there's nothing other than finding that certificate
and replacing it with a better one - nowadays you can't get new ones with
SHA-1 any more (issuance in 2016 is another criterion in the list of
deprecation reasons), so anything that you'd get today from a
certification authority should be fine. If you're generating your own
certificate ("self-signed"), make sure you choose a proper hashing algorithm.

You don't mention the Java version you're using: As tomcat 6 is
compatible with Java 5 and up, there's also a good chance that you're
running an old JVM that doesn't support all the current algorithms -
this might be another part of your stack to upgrade in order to solve
your problem.

With regards to generating a new certificate: It depends: Do you need a
self-signed cert? Do you need a trusted one? Either way, the machine
connecting to the server using your new cert will need to trust its
issuer (you or a certification authority). Explaining this, with all its
nuances is a bit too much for a mailing list answer. There are numerous
tutorials, step by step instructions and explanations available on the
web - you'll need to search for it and insert your personal requirements
and situation.

Olaf
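An added example, not code from any of the posters: a stdlib-only Python inspector that walks a PEM bundle block by block (so the private key and each certificate show up labelled, which is Chris's argument for PEM over keystores earlier on this page) and reports each certificate's signature algorithm, which is what you need to locate the SHA-1-signed member of a chain that a scan like Michael's flags. The bundle it runs on is constructed inside the script (structurally valid DER with placeholder bodies and zero signatures, no real key material); pass the text of your own chain file to inspect_bundle() instead.

```python
import base64
import re

# Signature-algorithm OIDs the inspector knows; True marks a hash the scanner in
# the thread flags as weak (MD5/SHA-1), False one it accepts.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", True),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", True),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", False),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", False),
}

# One PEM block (label and base64 body); a bundle may hold several in a row.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(text):
    """Split a PEM bundle into (label, DER bytes) pairs in file order."""
    return [(label, base64.b64decode(body)) for label, body in PEM_BLOCK.findall(text)]

def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Decode the TLVs packed inside a SEQUENCE value."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        out.append((tag, inner))
    return out

def decode_oid(raw):
    """OID content bytes to dotted form, e.g. 1.2.840.113549.1.1.11."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:  # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def cert_signature_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = der_tlv(der)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    _tbs, (alg_tag, alg_body), _sig = der_children(body)[:3]
    oid_tag, oid_raw = der_children(alg_body)[0]
    if alg_tag != 0x30 or oid_tag != 0x06:
        raise ValueError("signatureAlgorithm is not SEQUENCE { OID, parameters }")
    return decode_oid(oid_raw)

def inspect_bundle(text):
    """Describe each block; certificates also get their signature algorithm checked."""
    report = []
    for label, der in pem_blocks(text):
        entry = {"label": label, "der_len": len(der)}
        if label == "CERTIFICATE":
            oid = cert_signature_oid(der)
            name, weak = SIG_ALGS.get(oid, (oid, None))  # None: unknown, review by hand
            entry.update(sig_alg=name, weak=weak)
        report.append(entry)
    return report

def weak_entries(report):
    """The certificates a scanner like the one in the thread would complain about."""
    return [e for e in report if e.get("weak")]

# --- constructed sample bundle: structurally valid DER, no real keys or signatures ---
def der_encode(tag, content):
    """Minimal DER encoder (short and long length forms), used to build the sample."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def oid_encode(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return der_encode(0x06, bytes(out))

def pem_encode(label, der):
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der).decode(), label)

def sample_cert(sig_oid):
    """Certificate shell: placeholder tbsCertificate, real signatureAlgorithm, zero signature."""
    tbs = der_encode(0x30, der_encode(0x02, b"\x01"))
    alg = der_encode(0x30, oid_encode(sig_oid) + der_encode(0x05, b""))
    sig = der_encode(0x03, b"\x00" + bytes(8))
    return pem_encode("CERTIFICATE", der_encode(0x30, tbs + alg + sig))

SAMPLE_BUNDLE = (
    pem_encode("PRIVATE KEY", der_encode(0x30, der_encode(0x02, b"\x00")))  # stand-in key
    + sample_cert("1.2.840.113549.1.1.11")  # leaf, SHA-256 signed
    + sample_cert("1.2.840.113549.1.1.5")  # intermediate, SHA-1 signed: the finding
)
```

Only the outer Certificate SEQUENCE is walked, so whatever sits inside tbsCertificate does not matter; a Java keystore would first have to be exported to PEM (keytool -exportcert -rfc) before it can be inspected this way.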




tomcat under aix has SSL certificate with a weak hash algorithm

2016-09-27 Thread Michael Mattes
Dear Tomcat users

I have the following problem: I am using tomcat 6.0.45 under aix 7.1
(7100-03-05-1524)

I got the below Finding and my question is how can I fix it (I have no
experience regarding how to handle SSL certificates):

1) Can I change something in a config file to fix it
2) or do I have to use a new certificate. If yes, how do I generate this new
certificate

Here is the description of the Finding:

An SSL certificate in the certificate chain has been signed using a weak hash 
algorithm.

Description :

The remote service uses an SSL certificate chain that has been signed using a 
cryptographically
weak hashing algorithm (e.g. MD2, MD4, MD5, or SHA1). These signature 
algorithms are known to be
vulnerable to collision attacks. An attacker can exploit this to generate 
another certificate
with the same digital signature, allowing an attacker to masquerade as the 
affected service.

Note that this plugin reports all SSL certificate chains signed with SHA-1 that 
expire after
January 1, 2017 as vulnerable. This is in accordance with Google's gradual 
sunsetting of the
SHA-1 cryptographic hash algorithm.




Michael Mattes
DevIT Boeblingen   Phone: +49-(0)7031-16-1609
E-mail: mmat...@de.ibm.com

IBM Germany Development Lab
Schoenaicher Str. 220, 71032 Boeblingen, Germany





Re: Tomcat APR protocol SSL certificate information.

2015-12-16 Thread Mark Thomas
On 16/12/2015 13:26, Nithesh Kb wrote:
> Got this mail!
> Does it mean we can use a keystore for the APR protocol using this new
> TC-native?

It needs changes on the Tomcat side as well. Those are currently only
available in the 9.0.x source tree. They will be included in the next
9.0.x release.

Mark







Re: Tomcat APR protocol SSL certificate information.

2015-12-16 Thread Nithesh Kb
Got this mail!
Does it mean we can use a keystore for the APR protocol using this new
TC-native?



Thanks,
Nithesh

On Wed, Dec 16, 2015 at 1:09 PM, Garcia Aparici, Carlos <cgapar...@indra.es>
wrote:

> In many of our tomcats we use the pfx directly on the connector. It's
> similar to a keystore


Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Nithesh Kb
HI,
I have built APR libraries, OpenSSL and tc-native; also I have created
openssl libraries. Both HTTP and HTTPS are working fine.

openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
cp server.key server.key.org
openssl rsa -in server.key.org -out server.key
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

I get server.crt and server.key.

I added this entry in the connector:

protocol="org.apache.coyote.http11.Http11AprProtocol"
SSLCertificateFile="/aa/server.crt"
SSLCertificateKeyFile="/aa/server.key"

If I do this much, it will work!!

But the question is, is it possible to put these two certificate files in a
keystore and can we add only that keystore in our connector?
something like, keystoreFile="/aa/tomcat.keystore"

I tried this but it didn't work:

http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore

Please help me to understand this certificate stuff.

Thanks,
Nithesh


Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread David Newman
When you use APR the SSL implementation is coming from openssl instead of
java.  openssl has no use for java keystore files.  So it becomes more like
an apache httpd config with separate files for keys and certificates.



Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Garcia Aparici, Carlos
In many of our tomcats we use the pfx directly on the connector. It's similar to
a keystore


Sent from Samsung Mobile



 Original message 
From: Nithesh Kb <nitheshk...@gmail.com>
Date: 15/12/2015 16:21 (GMT+01:00)
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat APR protocol SSL certificate information.


Thanks David, Thomas.
If my understanding is not wrong,
till tomcat version 8 we need to provide cert and key separately for
openssl ssl APR, like
(SSLCertificateFile="/aa/server.crt" SSLCertificateKeyFile="/aa/server.key")
But in tomcat 9 we can use a keystore to store cert and key and configure it in
the connector like keystoreFile="/aa/tomcat.keystore"

Thanks,
Nithesh

On Tue, Dec 15, 2015 at 8:40 PM, Mark Thomas <ma...@apache.org> wrote:

> On 15/12/2015 15:07, David Newman wrote:
> > When you use APR the SSL implementation is coming from openssl instead of
> > java.  openssl has no use for java keystore files.  So it becomes more
> like
> > an apache httpd config with separate files for keys and certificates.
>
> True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
> at some point) you can use Java keystores with OpenSSL.
>
> Mark
>
> >
> > On Tue, Dec 15, 2015 at 5:12 AM, Nithesh Kb <nitheshk...@gmail.com>
> wrote:
> >
> >> HI,
> >> I have built APR libraries, OpenSSL and tc-native; also I have created
> >> openssl libraries. Both HTTP and HTTPS are working fine.
> >>
> >> openssl genrsa -des3 -out server.key 2048
> >> openssl req -new -key server.key -out server.csr
> >> cp server.key server.key.org
> >> openssl rsa -in server.key.org -out server.key
> >> openssl x509 -req -days 365 -in server.csr -signkey server.key -out
> >> server.crt
> >>
> >> I get server.crt and server.key.
> >>
> >> I added this entry in the connector:
> >>
> >> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >> SSLCertificateFile="/aa/server.crt"
> >> SSLCertificateKeyFile="/aa/server.key"
> >>
> >> If I do this much, it will work!!
> >>
> >> But the question is, is it possible to put these two certificates in a
> >> keystore and can we add only that keystore in our connector?
> >> Something like keystoreFile="/aa/tomcat.keystore"
> >>
> >> I tried this but it didn't work:
> >>
> >> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
> >>
> >> Please help me to understand this certificate stuff.
> >>
> >> Thanks,
> >> Nithesh
> >>
> >
>
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>



This email and any file attached to it (when applicable) contain(s) 
confidential information that is exclusively addressed to its recipient(s). If 
you are not the indicated recipient, you are informed that reading, using, 
disseminating and/or copying it without authorisation is forbidden in 
accordance with the legislation in effect. If you have received this email by 
mistake, please immediately notify the sender of the situation by resending it 
to their email address.
Avoid printing this message if it is not absolutely necessary.


Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Mark Thomas
On 15/12/2015 15:07, David Newman wrote:
> When you use APR the SSL implementation is coming from openssl instead of
> java.  openssl has no use for java keystore files.  So it becomes more like
> an apache httpd config with separate files for keys and certificates.

True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
at some point) you can use Java keystores with OpenSSL.

Mark

> 
> On Tue, Dec 15, 2015 at 5:12 AM, Nithesh Kb  wrote:
> 
>> HI,
>> I have built APR libraries, OpenSSL and tc-native; also I have created
>> openssl libraries. Both HTTP and HTTPS are working fine.
>>
>> openssl genrsa -des3 -out server.key 2048
>> openssl req -new -key server.key -out server.csr
>> cp server.key server.key.org
>> openssl rsa -in server.key.org -out server.key
>> openssl x509 -req -days 365 -in server.csr -signkey server.key -out
>> server.crt
>>
>> I get server.crt and server.key.
>>
>> I added this entry in the connector:
>>
>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>> SSLCertificateFile="/aa/server.crt"
>> SSLCertificateKeyFile="/aa/server.key"
>>
>> If I do this much, it will work!!
>>
>> But the question is, is it possible to put these two certificates in a
>> keystore and can we add only that keystore in our connector?
>> Something like keystoreFile="/aa/tomcat.keystore"
>>
>> I tried this but it didn't work:
>>
>> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
>>
>> Please help me to understand this certificate stuff.
>>
>> Thanks,
>> Nithesh
>>
> 





Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Nithesh Kb
Thanks David, Thomas.
If my understanding is not wrong, till Tomcat version 8 we need to provide
cert and key separately for openssl SSL APR, like
(SSLCertificateFile="/aa/server.crt" SSLCertificateKeyFile="/aa/server.key")
but in Tomcat 9 we can use a keystore to store cert and key and configure it
in the connector like keystoreFile="/aa/tomcat.keystore"

Thanks,
Nithesh

On Tue, Dec 15, 2015 at 8:40 PM, Mark Thomas  wrote:

> On 15/12/2015 15:07, David Newman wrote:
> > When you use APR the SSL implementation is coming from openssl instead of
> > java.  openssl has no use for java keystore files.  So it becomes more
> like
> > an apache httpd config with separate files for keys and certificates.
>
> True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
> at some point) you can use Java keystores with OpenSSL.
>
> Mark
>
> >
> > On Tue, Dec 15, 2015 at 5:12 AM, Nithesh Kb 
> wrote:
> >
> >> HI,
> >> I have built APR libraries, OpenSSL and tc-native; also I have created
> >> openssl libraries. Both HTTP and HTTPS are working fine.
> >>
> >> openssl genrsa -des3 -out server.key 2048
> >> openssl req -new -key server.key -out server.csr
> >> cp server.key server.key.org
> >> openssl rsa -in server.key.org -out server.key
> >> openssl x509 -req -days 365 -in server.csr -signkey server.key -out
> >> server.crt
> >>
> >> I get server.crt and server.key.
> >>
> >> I added this entry in the connector:
> >>
> >> protocol="org.apache.coyote.http11.Http11AprProtocol"
> >> SSLCertificateFile="/aa/server.crt"
> >> SSLCertificateKeyFile="/aa/server.key"
> >>
> >> If I do this much, it will work!!
> >>
> >> But the question is, is it possible to put these two certificates in a
> >> keystore and can we add only that keystore in our connector?
> >> Something like keystoreFile="/aa/tomcat.keystore"
> >>
> >> I tried this but it didn't work:
> >>
> >> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
> >>
> >> Please help me to understand this certificate stuff.
> >>
> >> Thanks,
> >> Nithesh
> >>
> >
>
>
>
>


Re: How to Upgrade Java JDK 7 to JDK8 with Keystore SSL Certificate in Tomcat 7

2015-09-14 Thread Christopher Schultz

Ignacio,

On 9/10/15 6:01 PM, Ignacio Barragan wrote:
> I have Tomcat 7.0.42 on a Windows 2008R2 server.  I’m pretty new to
> Tomcat.
> 
> It uses Java JDK and is configured with a standard JSSE SSL
> certificate. How do I upgrade Java on an existing Tomcat server?
> All the documentation is for configuring new installations.

Generally, Tomcat doesn't care about the JVM installed -- it will use
whatever is there. But it may depend upon how you launch Tomcat. If
you are using a Windows Service to launch Tomcat, you'll need to point
the service at the new JVM.

> I can repeat the whole installation routine and install JDK in a
> new directory and go through the whole thing….create keystore,
> request new certificate etc. but that then I would have two
> certificates for the same machine?

You shouldn't need to do any of that at all. Java keystores are
compatible across all versions of Java, and Tomcat already knows where
the keystore is (right?). That Java keystore should be independent of
the JVM installation.

Can you post your <Connector> from server.xml, just to be sure?
Remember to remove any sensitive information like passwords, etc.

> Keytool has an export command, is that what this is for?  If anyone
> has experience in this and can guide me on the best pseudo code
> method to upgrade Java using keystore SSL on an existing Tomcat 7
> server, that would be great.
> 
> The same issue goes for upgrading from Tomcat 7.0.42 to Tomcat
> 7.0.64.   Do I do  a complete de-install and re-install of the new
> Tomcat version and repeat all the configurations or can you upgrade
> Tomcat in place from the same series version to another one?

I would highly recommend installing to a new directory. This will make
it much easier to "downgrade" if you need to for some reason.

- -chris




How to Upgrade Java JDK 7 to JDK8 with Keystore SSL Certificate in Tomcat 7

2015-09-10 Thread Ignacio Barragan
I have Tomcat 7.0.42 on a Windows 2008R2 server.  I’m pretty new to Tomcat.



It uses Java JDK and is configured with a standard JSSE SSL certificate.
How do I upgrade Java on an existing Tomcat server?  All the documentation
is for configuring new installations.



I can repeat the whole installation routine and install JDK in a new
directory and go through the whole thing….create keystore, request new
certificate etc. but that then I would have two certificates for the same
machine?



Keytool has an export command, is that what this is for?  If anyone has
experience in this and can guide me on the best pseudo code method to
upgrade Java using keystore SSL on an existing Tomcat 7 server, that would
be great.





The same issue goes for upgrading from Tomcat 7.0.42 to Tomcat 7.0.64.   Do
I do  a complete de-install and re-install of the new Tomcat version and
repeat all the configurations or can you upgrade Tomcat in place from the
same series version to another one?



Thank you.





Ignacio Barragan

SDSU Research Foundation

Computing Services

(619) 594-3290


FW: Issue in reading SSL certificate

2015-09-09 Thread Hirnya Kaushal
Dear,

 

I am facing a very peculiar issue with the SSL certificate for Tomcat7. I am
using Java 7 and Tomcat 1.7.075. and facing the below issue with the SSL
certificate. I have followed the below steps to generate the certificate and
apply same on server.xml.

 

Generated the CSR file by using the keytool on the server.

1)  $JAVA_HOME/bin/keytool  -genkey -alias server -keyalg RSA -keysize
2048 -keystore /opt/hirnya/mobileweyakae.jks

2)  $JAVA_HOME/bin/keytool -certreq -alias server -file
/opt/hirnya/csr.txt -keystore /opt/hirnya/mobileweyakae.jks

Shared my case file with CA provider and received back chain.p7b file. And
followed the below step to import the key tool (I tried 2 ways to apply the
same but the end results and the error on the tomcat logs are almost same.)

1.  Double click .p7b file on windows
2.  Expand the node certificates from the left side.
3.  On the right side the list of certificate occurred.
4.  Double click the required certificate to open it.
5.  Click the details tab.
6.  Click the "copy to file..." button
7.  click next
8.  select the 2nd format (Base-64 encoded X.509 (.CER))
9.  Enter the file name (As original file name). Please make sure the
file location (Directory)
10. Read the export wizard setting and then Press "Finish" button.
11. Repeat the same steps for all 3 certificates.

Then, transferred the all certificate on same path where I have generated
the csr file and imported the file with 2 different way. 

 

Steps of Process one applied:

Imported the files received from CA with below command and applied with all
files received from CA.

$JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file
/opt/hirnya/root.cer -keystore /opt/hirnya/mobileweyakae.jks

$JAVA_HOME/bin/keytool -import -trustcacerts -alias abc -file
/opt/hirnya/server.cer -keystore /opt/hirnya/mobileweyakae.jks

$JAVA_HOME/bin/keytool -import -trustcacerts -alias mobile -file
/opt/hirnya/mobile.cer -keystore /opt/hirnya/mobileweyakae.jks

 

Attached is the view of the certificates generated (crtifacate-process1.txt) and
the tomcat logs, and below is the configuration for SSL on tomcat.

 

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useURIValidationHack="false"
keystoreFile="/opt/hirnya/mobileweyakae.jks"
keystorePass="changeit" />
 

 

Steps of Process Two applied:

 

Exported the keystore to the pem file.

 

1)  $JAVA_HOME/bin/keytool -exportcert -rfc -file /opt/hirnya/server.pem
-keystore /opt/hirnya/mobileweyakae.jks -alias server

2)  Open the pem file with cat and added the other certificates received
from CA into the same file and generated the bundle.pem file, attached is
the file for reference. (this includes all the certificates)

3)  Then imported the certificates to the keytool with below command

$JAVA_HOME/bin/keytool -importcert -keystore /opt/hirnya/mobileweyakae.jks
-alias server -file /opt/hirnya/bundle.pem.
 
 
The certificate generated output is attached as certificate-process2.txt for
reference and the logs of the tomcat as well.

 

 

In both the case I am able to reach the https:// but receiving the security
error and only reading the self-generated key and not able to read the
imported key.

 

Attaching the generated key files(mobileweyakae.jks) and certificate
(hirnya.zip) as well for your reference.

 

Thanks in advance for your support.

 

 

Thanks & Regards,

Hirnya Garbh Kaushal,

MobiSoft Telesolutions(Altruist Group)

Mobile(Dubai,UAE): +971 564745875

Office(Dubai,UAE): +971 43261893

mobisoft

 


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: root
Creation date: Sep 6, 2015
Entry type: trustedCertEntry

Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Serial number: 2b9
Valid from: Fri May 12 22:46:00 GST 2000 until: Tue May 13 03:59:00 GST 2025
Certificate fingerprints:
 MD5:  AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
 SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
 SHA256: 
16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
 Signature algorithm name: SHA1withRSA
 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:3
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: E5 9D 59 30 82 47 58 CC   AC FA 08 54 36 86 7B 3A  ..Y0.GXT6..:
0010: B5 04 4D F0..M.
]
]



***
***


Alias name: mobile
Creation date: Sep 6, 2015
Entry type: trustedCertEntry

Owner: CN=mobile.weyak.ae, OU=Marketing, O=Etisalat, L=Abu Dhabi, ST=Abu Dhabi, 
C=AE
Issuer: CN=Cybertrust Public SureServer SV CA, O=Cybertrust Inc
Serial number: 1014ede39d478814690
Valid from: Thu Jul 30 13:1

Re: FW: Issue in reading SSL certificate

2015-09-09 Thread Christopher Schultz

Hirnya,

On 9/9/15 9:49 AM, Hirnya Kaushal wrote:
> I am facing a very peculiar issue with the SSL certificate for
> Tomcat7. I am using Java 7 and Tomcat 1.7.075. and facing the below
> issue with the SSL certificate. I have followed the below steps to
> generate the certificate and apply same on server.xml.
> 
> Generated the CSR file by using the keytool on the server.
> 
> 1)  $JAVA_HOME/bin/keytool -genkey -alias server -keyalg
> RSA -keysize 2048 -keystore /opt/hirnya/mobileweyakae.jks
> 
> 2)  $JAVA_HOME/bin/keytool -certreq -alias server -file 
> /opt/hirnya/csr.txt -keystore /opt/hirnya/mobileweyakae.jks

Good so far.

> Shared my case file with CA provider and received back chain.p7b
> file. And followed the below step to import the key tool (I tried 2
> ways to apply the same but the end results and the error on the
> tomcat logs are almost same.)
> 
> 1. Double click .p7b file on windows 2. Expand the node
> certificates from the left side. 3. On the right side the list of
> certificate occurred. 4. Double click the required certificate to
> open it. 5. Click the details tab. 6. Click the "copy to file...”
> button 7. click next 8. select the 2nd format (Base-64 encoded
> X.509 (.CER)) 9. Enter the file name (As original file name).
> Please make sure the file location (Directory) 10. Read the export
> wizard setting and then Press "Finish" button. 11. Repeat the same
> steps for all 3 certificates.
> 
> Then, transferred the all certificate on same path where I have 
> generated the csr file and imported the file with 2 different way.
> 
> 
> 
> Steps of Process one applied:
> 
> Imported the files received from CA with below command and applied
> with all files received from CA.
> 
> $JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file 
> /opt/hirnya/root.cer -keystore /opt/hirnya/mobileweyakae.jks

You might want to call this "Cybertrust root" or something like that,
in case you want to use more than one CA's root. It also helps
document what *you* think the certificate is.

> $JAVA_HOME/bin/keytool -import -trustcacerts -alias abc -file 
> /opt/hirnya/server.cer -keystore /opt/hirnya/mobileweyakae.jks

An alias like "Cybertrust intermediate" might have been a better name.

> $JAVA_HOME/bin/keytool -import -trustcacerts -alias mobile -file 
> /opt/hirnya/mobile.cer -keystore /opt/hirnya/mobileweyakae.jks

I see that you haven't imported any certificates with the alias
"server". When you import the signed certificate from the CA, you
should probably update the "server" cert instead of importing it under
a different alias. This may not be the problem, but it's the way I've
always done it.

> Attached is the view of the certificates generated
> (crtifacate-process1.txt) and the tomcat logs, and below is
> the configuration for SSL on tomcat.

Looks okay to me. There are 4 certs:

1. root   (Cybertrust's root cert)
2. mobile (your signed server certificate)
3. abc(Cybertrust's intermediate certificate)
4. server (the private key for the cert you want to create)

> <Connector protocol="org.apache.coyote.http11.Http11Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"  useURIValidationHack="false" 
> keystoreFile="/opt/hirnya/mobileweyakae.jks"
> keystorePass="changeit" />

You haven't specified an "alias" for the connector, so it uses the
first one in the keystore which is probably "root". That's not what
you want.

> Steps of Process Two applied:
> 
> Exported the keystore to the pem file.
> 
> 
> 
> 1)  $JAVA_HOME/bin/keytool -exportcert -rfc -file 
> /opt/hirnya/server.pem -keystore /opt/hirnya/mobileweyakae.jks
> -alias server
> 
> 2)  Open the pem file with cat and added the other
> certificates received from CA into the same file and generated the
> bundle.pem file, attached is the file for reference. (this includes
> all the certificates)
> 
> 3)  Then imported the certificates to the keytool with below
> command
> 
> $JAVA_HOME/bin/keytool -importcert -keystore 
> /opt/hirnya/mobileweyakae.jks -alias server -file
> /opt/hirnya/bundle.pem.
> 
> 
> 
> 
> 
> The certificate generated output is attached as
> certificate-process2.txt for reference and the logs of the tomcat
> as well.
> 
> 
> 
> In both the case I am able to reach the https:// but receiving the 
> security error and only reading the self-generated key and not able
> to read the imported key.

What is sho
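
The procedure these threads circle around (Nithesh's question of getting a PEM key and certificate into one keystore the connector can use, Carlos's PKCS12-on-the-connector approach, and Chris's points that the CA reply belongs in the existing "server" alias and that the connector must name that alias), as an added shell example that is not part of any message in the archive. It assumes the openssl CLI is on PATH; the working directory, password, CN and file names are constructed for the demo, and keytool is used only if it is installed.

```shell
#!/usr/bin/env bash
# Added example, not from any message in the archive: build a throw-away PKI
# with openssl, run the checks keytool applies implicitly when a CA reply is
# imported into the "server" alias, and pack key + CA reply + chain into ONE
# keystore entry that a Tomcat 8.5/9 connector selects with keyAlias.
# Assumes the openssl CLI is on PATH; work dir, password, CN and file names
# are constructed for the demo. keytool is used only if present.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # demo password, constructed

# Throw-away root CA, a server key and CSR, the CA's signed reply (mobile.cer
# in the thread) and the self-signed cert that keytool -genkey leaves under
# the "server" alias before any reply is imported.
make_test_pki() {  # make_test_pki <server CN>
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/server.csr" -CA "$WORK/root.cer" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/mobile.cer" 2>/dev/null
  openssl x509 -req -days 2 -in "$WORK/server.csr" -signkey "$WORK/server.key" \
    -out "$WORK/selfsigned.cer" 2>/dev/null
}

pubkey_digest_of_cert() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
pubkey_digest_of_key()  { openssl pkey -in "$1" -pubout | openssl sha256; }

# Does the certificate belong to this private key? keytool rejects a CA reply
# whose public key differs from the alias's key; this is the same test.
cert_matches_key() {  # cert_matches_key <cert> <key>
  [ "$(pubkey_digest_of_cert "$1")" = "$(pubkey_digest_of_key "$2")" ]
}

# Issuer equal to subject means self-signed: a "server" entry still holding
# such a cert never had the CA reply imported into it.
cert_is_self_signed() {  # cert_is_self_signed <cert>
  [ "$(openssl x509 -in "$1" -noout -subject)" = \
    "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=/subject=/')" ]
}

# Does the reply validate against the CA certificates we intend to trust?
cert_chains_to() { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }  # <cert> <ca file>

# One PKCS12 entry named "server" holding key, leaf and chain: the shape Tomcat
# wants, instead of the reply sitting as a trustedCertEntry under another alias.
build_pkcs12() {
  openssl pkcs12 -export -name server -inkey "$WORK/server.key" \
    -in "$WORK/mobile.cer" -certfile "$WORK/root.cer" \
    -passout "pass:$PASS" -out "$WORK/tomcat.p12"
}

fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# The certificate actually stored beside the private key. If this is not the
# CA reply, the connector keeps presenting the old self-signed certificate.
key_entry_fingerprint() {
  openssl pkcs12 -in "$WORK/tomcat.p12" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Optional: Tomcat reads PKCS12 directly (keystoreType="PKCS12"), but keytool
# can convert it when a setup insists on a .keystore in JKS format.
to_jks() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH, JKS skipped"; return 0; }
  keytool -importkeystore -srckeystore "$WORK/tomcat.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASS" -destkeystore "$WORK/tomcat.keystore" -deststoretype JKS \
    -deststorepass "$PASS" -noprompt 2>/dev/null
}

main() {
  make_test_pki "demo.example.test"
  cert_matches_key "$WORK/mobile.cer" "$WORK/server.key" \
    || { echo "CA reply was not issued for server.key" >&2; exit 1; }
  cert_is_self_signed "$WORK/selfsigned.cer" && echo "selfsigned.cer: no CA reply imported yet"
  cert_chains_to "$WORK/mobile.cer" "$WORK/root.cer" && echo "mobile.cer: chains to root.cer"
  build_pkcs12
  [ "$(key_entry_fingerprint)" = "$(fingerprint "$WORK/mobile.cer")" ] \
    && echo "key entry holds the CA reply, not the self-signed certificate"
  to_jks || echo "JKS conversion failed, PKCS12 is still usable" >&2
  # Matching connector attributes (JSSE or, on Tomcat 9, the OpenSSL engine):
  #   keystoreFile="$WORK/tomcat.p12" keystoreType="PKCS12"
  #   keystorePass="..." keyAlias="server"
  echo "keystore: $WORK/tomcat.p12, connector keyAlias=\"server\""
}
main "$@"
```

With the CA reply in place of the self-signed certificate and `keyAlias` set, the connector no longer falls back to whichever entry happens to come first in the keystore.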

Issue in reading SSL certificate

2015-09-08 Thread Hirnya Kaushal
Dear,

 

I am facing a very peculiar issue with the SSL certificate for Tomcat7. I am
using Java 7 and Tomcat 1.7.075. and facing the below issue with the SSL
certificate. I have followed the below steps to generate the certificate and
apply same on server.xml.

 

Generated the CSR file by using the keytool on the server.

1)  $JAVA_HOME/bin/keytool  -genkey -alias server -keyalg RSA -keysize
2048 -keystore /opt/hirnya/mobileweyakae.jks

2)  $JAVA_HOME/bin/keytool -certreq -alias server -file
/opt/hirnya/csr.txt -keystore /opt/hirnya/mobileweyakae.jks

Shared my case file with CA provider and received back chain.p7b file. And
followed the below step to import the key tool (I tried 2 ways to apply the
same but the end results and the error on the tomcat logs are almost same.)

1.  Double click .p7b file on windows
2.  Expand the node certificates from the left side.
3.  On the right side the list of certificate occurred.
4.  Double click the required certificate to open it.
5.  Click the details tab.
6.  Click the "copy to file..." button
7.  click next
8.  select the 2nd format (Base-64 encoded X.509 (.CER))
9.  Enter the file name (As original file name). Please make sure the
file location (Directory)
10. Read the export wizard setting and then Press "Finish" button.
11. Repeat the same steps for all 3 certificates.

Then, transferred the all certificate on same path where I have generated
the csr file and imported the file with 2 different way. 

 

Steps of Process one applied:

Imported the files received from CA with below command and applied with all
files received from CA.

$JAVA_HOME/bin/keytool -import -trustcacerts -alias root -file
/opt/hirnya/root.cer -keystore /opt/hirnya/mobileweyakae.jks

$JAVA_HOME/bin/keytool -import -trustcacerts -alias abc -file
/opt/hirnya/server.cer -keystore /opt/hirnya/mobileweyakae.jks

$JAVA_HOME/bin/keytool -import -trustcacerts -alias mobile -file
/opt/hirnya/mobile.cer -keystore /opt/hirnya/mobileweyakae.jks

 

Attached is the view of the certificates generated (crtifacate-process1.txt) and
the tomcat logs, and below is the configuration for SSL on tomcat.

 

<Connector protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" useURIValidationHack="false"
keystoreFile="/opt/hirnya/mobileweyakae.jks"
keystorePass="changeit" />
 

 

Steps of Process Two applied:

 

Exported the keystore to the pem file.

 

1)  $JAVA_HOME/bin/keytool -exportcert -rfc -file /opt/hirnya/server.pem
-keystore /opt/hirnya/mobileweyakae.jks -alias server

2)  Open the pem file with cat and added the other certificates received
from CA into the same file and generated the bundle.pem file, attached is
the file for reference. (this includes all the certificates)

3)  Then imported the certificates to the keytool with below command

$JAVA_HOME/bin/keytool -importcert -keystore /opt/hirnya/mobileweyakae.jks
-alias server -file /opt/hirnya/bundle.pem.
 
 
The certificate generated output is attached as certificate-process2.txt for
reference and the logs of the tomcat as well.

 

 

In both the case I am able to reach the https:// but receiving the security
error and only reading the self-generated key and not able to read the
imported key.

 

Attaching the generated key files(mobileweyakae.jks) and certificate
(hirnya.zip) as well for your reference.

 

Thanks in advance for your support.

 

 

Thanks & Regards,

Hirnya Garbh Kaushal,

MobiSoft Telesolutions(Altruist Group)

Mobile(Dubai,UAE): +971 564745875

Office(Dubai,UAE): +971 43261893

mobisoft

 


Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: root
Creation date: Sep 6, 2015
Entry type: trustedCertEntry

Owner: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Issuer: CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
Serial number: 2b9
Valid from: Fri May 12 22:46:00 GST 2000 until: Tue May 13 03:59:00 GST 2025
Certificate fingerprints:
 MD5:  AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
 SHA1: D4:DE:20:D0:5E:66:FC:53:FE:1A:50:88:2C:78:DB:28:52:CA:E4:74
 SHA256: 
16:AF:57:A9:F6:76:B0:AB:12:60:95:AA:5E:BA:DE:F2:2A:B3:11:19:D6:44:AC:95:CD:4B:93:DB:F3:F2:6A:EB
 Signature algorithm name: SHA1withRSA
 Version: 3

Extensions: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:3
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: E5 9D 59 30 82 47 58 CC   AC FA 08 54 36 86 7B 3A  ..Y0.GXT6..:
0010: B5 04 4D F0..M.
]
]



***
***


Alias name: mobile
Creation date: Sep 6, 2015
Entry type: trustedCertEntry

Owner: CN=mobile.weyak.ae, OU=Marketing, O=Etisalat, L=Abu Dhabi, ST=Abu Dhabi, 
C=AE
Issuer: CN=Cybertrust Public SureServer SV CA, O=Cybertrust Inc
Serial number: 1014ede39d478814690
Valid from: Thu Jul 30 13:1

failing final step to update ssl certificate for tomcat6

2015-06-12 Thread Dan Hyatt



I am trying to update my SSL certificate in tomcat.  The webserver keeps 
sending the old expired certificate
I am taking over from long gone admins with no config notes, but this 
should be straightforward.
The certificate authority support suggests there might be another 
configuration..but this is the only server.xml for the app


The best answer from the cert authority is that there is another 
keystore but the xml file points to  where my keystore is.


It passes all the tests except for the cert authorities final test.

I installed and verified the keystore
I restarted tomcat6
I believe the XML file says the keystore is 
keystoreFile=/opt/atlassian/confluence/conf/.keystore/  (see below)

Even though I changed the password, it is still reading the old key.

I am wondering if there is a stale certificate in memory. I cannot think 
of anything else.  If that be the case can I clear that without a reboot?



root@dvm7:/opt/atlassian/confluence/conf#server.xml

<Connector address="127.0.0.1" port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
   URIEncoding="UTF-8" keystorePass="dsgroot"
   keystoreFile="/opt/atlassian/confluence/conf/.keystore/" />




Re: failing final step to update ssl certificate for tomcat6

2015-06-12 Thread Christopher Schultz

Dan,

On 6/12/15 8:37 AM, Dan Hyatt wrote:
> I am trying to update my SSL certificate in tomcat.  The webserver
> keeps sending the old expired certificate I am taking over from
> long gone admins with no config notes, but this should be
> straightforward. The certificate authority support suggests there
> might be another configuration..but this is the only server.xml for
> the app
> 
> The best answer from the cert authority is that there is another 
> keystore but the xml file points to  where my keystore is.
> 
> It passes all the tests except for the cert authorities final
> test.
> 
> I installed and verified the keystore I restarted tomcat6 I believe
> the XML file says the keystore is 
> keystoreFile=/opt/atlassian/confluence/conf/.keystore/  (see
> below) Even though I changed the password, it is still reading the
> old key.
> 
> I am wondering if there is a stale certificate in memory. I cannot
> think of anything else.  If that be the case can I clear that
> without a reboot?

Assuming that you have restarted Tomcat successfully, a reboot should
not be necessary. You did restart Tomcat, right?

> root@dvm7:/opt/atlassian/confluence/conf#server.xml

Is that # symbol in the path a typo?

> <Connector address="127.0.0.1" port="8443"
> maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
> maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" acceptCount="100" scheme="https"
> secure="true" clientAuth="false" sslProtocol="TLS"
> SSLEnabled="true" URIEncoding="UTF-8" keystorePass="dsgroot"
> keystoreFile="/opt/atlassian/confluence/conf/.keystore/" />

Does your keystore not have a password? Not that it really matters,
but keystores typically have passwords.

What does this command show:

$ keytool -list -keystore /opt/atlassian/confluence/conf/.keystore

You might want to consider running your server against ssllabs's SSL
test and then modifying your cipher suites configuration. There are a
number of cipher suites that have been deemed problematic lately that
you'll want to disable. Unfortunately, since you are using a
JSSE-based TLS implementation (that Java one), you have to white-list
your ciphers and list them all, rather than black-listing the known
bad ones.

- -chris
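
The check behind Chris's questions above (did Tomcat really restart, and what is it actually serving?), as an added shell example that is not from the thread: it compares the certificate a live TLS listener presents with the one on disk and reports remaining validity, which separates "the renewed certificate never reached the keystore Tomcat reads" from "the listener still serves the old one". It assumes the openssl CLI is on PATH; the listener is a throw-away openssl s_server started by the script, and the certificates, port and CN are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: compare the certificate a live TLS
# listener presents with the one on disk and check its remaining validity.
# Assumes the openssl CLI is on PATH; the listener is a throw-away openssl
# s_server started here, and certificates, port and CN are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-$((20000 + $$ % 20000))}"
LISTENER_PID=""
trap '[ -n "$LISTENER_PID" ] && kill "$LISTENER_PID" 2>/dev/null || true' EXIT

# SHA-256 fingerprint of a PEM certificate on disk (the value keytool -list -v
# prints for the alias the connector uses).
file_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }

# SHA-256 fingerprint of the leaf certificate a live listener presents.
# -servername matters when one host serves several names (SNI). Run this
# against the connector port after every restart.
served_fingerprint() {  # served_fingerprint <host> <port>
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256
}

# Succeeds when the certificate stays valid for at least $2 more days.
valid_for_days() {  # valid_for_days <cert> <days>
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# Self-signed cert/key pair standing in for one keystore entry.
make_cert() {  # make_cert <name> <days>
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=demo.example.test" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Background listener on $PORT serving the named cert; waits until it answers.
start_listener() {  # start_listener <name>
  openssl s_server -accept "$PORT" -cert "$WORK/$1.crt" -key "$WORK/$1.key" -www \
    </dev/null >/dev/null 2>&1 &
  LISTENER_PID=$!
  for i in 1 2 3 4 5 6 7 8 9 10; do
    served_fingerprint 127.0.0.1 "$PORT" >/dev/null 2>&1 && return 0
    sleep 1
  done
  echo "listener did not come up on port $PORT" >&2
  return 1
}

main() {
  make_cert old 1      # what a stale listener keeps serving (expires soon)
  make_cert new 365    # the renewed certificate installed on disk
  start_listener old
  if [ "$(served_fingerprint 127.0.0.1 "$PORT")" = "$(file_fingerprint "$WORK/new.crt")" ]; then
    echo "listener presents the certificate from disk"
  else
    echo "MISMATCH: listener presents a different certificate than $WORK/new.crt"
  fi
  valid_for_days "$WORK/old.crt" 30 || echo "served certificate expires within 30 days"
}
main "$@"
```

A mismatch here means the running process is not reading the keystore you edited (another server.xml, another keystore path, or no real restart), whereas a match with an expired date means the keystore itself still holds the old entry.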




Re: I want to redirect the https traffic of apache to tomcat. Such that we can configure SSL certificate on each tomcat instance.

2013-09-21 Thread André Warnier

venkateswara Rao Akkireddy wrote:

Hi All

Hope every one is doing good!



Aim: I want to redirect the https traffic  of apache to tomcat. Such that
we can configure SSL certificate on each tomcat instance.



Please Help me on this ASAP


This is the kind of thing that you should probably avoid, on a help list that is staffed 
by volunteers.






1)  Configuration in /etc/httpd/conf/httpd.conf

Listen 174.132.121.115:80
Listen 174.132.121.115:443

JkWorkersFile conf/workers.properties
JkLogFile logs/mod_jk.log
JkShmFile /var/log/httpd/mod_jk.shm
JkWatchdogInterval 30
JkLogLevel info
JkLogLevel debug
JkExtractSSL On
JkHTTPSIndicator HTTPS

<VirtualHost 174.132.121.115:80>
ServerAdmin ramara...@mmgs.com
ServerName 174.132.121.115
JkMount / loadbalancer
JkMount /* loadbalancer
JkMount /status jkstatus
</VirtualHost>

<VirtualHost 174.132.121.115:443>
ServerName 174.132.121.115
JkMount / loadbalancerssl
JkMount /* loadbalancerssl
SetEnv JkHTTPSIndicator On
JkMount /status jkstatus
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
</VirtualHost>



*2)  **Configuration in /etc/httpd/conf/workers.properties*



worker.list=loadbalancer,jkstatus,loadbalancerssl



#Configuration to Show Status of Load balancer

worker.jkstatus.type=status



#Trippro BE Load Balancer Nodes



worker.tpbe1.type=ajp13

worker.tpbe1.host=174.132.121.115

worker.tpbe1.port=8023

worker.tpbe1.lbfactor=1

worker.tpbe1.socket_timeout=210



worker.tpbe2.type=ajp13

worker.tpbe2.host=174.132.121.115

worker.tpbe2.port=8028

worker.tpbe2.lbfactor=1

worker.tpbe2.socket_timeout=210



worker.tpbe1ssl.type=ajp13

worker.tpbe1ssl.host=174.132.121.115

worker.tpbe1ssl.port=8022

worker.tpbe1ssl.lbfactor=1

worker.tpbe1ssl.socket_timeout=210



worker.tpbe2ssl.type=ajp13

worker.tpbe2ssl.host=174.132.121.115

worker.tpbe2ssl.port=8027

worker.tpbe2ssl.lbfactor=1

worker.tpbe2ssl.socket_timeout=210



3)  Tomcat Configuration

a)  TBE1 Tomcat Instance Server.xml config

<!-- Define an AJP 1.3 Connector on port 8023  for http traffic-->
<Connector port="8023" address="174.132.121.115" protocol="AJP/1.3"
redirectPort="8022" />

<!-- Define an AJP 1.3 Connector on port 8024  for https traffic-->
<Connector port="8022"
protocol="AJP/1.3" maxThreads="500"
scheme="https" secure="true" SSLEnabled="true"
connectionTimeout="6"
proxyPort="443"
keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
keystorePass="Tr!pPro"
clientAuth="false" sslProtocol="TLS"/>

<Engine name="Catalina" defaultHost="TPBE1" jvmRoute="tpbe1">

b)  TBE2 Tomcat Instance Server.xml config

<!-- Define an AJP 1.3 Connector on port 8028 for http traffic-->
<Connector port="8028" address="174.132.121.115" protocol="AJP/1.3"
redirectPort="8027" />

<!-- Define an AJP 1.3 Connector on port 8024  for https traffic-->
<Connector port="8027" address="174.132.121.115"
protocol="AJP/1.3" maxThreads="500"
scheme="https" secure="true" SSLEnabled="true"
connectionTimeout="6"
proxyPort="443"
keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
keystorePass="Tr!pPro"
clientAuth="false" sslProtocol="TLS"/>

<Engine name="Catalina" defaultHost="TPBE2" jvmRoute="tpbe2">


One thing that you should know: the AJP protocol does not support SSL/HTTPS.
In other words, the communication between mod_jk and Tomcat is not encrypted. It is NOT
SSL or HTTPS, it is AJP, and there is no AJPS.
What AJP /can/ do, is to transport some information from httpd to Tomcat, about the
original browser-to-httpd HTTPS communication. That is the point of the Jk HTTPS and
SSL options, but nothing else.

Graphically:

(browser) -- HTTPS -- (httpd + mod_jk) -- AJP -- (Tomcat + AJP Connector)
               (1)                         (2)

(1) can be encrypted
(2) cannot be encrypted (*), but can transport HTTPS headers information from (1)

(*) except if you set up some kind of SSL tunnel there, but that would be outside of
httpd and Tomcat.




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
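The reply above makes the point that the httpd-to-Tomcat hop carries no TLS at all, whatever SSLEnabled and keystore attributes are placed on an AJP connector. As an added example that is not part of the thread, the following Python audit parses a server.xml (a constructed sample modelled on the TBE1 instance posted above, with the password replaced by a placeholder) and reports AJP connectors that carry TLS-only attributes or that listen on a non-loopback address.

```python
import ipaddress
import xml.etree.ElementTree as ET

# TLS settings only an HTTP/1.1 connector can honour; on AJP they are dead weight.
TLS_ONLY_ATTRS = ("SSLEnabled", "keystoreFile", "keystorePass",
                  "clientAuth", "sslProtocol")

def is_loopback(addr):
    """True if the bind address is loopback; an absent address means all interfaces."""
    if not addr:
        return False
    if addr.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit_ajp_connectors(server_xml):
    """Return (port, finding) tuples for every AJP connector in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not conn.get("protocol", "").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        # 1) There is no AJPS: keystore/SSLEnabled on an AJP connector encrypt nothing.
        bogus = [a for a in TLS_ONLY_ATTRS if a in conn.attrib]
        if bogus:
            findings.append((port, "TLS-only attributes have no effect on AJP: "
                             + ", ".join(bogus)))
        # 2) The httpd -> Tomcat hop is cleartext, so it should not face the network.
        if not is_loopback(conn.get("address")):
            findings.append((port, "AJP listener bound to non-loopback address "
                             f"{conn.get('address') or '*'}; this hop is unencrypted"))
    return findings

# Constructed sample modelled on the TBE1 instance in the thread (password replaced).
SAMPLE_SERVER_XML = """<Server>
  <Connector port="8023" address="174.132.121.115" protocol="AJP/1.3" redirectPort="8022"/>
  <Connector port="8022" protocol="AJP/1.3" scheme="https" secure="true" SSLEnabled="true"
             proxyPort="443" keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
             keystorePass="PLACEHOLDER" clientAuth="false" sslProtocol="TLS"/>
  <Connector port="8009" address="127.0.0.1" protocol="AJP/1.3"/>
</Server>"""

for port, message in audit_ajp_connectors(SAMPLE_SERVER_XML):
    print(f"port {port}: {message}")
```

The scheme and secure attributes are deliberately not flagged: on an AJP connector they are the legitimate way of telling Tomcat that the original browser request arrived over HTTPS.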



I want to redirect the https traffic of apache to tomcat. Such that we can configure SSL certificate on each tomcat instance.

2013-09-20 Thread venkateswara Rao Akkireddy
Hi All

Hope every one is doing good!



Aim: I want to redirect the https traffic  of apache to tomcat. Such that
we can configure SSL certificate on each tomcat instance.



Please Help me on this ASAP



1) Configuration in /etc/httpd/conf/httpd.conf

Listen 174.132.121.115:80
Listen 174.132.121.115:443

JkWorkersFile conf/workers.properties
JkLogFile logs/mod_jk.log
JkShmFile /var/log/httpd/mod_jk.shm
JkWatchdogInterval 30
JkLogLevel info
JkLogLevel debug
JkExtractSSL On
JkHTTPSIndicator HTTPS

<VirtualHost 174.132.121.115:80>
ServerAdmin ramara...@mmgs.com
ServerName 174.132.121.115
JkMount / loadbalancer
JkMount /* loadbalancer
JkMount /status jkstatus
</VirtualHost>

<VirtualHost 174.132.121.115:443>
ServerName 174.132.121.115
JkMount / loadbalancerssl
JkMount /* loadbalancerssl
SetEnv JkHTTPSIndicator On
JkMount /status jkstatus
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
</VirtualHost>



2) Configuration in /etc/httpd/conf/workers.properties

worker.list=loadbalancer,jkstatus,loadbalancerssl

#Configuration to Show Status of Load balancer
worker.jkstatus.type=status

#Trippro BE Load Balancer Nodes

worker.tpbe1.type=ajp13
worker.tpbe1.host=174.132.121.115
worker.tpbe1.port=8023
worker.tpbe1.lbfactor=1
worker.tpbe1.socket_timeout=210

worker.tpbe2.type=ajp13
worker.tpbe2.host=174.132.121.115
worker.tpbe2.port=8028
worker.tpbe2.lbfactor=1
worker.tpbe2.socket_timeout=210

worker.tpbe1ssl.type=ajp13
worker.tpbe1ssl.host=174.132.121.115
worker.tpbe1ssl.port=8022
worker.tpbe1ssl.lbfactor=1
worker.tpbe1ssl.socket_timeout=210

worker.tpbe2ssl.type=ajp13
worker.tpbe2ssl.host=174.132.121.115
worker.tpbe2ssl.port=8027
worker.tpbe2ssl.lbfactor=1
worker.tpbe2ssl.socket_timeout=210



3) Tomcat Configuration

a) TBE1 Tomcat Instance Server.xml config

<!-- Define an AJP 1.3 Connector on port 8023  for http traffic-->
<Connector port="8023" address="174.132.121.115" protocol="AJP/1.3"
           redirectPort="8022" />

<!-- Define an AJP 1.3 Connector on port 8024  for https traffic-->
<Connector port="8022"
           protocol="AJP/1.3" maxThreads="500"
           scheme="https" secure="true" SSLEnabled="true"
           connectionTimeout="6"
           proxyPort="443"
           keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
           keystorePass="Tr!pPro"
           clientAuth="false" sslProtocol="TLS"/>

<Engine name="Catalina" defaultHost="TPBE1" jvmRoute="tpbe1">

b) TBE2 Tomcat Instance Server.xml config

<!-- Define an AJP 1.3 Connector on port 8028 for http traffic-->
<Connector port="8028" address="174.132.121.115" protocol="AJP/1.3"
           redirectPort="8027" />

<!-- Define an AJP 1.3 Connector on port 8024  for https traffic-->
<Connector port="8027" address="174.132.121.115"
           protocol="AJP/1.3" maxThreads="500"
           scheme="https" secure="true" SSLEnabled="true"
           connectionTimeout="6"
           proxyPort="443"
           keystoreFile="/opt/certificates/star-trippro/trippro.keystore"
           keystorePass="Tr!pPro"
           clientAuth="false" sslProtocol="TLS"/>

<Engine name="Catalina" defaultHost="TPBE2" jvmRoute="tpbe2">
-- 
Best Regards
A.Venkateswara Rao
9246665067
Qualcomm INDIA PVT. LTD http://www.qualcomm.co.in/
Hyderabad


Re: SSL Certificate Help

2012-11-08 Thread Brian Burch

On 07/11/12 21:13, Alissa Schneider wrote:
> Hi - I'm a novice Tomcat user. I've only used the tool to support
> BusinessObjects. I recently was asked to set up SSL for the first time.
>
> Initially I created my own self-signed certificate and was able to get
> everything working fine, although I would get the 'certificate warning' error
> message when going to https://localhost:8443, but this was expected. Then my IT
> admin gave me a CA-signed certificate to use instead so we wouldn't get that
> warning.
>
> The problem I am having is that Tomcat still seems to be reading my old
> self-signed certificate instead of being pointed to the CA-signed certificate.
>
> Here are my environment specifics:
>
> * Windows 2008 R2 64-bit
> * Tomcat 6.0.24
> * IE 8
>
> Here are the steps I have taken thus far:
>
> * I deleted my original keystore that held my self-signed certificate.
> * I deleted the self-signed certificate.
> * I recreated the keystore.

Which will have generated a NEW public/private key pair.

> * I imported the CA-signed certificate.

But when did you generate the certificate request for this certificate?
Does it contain the SAME public key as in your new keystore?

> * I have an index.txt file that I deleted all the contents from so it
> is empty.
> * The server.xml file reflects the current keystore/pw information and
> the SSL lines have been uncommented.
>
> Still, when I visit https://localhost:8443, the browser throws a certificate warning.
> When I click on the certificate warning and view certificate, it displays information on
> my self-signed certificate (that I've deleted). I think if I could figure out how to make
> Tomcat point to the CA certificate instead of the old one, this would work for me.
> However, I'm not sure how to clear the Tomcat cache so to speak.
>
> I appreciate any help!







Re: SSL Certificate Help

2012-11-08 Thread Ognjen Blagojevic

Alissa,

On 7.11.2012 22:13, Alissa Schneider wrote:
> Here are the steps I have taken thus far:
>
> * I deleted my original keystore that held my self-signed certificate.
> * I deleted the self-signed certificate.
> * I recreated the keystore.
> * I imported the CA-signed certificate.
> * I have an index.txt file that I deleted all the contents from so it
> is empty.
> * The server.xml file reflects the current keystore/pw information and
> the SSL lines have been uncommented.
>
> Still, when I visit https://localhost:8443, the browser throws a certificate warning.
> When I click on the certificate warning and view certificate, it displays information on
> my self-signed certificate (that I've deleted). I think if I could figure out how to make
> Tomcat point to the CA certificate instead of the old one, this would work for me.
> However, I'm not sure how to clear the Tomcat cache so to speak.


Are you sure that the warning is the same? Perhaps the first warning was
about the certificate not being signed by a CA, and the second warning is about
something else?

Every (CA-signed or self-signed) certificate is issued for a specific
hostname. If the certificate hostname does not match the hostname from the browser
URL, the browser will issue a warning. Maybe that is the case here.

If your CA-signed certificate is bound to a hostname other than
localhost and you access your Tomcat server using the browser URL
https://localhost:8443, then the browser will issue a warning.

I believe not a single CA would sign a certificate for the loopback interface
hostname localhost, only for an FQDN like server.example.com.
Therefore, you should access your server using the FQDN which your
certificate is issued for.


-Ognjen




Re: SSL Certificate Help

2012-11-08 Thread Christopher Schultz

Brian,

On 11/8/12 4:39 AM, Brian Burch wrote:
> On 07/11/12 21:13, Alissa Schneider wrote:
>> * I recreated the keystore.
>
> Which will have generated a NEW public/private key pair.

+1

>> * I imported the CA-signed certificate.
>
> But when did you generate the certificate request for this
> certificate? Does it contain the SAME public key as in your new
> keystore?

Probably not.

My guess is that the keystore in question isn't the one being used by
Tomcat.

Alissa: please post your Connector configuration plus the path of
the keystore file you have been re-working.

-chris



