[Bug 64394] Windows Installer should offer an option to trust the certs in the Windows truststore
https://bz.apache.org/bugzilla/show_bug.cgi?id=64394

--- Comment #9 from Mark Thomas ---
That is an application configuration issue, not a Tomcat configuration issue.

I'd expect applications to be able to use explicit configuration rather than relying on system properties. Reliance on system properties can lead to situations where different components need different, incompatible, system properties.
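Added example, not part of the thread or of Tomcat's code: one way an application can do the explicit configuration comment #9 refers to, building its own SSLContext from the Windows root store instead of reading the javax.net.ssl.trustStoreType system property. The class and method names are hypothetical, and the Windows-ROOT keystore type is only available on a Windows JVM.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class (illustration only).
public class WindowsRootTrust {

    /** Trust managers backed by the Windows root store, not by cacerts. */
    static TrustManager[] windowsRootTrustManagers()
            throws GeneralSecurityException, IOException {
        // Provided by SunMSCAPI; on a non-Windows JVM this throws KeyStoreException.
        KeyStore roots = KeyStore.getInstance("Windows-ROOT");
        roots.load(null, null); // OS store: no file and no password
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(roots);
        return tmf.getTrustManagers();
    }

    /** SSLContext for outbound TLS that is independent of JVM-wide properties. */
    static SSLContext windowsRootContext() throws GeneralSecurityException, IOException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, windowsRootTrustManagers(), null); // no client key material
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        try {
            int issuers = 0;
            for (TrustManager tm : windowsRootTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    issuers += ((X509TrustManager) tm).getAcceptedIssuers().length;
                }
            }
            SSLContext ctx = windowsRootContext();
            // ctx.getSocketFactory() is what the component's TLS client is given.
            System.out.println(ctx.getProtocol() + " context trusting "
                    + issuers + " Windows root CAs");
        } catch (KeyStoreException e) {
            // Fail closed: do not silently fall back to a different trust store.
            System.err.println("Windows-ROOT keystore unavailable: " + e.getMessage());
        }
    }
}
```

Because the trust store is bound to this one SSLContext, other components in the same JVM keep whatever trust configuration they were given.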
[Bug 64394] Windows Installer should offer an option to trust the certs in the Windows truststore
https://bz.apache.org/bugzilla/show_bug.cgi?id=64394

--- Comment #8 from christoph.vonwitt...@bv.aok.de ---
Looks like specifying the trustStoreType in the server.xml won't work in our case.

I.e. when I set it in the server.xml in Confluence or Jira, I will get an error when using LDAPs or sending mail.

When I set the Java Option -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT for the tomcat process it works fine.
[Bug 64394] Windows Installer should offer an option to trust the certs in the Windows truststore
https://bz.apache.org/bugzilla/show_bug.cgi?id=64394

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #7 from Mark Thomas ---
You can see the updated text in the CI system:
https://ci.apache.org/projects/tomcat/tomcat9/docs/config/http.html#Key_store_types
[Bug 64394] Windows Installer should offer an option to trust the certs in the Windows truststore
https://bz.apache.org/bugzilla/show_bug.cgi?id=64394

--- Comment #6 from Michael Osipov ---
(In reply to Christoph.vonWittich from comment #2)
> 3) The use of the java truststore is not suitable in larger corporate
> environments because you have to manually add all your certificates manually
> (on each server).

I concur here. At my company, Java is prepackaged for Windows and rolled out globally with out Root and Intermediate CAs.
[Bug 64394] Windows Installer should offer an option to trust the certs in the Windows truststore
https://bz.apache.org/bugzilla/show_bug.cgi?id=64394

--- Comment #5 from christoph.vonwitt...@bv.aok.de ---
> When you add the TLS connector configuration to server.xml (which you are
> going to have to do anyway), simply use:
>
> truststoreType="Windows-ROOT"
>
> and don't set truststoreFile

Interesting... A hint in the documentation that this value is possible here would be helpful.
[Bug 64394] Windows Installer should offer an option to trust the certs in the Windows truststore
https://bz.apache.org/bugzilla/show_bug.cgi?id=64394

--- Comment #4 from Mark Thomas ---
1. Arguably not Tomcat's problem. That said, adding something to the TLS section of the HTTP/1.1 connector docs for truststoreType (and certificateKeystoreType) and/or the SSL How-To would probably reach a wider audience.

2. That is an issue with the upgrade process. See https://bz.apache.org/bugzilla/show_bug.cgi?id=64395#c3 for better ways to handle that.

3. No-one is suggesting that you use the Java trust store.

When you add the TLS connector configuration to server.xml (which you are going to have to do anyway), simply use:

truststoreType="Windows-ROOT"

and don't set truststoreFile

This has the advantage that the complete configuration for the TLS connector is explicitly defined in server.xml rather than partly in server.xml and partly via system properties.
[Bug 64394] Windows Installer should offer an option to trust the certs in the Windows truststore
https://bz.apache.org/bugzilla/show_bug.cgi?id=64394

--- Comment #3 from christoph.vonwitt...@bv.aok.de ---
> Including the trust store in that is trivial.

Using the Windows Truststore is trivial as it already contains all certificates we need. And it is updated automatically with Active Directory GPOs.

Using a separate java truststore would mean I have to manage this extra truststore and deploy it to many servers manually.
[Bug 64394] Windows Installer should offer an option to trust the certs in the Windows truststore
https://bz.apache.org/bugzilla/show_bug.cgi?id=64394

--- Comment #2 from christoph.vonwitt...@bv.aok.de ---
1) Many people do not know that a Java Option to trust certificates from the windows truststore exists

2) On every Tomcat Upgrade (Uninstall / Install again) all Java Options are lost because they are saved in the registry

3) The use of the java truststore is not suitable in larger corporate environments because you have to manually add all your certificates manually (on each server).
[Bug 64394] Windows Installer should offer an option to trust the certs in the Windows truststore
https://bz.apache.org/bugzilla/show_bug.cgi?id=64394

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Mark Thomas ---
Why?

System administrators are going to have to configure the rest of the TLS connector in server.xml. Including the trust store in that is trivial.