Chris,
> Am 28.01.2020 um 19:35 schrieb Christopher Schultz
> <ch...@christopherschultz.net>:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Peter,
>
> On 1/28/20 12:24 PM, Peter Kreuser wrote:
>>> Am 28.01.2020 um 18:02 schrieb Christopher Schultz
>>> <ch...@christopherschultz.net>:
>>>
>>> You have to say certificateKeystoreType="PKCS12" (for
>>> <Certificate>, or keystoreType="PKCS12" for <Connector>) as well
>>> in your config.
>>
>> You don‘t need that in the new SSLHostConfig, right? I don‘t have
>> that attribute and it works... ???
>
> I'd need to see your configuration, and know what type of keystore you
> are using.
>
<SSLHostConfig
hostName=„tomcat.x.xxx"
honorCipherOrder="true"
protocols="TLSv1.2+TLSv1.3"
ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
<Certificate
certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
P12 is created with
openssl pkcs12 -export -in tomcat.crt -inkey tomcat.key -certfile chain.pem
-out tomcat.p12 -name tomcat -CAfile ca.crt -caname root -passout pass:changeit
Seems to be valid and working ;-) .
Peter
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4wfw4ACgkQHPApP6U8
> pFhm5A//e0VNCvCklGGFfNNxNdamDuzbaZZ3e/aCQeW85dat+rsHZDZKrPgb5MYz
> 7nwjgxooe0TcvkaXzaB/pJGD21ImntWtiTl42MyvPXmZl0PXyXjRGA2/XcQj/Yji
> vTWyVKl1TiH5s0fiIZrQZ0M6lTfQ7T2eVnTzX5MjQwin9zDzRDPl77Dbatn57d4H
> heMY4GgS7XfHrH/EN5jJvU+vXOKI/bS61ujM28+A1dJnEECduIZbsTQTSDah903t
> X/09b8jqUTPJNAQLIfk5/KQS2arhP2Nsoplsy+8a/KOJisRLRWZpoSga4N/CBc3D
> CoslAJM1w+za6BV+xKuZSP795ZiuqF34jnb36LTOkiaXcCrKrm4B35ImvCtSOgYX
> FvC4NJq+t4f3AVnvNkqaN6ygJifveI4g86C46r8A40YUFSydbQoKiwrDUGvbN+jq
> 568014A/p7n0k4N48KPyVZmH8x8NwlBE3n0V4/KW1kXikGUDcyFOoXp+g+nMhRpV
> l/I9US8rrBnJbkIlZLOibxI5LzRQ0mqMmspHaqzkl7zGWnP3EwvI1KysgpkotJ+i
> shAaY5z1IWg6i5w1iZK/JzOkpixBBZR4ckMAanZXV5UQaW06Swkc81C4vfpJoNAO
> qZINTga45uXg2/Wt5xkNjkv9+P5KVnPiVb3YhtGH4b1wRaI9qaQ=
> =E1yB
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
