Shawn,

On 6/27/18 1:27 PM, Shawn Heisey wrote:
> On 6/26/2018 11:42 AM, Mark Thomas wrote:
>> On 26/06/18 18:32, Cybulski, Adam M wrote:
>>> Can you aim me at a guide to this? The steps I've been
>>> following are just from whatever I've found online. Most of the
>>> articles seem pretty dated.
>> http://tomcat.apache.org/presentations.html
>> 
>> Look for the TLS generation presentation from the 2016 webinar
>> series.
> 
> I don't see anything in that presentation about pkcs12.  I see PEM
> for the APR connector and JKS for the java connectors.
> 
> Can Java programs like Tomcat use pkcs12 stores created by other
> tools? I know how to use openssl to create a pkcs12 file for
> software on Windows (typically for IIS, which is used by Exchange).
> I use a command like this:
> 
> openssl pkcs12 -export -in www.example.com.pem -inkey www.example.com.key \
>   -out examplecert.p12 -CAfile intermediate.pem

Tomcat doesn't do anything special with a keystore that any other
Java-based software might do. Theoretically, all keystore types
supported by Java are equivalent. All Tomcat does is call
KeyStore.getInstance(keystoreType) or whatever. The keystore type is
passed directly into the Java API.

I have recently been switching from JKS keystores to PKCS12 and I
haven't had any problems using openssl's pkcs12 command to manipulate
anything.

That being said, Java sometimes complains about things that really
shouldn't be a problem, such as having a keystore entry without an
alias (which is legal, and I believe openssl will let you do it). So
YMMV but you should be able to "correct" any of those issues with
another tool (e.g. openssl's pkcs12) and get it to work.

But Tomcat doesn't care.

-chris
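The alias fix mentioned in the reply above, as an added example that is not part of the original thread: it exports a PKCS12 file without a friendlyName (the attribute Java exposes as the entry alias), reads the alias back, and re-exports with `-name`. The function names, file names, alias and password are constructed for illustration.

```shell
#!/bin/sh
# Added example: throwaway key, certificate and password, all constructed.
# Usage sketch:  d=$(mktemp -d); make_p12 "$d"; p12_alias "$d/noalias.p12"
#                set_alias "$d/noalias.p12" "$d/tomcat.p12" tomcat

P12_PASS='changeit-example'   # constructed password; env: keeps it out of argv
export P12_PASS

# make_p12 DIR: self-signed test certificate exported to DIR/noalias.p12
# without -name, so the entry carries no friendlyName.
make_p12() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=www.example.com' \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/noalias.p12" -passout env:P12_PASS
}

# p12_alias FILE: print the friendlyName of each certificate entry
# (prints nothing when the entry has no alias).
p12_alias() {
    openssl pkcs12 -in "$1" -nokeys -passin env:P12_PASS 2>/dev/null |
        sed -n 's/^ *friendlyName: *//p'
}

# set_alias IN OUT ALIAS: re-export IN as OUT with ALIAS as the friendlyName.
# The intermediate PEM holds the private key unencrypted, so it is created
# by mktemp (mode 0600) and removed whether or not the export succeeds.
set_alias() {
    tmp=$(mktemp) || return 1
    rc=0
    {
        openssl pkcs12 -in "$1" -nodes -passin env:P12_PASS \
            -out "$tmp" 2>/dev/null &&
        openssl pkcs12 -export -in "$tmp" -name "$3" \
            -out "$2" -passout env:P12_PASS
    } || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

The resulting file is what Tomcat would load with the keystore type set to PKCS12; `keytool -list -storetype PKCS12 -keystore tomcat.p12` shows the same alias from the Java side.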
