William,

On 11/14/16 7:18 PM, William Boyd wrote:
> First, I'd like to thank everyone for the help.
> 
> Is it now safe to say that the behaviour we've been taking
> advantage of is undocumented and will no longer be supported?
> 
> Also, for those that hit this thread and need to get HTTPS working
> with a *self-signed* certificate in a dev environment...
> 
> Here's what worked for me:
> 1. Copy %JAVA_HOME%\jre\lib\security\cacerts some place (say
>    C:\keystore)
> 2. Create a *self-signed* certificate with
>    %JAVA_HOME%\bin\keytool -genkeypair -keyalg RSA -alias myAlias -keystore "C:\keystore\keystore.jsk" -storepass changeit -validity 360 -keysize 2048 -dname CN=localhost,OU=OrgUnit,O=Org,L=City,ST=State,C=Country
> 3. Export the myAlias certificate with
>    %JAVA_HOME%\bin\keytool -export -alias myAlias -keystore C:\keystore\keystore.jsk -rfc -file C:\keystore\myAlias.cer
> 4. Import the myAlias certificate into your copy of cacerts with:
>    %JAVA_HOME%\bin\keytool -import -alias myAlias -keystore C:\keystore\cacerts -file C:\keystore\myAlias.cer
> 5. Add this to setclasspath.bat in tomcat:
>    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="C:\keystore\cacerts"
> 6. In server.xml, add these attributes to the Connector element
>    keystoreFile="C:\keystore\keystore.jsk" keystorePass="changeit"
>    keyAlias="myAlias" scheme="https" secure="true" SSLEnabled="true"
>    clientAuth="false" sslProtocol="TLS"
> 
> Now you should be good to go with HTTPS in Tomcat 8.5.5+

This is exactly what I suggested, except that you set the trust store
using a system property instead of using truststoreFile in the
<Connector>. You do not need to duplicate the JRE's trust store. You
only need your own single certificate in your local truststore.

Can you use keystoreFile and truststoreFile separately pointing to
those files and re-check that it works? Perhaps Tomcat chokes when
using the same file for both. That's what I'd like to verify.

-chris
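
The configuration the reply asks to be tested, written out as an added example that is not part of either message: the server key stays in keystoreFile, and truststoreFile points at a separate store holding only the exported certificate. The port, the protocol class and the truststore file name are assumptions.

```xml
<!--
  Added example, not from the thread. Assumptions: port 8443, the NIO
  protocol class, and the file name C:\keystore\truststore.jks.

  Build a truststore that holds only the exported certificate (step 3 of
  the quoted procedure), instead of a copy of the JRE's cacerts:

    %JAVA_HOME%\bin\keytool -import -noprompt -alias myAlias
        -keystore C:\keystore\truststore.jks -storepass changeit
        -file C:\keystore\myAlias.cer
-->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="C:\keystore\keystore.jsk"
           keystorePass="changeit"
           keyAlias="myAlias"
           truststoreFile="C:\keystore\truststore.jks"
           truststorePass="changeit" />
```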
