All,
On 5/27/20 08:18, Ian Brown wrote:
> I would suggest adding type="RSA" to your certificate elements.
> (As shown in Christopher's example & matching your set up). It
> defaults to UNDEFINED. Further, the Tomcat documentation talks
> about one certificate working, and two not working if TYPE is not
> defined.

Hmm, now this has me thinking.

If you have a single keystore and want to advertise both RSA and ECDSA-based server certificates, you'd have to do:

    <SSLHostConfig>
      <Certificate type="RSA"
                   certificateKeystoreFile="keystore.jks"
                   certificateKeyAlias="www.example.com.RSA" />
      <Certificate type="EC"
                   certificateKeystoreFile="keystore.jks"
                   certificateKeyAlias="www.example.com.ECDSA" />
    </SSLHostConfig>

If you had more config items like passwords, providers, etc., it would become even more verbose.

If I were configuring something like this myself, I might like to say (in English) "this keystore contains everything I need for www.example.com; load everything and do the right thing". Something like this:

    <SSLHostConfig hostName="example.com">
      <Certificates keystore="keystore.jks" />
    </SSLHostConfig>

This can work for PEM files, too, and it's how httpd does things: you just point SSLCertificateFile at a PEM file and it loads everything. The only (practical) difference between a keystore and a multi-certificate/key PEM file is that there are no "aliases" in a PEM file.

Each key knows its own type; there is no need to require the user to declare the encryption type.

We could even use the "hostName" from the <SSLHostConfig> element to ignore any certificates whose CN/SANs don't match the hostName, so we don't get confused if there are unrelated certificates in the keystore.

I think there is scope to improve things, here.
-chris
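The "load everything and do the right thing" behaviour sketched in the message above, worked through for the PEM case as an added example (this is not Tomcat code, nor anything from the thread's participants): a single PEM bundle holding an RSA key/cert and an EC key/cert for www.example.com plus an unrelated EC pair is parsed, each private key is classified by what it actually is (no type="..." attribute needed), keys are paired with their certificates by comparing SubjectPublicKeyInfo, and any certificate whose DNS SANs do not cover the configured host is skipped. The host name, the sample pairs and the self-signed certificates are all constructed here for the demonstration; matching is on exact DNS SAN entries only (no wildcard handling, no CN fallback), which is an assumption of this example. Requires the `cryptography` package.

```python
"""Select the RSA and EC certificate for one host from a multi-key PEM bundle."""
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa
from cryptography.x509.oid import NameOID

HOST = "www.example.com"  # stands in for the SSLHostConfig hostName (assumption)


def _self_signed(key, dns_name):
    """Throwaway self-signed certificate with a single DNS SAN (constructed test data)."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_name)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
        .sign(key, hashes.SHA256())
    )


def build_bundle():
    """Constructed sample input: RSA + EC pairs for HOST and an unrelated EC pair, all in one PEM."""
    pairs = [
        (rsa.generate_private_key(public_exponent=65537, key_size=2048), HOST),
        (ec.generate_private_key(ec.SECP256R1()), HOST),
        (ec.generate_private_key(ec.SECP256R1()), "other.example.net"),
    ]
    out = b""
    for key, dns in pairs:
        out += key.private_bytes(serialization.Encoding.PEM,
                                 serialization.PrivateFormat.PKCS8,
                                 serialization.NoEncryption())
        out += _self_signed(key, dns).public_bytes(serialization.Encoding.PEM)
    return out


def _blocks(pem):
    """Split a PEM bundle into its individual BEGIN/END blocks."""
    blocks, cur = [], []
    for line in pem.decode().splitlines():
        if line.startswith("-----BEGIN"):
            cur = [line]
        elif line.startswith("-----END"):
            cur.append(line)
            blocks.append("\n".join(cur).encode() + b"\n")
            cur = []
        elif cur:
            cur.append(line)
    return blocks


def _key_type(key):
    """The key object itself tells us whether it is RSA or EC."""
    if isinstance(key, rsa.RSAPrivateKey):
        return "RSA"
    if isinstance(key, ec.EllipticCurvePrivateKey):
        return "EC"
    raise ValueError("unsupported key type")


def _spki(pub):
    return pub.public_bytes(serialization.Encoding.DER,
                            serialization.PublicFormat.SubjectPublicKeyInfo)


def select_certificates(pem, host):
    """Return {"RSA": (key, cert), "EC": (key, cert)} for pairs whose DNS SANs include host."""
    keys, certs = [], []
    for blk in _blocks(pem):
        if b"PRIVATE KEY" in blk:
            keys.append(serialization.load_pem_private_key(blk, password=None))
        elif b"CERTIFICATE" in blk:
            certs.append(x509.load_pem_x509_certificate(blk))
    chosen = {}
    for cert in certs:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        if host not in san.get_values_for_type(x509.DNSName):
            continue  # unrelated certificate sharing the file: ignore it
        for key in keys:
            if _spki(key.public_key()) == _spki(cert.public_key()):
                ktype = _key_type(key)
                if ktype in chosen:
                    raise ValueError(f"more than one {ktype} certificate for {host}")
                chosen[ktype] = (key, cert)
    return chosen


if __name__ == "__main__":
    for ktype, (_, cert) in sorted(select_certificates(build_bundle(), HOST).items()):
        print(ktype, cert.subject.rfc4514_string())
```

Pairing by SubjectPublicKeyInfo rather than by file order or alias is what makes the bundle order-independent, which is the property the message attributes to httpd's SSLCertificateFile handling; raising on a second certificate of the same type for the same host is a deliberate choice here, since silently picking one would hide a misconfiguration.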