Chris, > Am 29.01.2020 um 16:59 schrieb Christopher Schultz > <ch...@christopherschultz.net>: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > Peter, > > On 1/28/20 6:02 PM, logo wrote: >>> <SSLHostConfig hostName=„tomcat.x.xxx" honorCipherOrder="true" >>> protocols="TLSv1.2+TLSv1.3" >>> ciphers="HIGH:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY13 > 05:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA > - -AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256 > :DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SH > A256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA > :ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:D > HE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AE > S256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256 > :AES128-SHA:AES256-SHA:!DSS"> >>> >>> > <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p > 12" >>> certificateKeystorePassword="changeit" >>> certificateKeyAlias="tomcat" type="RSA" /> </SSLHostConfig> >> >>> P12 is created with >> >>> openssl pkcs12 -export -in tomcat.crt -inkey tomcat.key -certfile >>> chain.pem -out tomcat.p12 -name tomcat -CAfile ca.crt -caname >>> root -passout pass:changeit >> >> >>> Seems to be valid and working ;-) . > > Hmm. What version of Java? Perhaps Java has gotten better about > detecting the type of keystore? Also, Tomcat respects the value of > - -Djavax.net.ssl.keyStoreType so if (a) you are explicitly setting it > to PKCS12 or (b) your Java version is doing that, then you don't need > to specify it, as it's the default.
openjdk 11.0.6+10-post-Debian-1 and no JAVA_OPTS for certs… > > - -chris > -----BEGIN PGP SIGNATURE----- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl4xq8sACgkQHPApP6U8 > pFiQoBAAh85sDX5Q0aSMLyU5wQCsP2CPrA0iiaLwiU/rZ4Xr38mn8xW1lKAodjX8 > enLvHnRsfvQk+spXtNCsN4W0lh1ZCt2Y9bkO44AtlsCMHTaCgx3XgzuXUSxmkg1+ > ZsNv0jEWqslI0MwEZIzs8tlPbEg3EydjSF8kXf5fcygxA50FfR1o1ysY0cJNO2Z2 > 1pJDdueZPy0TzBquVAX9b+d9ElZk8QeavSJ4H8lFkj9Mjdj4XeqevuT/VayJKe34 > hBrdCJfXgLh+xq251eMxjSSIxXC5B3tK0SE5IeyZyBxd5KBq4HmN8q/rJcWmvfMd > U+HUlvG0GugoodPnz2XklbJlW1J78uuhT81/sWp2PIiig7So/QSOJgpCuInJAdoh > wCaO1aZfYABxJSCbbZGEtT22ybilgA9rnocsuGjI5Wrxo3dBxzMQ9Y0QB56/bkEN > ZT2NnynXfEwVMlXqgnSqxga1hCW82wCfw8meZtye5Pc7QyvJDoEUqveakvNvjEIy > 3OminOdu6KuIEjcLy2OJLs2voBqDuZToOwg3xSYEq07pPapd9xqnKcRGihv4j6aQ > y5JZq+4oc0i4e286KB1OhDGposRcfWJfFWNSwk7ijKVlA6aAF/OfM9EAAlm3fWU7 > AkkpJslBQrxghCUhhPSrdUfNOCEQpHzOaCEUlyLRk1pY/52FGwQ= > =ANtK > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org