Thanks much for the follow-up. This thread is definitely going in my bookmarks!
On Mon, Aug 15, 2022 at 9:37 AM Russell Bateman <[email protected]> wrote:
> If you'll permit, I want to cap off this thread I started by a) thanking the
> many who contributed to it and b) summing up the solution I am using based
> on that help.
>
> Here are the command lines and germane instructions. For localhost below,
> substitute the DNS name (or, at least, /etc/hosts name) of the VM/hardware
> running Tomcat. Substitute your own password for "changeit" and modify any
> other details according to need.
>
> 1. Generate a keystore for Tomcat with certificate and key inside plus a
> subject alternative name (SAN)--crucial for the client's use.
>
>     keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
>         -dname "CN=tomcat" -ext san=dns:localhost -alias tomcat \
>         -keystore tomcat.jks -storepass changeit -keypass changeit
>
> 2. Inspect Tomcat's new keystore. You're looking to see the SAN.
>
>     keytool -list -v -keystore tomcat.jks -storepass changeit
>
> 3. Configure this keystore in Tomcat's conf/server.xml via a
> <Connector port="8443" ... /> definition.
>
>     <Connector port="8443" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                scheme="https"
>                secure="true"
>                SSLEnabled="true">
>         <SSLHostConfig>
>             <Certificate certificateKeyAlias="tomcat"
>                          certificateKeystoreFile="tomcat.jks"
>                          certificateKeystorePassword="changeit" />
>         </SSLHostConfig>
>     </Connector>
>
> 4. Get Tomcat's certificate "live." (Tomcat must be running with the new
> certificate.) In addition to getting the certificate, this should preserve
> the crucial SAN from step #1.
>
>     openssl s_client -connect localhost:8443 -showcerts </dev/null \
>         | openssl x509 -outform PEM > client.cer
>
> 5. Import that certificate into a keystore (that will be used in the
> client's trust store).
>
>     keytool -importcert -file client.cer -alias tomcat \
>         -keystore client-truststore.jks -keypass changeit \
>         -storepass changeit -noprompt
>
> 6. Verify the client's trust store. Again, you're looking to see the SAN.
>
>     keytool -list -v -keystore client-truststore.jks -storepass changeit
>
> The two artifacts to take away are tomcat.jks, for Tomcat's use, and
> client-truststore.jks, for the client's use.
>
> In the case of this thread, the "client" in question was Apache NiFi's
> InvokeHTTP and the configuration was done partly in that processor and
> partly in the accompanying SSLContextService (I used
> StandardRestrictedSSLContextService). Those configurations looked like
> this:
>
> InvokeHTTP:
>     HTTP URL: https://localhost:8443/servicename
>
> SSLContextService:
>     Truststore Filename: client-truststore.jks (this must be a full path
>                          in your filesystem)
>     Truststore Password: changeit
>     Truststore Type: JKS
>     TLS Protocol: TLS
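The six steps above carried through as one script. This is an added example for this page, not code from Russell's message or from the Tomcat or NiFi projects. HOST, PORT, STOREPASS, TLS_SETUP_STEP and the file names tomcat.jks, server.pem and client-truststore.jks are placeholders chosen here; it assumes keytool (from a JDK) and openssl 1.1.1 or later (for -verify_hostname) on the PATH. It departs from the steps in two places a practitioner will want: step 4 feeds s_client from /dev/null (otherwise it sits waiting on stdin after the handshake) and keeps only the first PEM block, the leaf certificate that carries the SAN; and the "look for the SAN" check of step 6 is replaced by an actual TLS handshake that trusts only the exported certificate and checks the host name against its SAN, which is the check a client's hostname verifier really performs (the CN is not consulted).

```shell
#!/bin/sh
# Added example: the keystore/truststore procedure from the thread as a script.
# Placeholders (assumptions): HOST, PORT, STOREPASS and the file names below.
# Needs keytool (JDK) and openssl 1.1.1+ (for -verify_hostname) on the PATH.

HOST="${HOST:-localhost}"
PORT="${PORT:-8443}"
STOREPASS="${STOREPASS:-changeit}"
SERVER_KEYSTORE="${SERVER_KEYSTORE:-tomcat.jks}"
SERVER_CERT_PEM="${SERVER_CERT_PEM:-server.pem}"
CLIENT_TRUSTSTORE="${CLIENT_TRUSTSTORE:-client-truststore.jks}"

# Keep only the first PEM certificate block on stdin. `openssl s_client
# -showcerts` prints handshake chatter plus the whole chain; the first block
# is the server's leaf certificate, the one that carries the SAN.
extract_first_cert() {
    awk '
        /-----BEGIN CERTIFICATE-----/ { if (!done) inside = 1 }
        inside { print }
        /-----END CERTIFICATE-----/ { if (inside) { inside = 0; done = 1 } }
    '
}

# Exit 0 if the PEM certificate in $1 lists DNS:$2 in its Subject Alternative
# Name. Hostname verification matches against the SAN; the CN is ignored.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/X509v3 Subject Alternative Name/ { getline; print }' \
        | grep -q -E "(^|[ ,])DNS:$2(,|\$)"
}

# Step 4, robustly: fetch the live leaf certificate into $1. stdin is
# /dev/null so s_client does not wait for input after the handshake.
fetch_server_cert() {
    openssl s_client -connect "$HOST:$PORT" -servername "$HOST" -showcerts \
        </dev/null 2>/dev/null | extract_first_cert > "$1"
    [ -s "$1" ] || { echo "no certificate received from $HOST:$PORT" >&2; return 1; }
}

# The real step 6: a handshake that trusts only the exported certificate and
# checks $HOST against its SAN, the checks the client's trust store and
# hostname verifier will apply.
verify_handshake() {
    openssl s_client -connect "$HOST:$PORT" -servername "$HOST" \
        -CAfile "$1" -verify_return_error -verify_hostname "$HOST" \
        </dev/null >/dev/null 2>&1
}

# Step 1: server keystore whose certificate carries the SAN (run on the Tomcat host).
make_server_keystore() {
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$HOST" -ext "san=dns:$HOST" -alias tomcat \
        -keystore "$SERVER_KEYSTORE" -storepass "$STOREPASS" -keypass "$STOREPASS"
    echo "created $SERVER_KEYSTORE; reference it from conf/server.xml and restart Tomcat"
}

# Steps 4 to 6: export, import as trust anchor, prove it works (run on the client side).
make_client_truststore() {
    fetch_server_cert "$SERVER_CERT_PEM" || return 1
    cert_has_dns_san "$SERVER_CERT_PEM" "$HOST" \
        || { echo "server certificate has no DNS:$HOST SAN; clients will reject it" >&2; return 1; }
    keytool -importcert -file "$SERVER_CERT_PEM" -alias tomcat \
        -keystore "$CLIENT_TRUSTSTORE" -storepass "$STOREPASS" -noprompt
    verify_handshake "$SERVER_CERT_PEM" \
        && echo "handshake with $HOST:$PORT verified; $CLIENT_TRUSTSTORE is ready"
}

# Select a phase with TLS_SETUP_STEP=server or TLS_SETUP_STEP=client.
case "${TLS_SETUP_STEP:-}" in
    server) make_server_keystore ;;
    client) make_client_truststore ;;
esac
```

Run it as TLS_SETUP_STEP=server sh tls-setup.sh on the Tomcat host, wire the keystore into conf/server.xml as in step 3 and restart, then TLS_SETUP_STEP=client HOST=<tomcat-host> sh tls-setup.sh on the NiFi side and point the SSLContextService at the resulting client-truststore.jks. Because the trust store pins this exact self-signed certificate rather than a CA, the client phase has to be repeated whenever the server certificate is regenerated, including when the 365-day validity runs out.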
