-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Don,
On 11/27/17 10:47 AM, Don Flinn wrote: > My previous mail was cryptic. Below is a fuller explanation of > what I did to get things running. > > First, I'm using Tomcat 9 and the protocol for the Tomcat 8.5 and > up has been expanded. Chris suggested that I use PKCS12 rather > than JDK keystore, which I have done. Actually, at this point, I'd be using the PEM-encoded DER files (just like httpd does) instead of a packaged cert/key bundle, just because I find those easier to deal with. > I'm also using the APR configuration. So redirected connector that > I'm using looks like: > > <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" > port="8443" maxThreads="150" SSLEnabled="true"> > > <SSLHostConfig> keystoreType="PKCS12" <Certificate > certificateKeyFile="C:/users/don/Security/domain.key" > certificateFile="C:/users/don/Security/domain-chain.crt" > certificateChainFile="C:/users/don/Security/ICDTrustRoot.crt" > type="RSA" /> </SSLHostConfig> > > </Connector> In fact, I think you are using PEM-encoded DER files and not a packaged keystore, even though your SSLHostConfig's keystoreType is set to "PKCS12". > The domain key is the private key I used when getting the > certificates from letsencrypt. The certificate I got from > letsencrypt I called domain-chain.crt. Lastly I downloaded the > ICDTrustRoot.crt from the letsencrypt at > https://letsencrypt.org/certificates. If you use a tool like certbot-auto (which may or may not be available for Windows), all of this is done automatically for you. > You will notice that I'm using Window's syntax, which is just for > the pathname where the certificates live. You would use a Linux > path syntax if you are running Linux. You need three certificates > for letsencrypt; a cert for your domain, one for the intermediate > and finally the root certificate. +1 > What I call domain-chain.crt holds two certificates; my domain > certificate and the intermediate. In order to see what these were > I separated them in a text editor and called them domaincert1.crt > and the second domaincert2.crt Then I used openssl to see what was > in them. For example: > > openssl x509 -noout -subject -issuer -in domaincert1.crt this > printed out subject= /CN=info.finwoks.com issuer= /C=US/O=Let's > Encrypt/CN=Let's Encrypt Authority X3 > > So that one was my domain cert issued by the letsencrypt > intermediate > > The second one certificate gave subject= /C=US/O=Let's > Encrypt/CN=Let's Encrypt Authority X3 issuer= /O=Digital Signature > Trust Co./CN=DST Root CA X3 > > which is the intermediate. I'll have to triple-check, but I believe you can put all certificates into a single file like you can do with httpd. Just make sure that your server's certificate (leaf) is listed first, then the intermediate certificate(s), then the root certificate. Usually you do not need to supply the root certificate since most clients should have the root certificates available already. Use SSL Labs' SSLTest[1] to help make sure you don't have too little or too much in your certificate. Too little and your clients will get trust errors. Too much and you'll be wasting bandwidth sending the root CA certificate to clients who don't need it. > I downloaded the certificates using the java program mentioned in > my previous e-mail. Depending on your particular setup, you can get > the four items using different methods. I would suggest that you > check what the various certificates contain by using the ssl > commands. I've also read that the order of the certificates should > be > > Your domain Intermediate Known Root > > So that's the order I used. A caution, in my reading I have found > some directions not to be accurate. If there's anything inaccurate on the Tomcat site, please post here. If there's anything inaccurate with the httpd site, please post to the httpd-users list ... or here if you are super lazy and maybe one of the lurking httpd committers will take care of the problem. - -chris -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQJRBAEBCAA7FiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlodo/YdHGNocmlzQGNo cmlzdG9waGVyc2NodWx0ei5uZXQACgkQHPApP6U8pFhuYQ//Tigpqew5deTYJQkv fQDyNFReS+G4jfv2RqX9a01xOVPTz3lvHjD3HbKnvSAMDf96fBkoF6WNNz7i0wEH hnbOw1ETh8AWDVrkyT1nQkqPOpYEGIP+me53q2d1FpSAtgjedHQQ4ccGDOlM2ygn fgtaKZ1fyvvNdqAnUw2vFE17UFQnkNsMpfG51l12GxJkd3HyxqQTXUd19qxqsqKg FhWvTdL4HYEyRF8U+8aNhyrOQvDFx0NKaP22YsHX3HuIEKknnOl9B+1QXx0WtwO0 G6txDUgS9bkU5vCZsdaJ+26BaMhGA+ndm+mGAOmmEjdLVNEHQUSxCxqYg5SO0Uby yY0pF4cXzyy8LJxtLuvTKAq4bxB0Pl/zpYmwq84+E7DB99m87kmRF3/2rdavfoQY Fz94kM8zK5+cJszh/Y7d14iRHBlSi8fxQxiZ7eIbHyE55cB9HP7RbG/AtN2Grlti qCsI8rX+KAYFohpjZVb4dz74SUjdtjVl7j+ZESQDdgR+HoMt9T199THOiSHb23OY ahGOtGdsA0QWOwfkfx+P+HlXyngRe60NFhn/mSSpKVbkfXsS0fP7H3xBjhWat0Uo AVkmuSXBS+DjNQiJR6pVcAfTZM5cBHnx/dmaCmdf/+cUWGhBjetBx5psRUisAwrI XzH0Rm64sFKBMBqw7DstT7Z6pgk= =DsYU -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
