James,
On 8/2/18 12:17 PM, James H. H. Lampert wrote:
> On 8/2/18, 9:05 AM, Venkataraman Srinivasan wrote:
>> I used below command to create certificate locally.
>>
>> $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA
>> -keystore /opt/tomcat/apache-tomcat-8.5.32/keystore
>
> Ok. Probably the first thing you need to do is set up your
> connector to use that keystore.

Thanks for your reply, James. I'm going to make a few adjustments to help newcomers as well as you use the correct terminology in a few places.

> If it's a Java Keystore, then presumably you will be using the
> native/JSSE connector; the other one is for OpenSSL.

Java actually supports a handful of keystore types. Common ones are JKS (the default up until Java 9, which is Java-specific), JCEKS (which is still Java-specific and somehow "more secure" but I don't understand how) and PKCS12, which is an industry standard.

OpenSSL can use PKCS12 keystores, but usually people use PEM-encoded DER files (the things that are a bunch of letters and numbers beginning with either "----BEGIN PRIVATE KEY----" or "----BEGIN CERTIFICATE----").

> And there are plenty of web resources explaining that process in
> detail. This is the one I keep bookmarked for reference:
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

This is a good one, but things have changed a bit for configuration for later versions of Tomcat. Tomcat 8.5 and later specifically have to have a different kind of configuration for SSL/TLS certificates, because of the use of Server Name Indication (SNI) to determine which certificate to show to the client when making a connection. Remember that the TLS handshake happens before the HTTP headers (including the "Host" header) can be delivered, and the server can host certificates for multiple domain names. SNI allows the TLS handshake to tell the server which hostname it intends to reach once the TLS handshake has completed and the HTTP conversation begins.
> Once you have the connector working, if you want your server to be
> trusted by strangers, then you need to get that keystore signed.

Technically, it's the certificate that gets signed, not the keystore.

> Using Keytool (or some other utility, like KeyStore Explorer on a
> Macintosh), you need to generate a Certificate Signing Request for
> your keystore.
>
> You would then choose a Certificate Authority, and buy a
> certificate. At some point in the process, you will be asked to
> upload the CSR. You might also be asked to provide some sort of
> proof that you have control over the domain.
>
> Once the certificate is issued, you would then import the reply

Which is a certificate itself. It's actually YOUR certificate, plus a signature that proves the CA signed it.

> along with one or more supporting certificates (collectively, a
> "certificate chain") into your keystore, again using either
> Keytool or some more user-friendly utility, and then plug the
> signed keystore into your server. The Certificate Authority, if
> it's a major one, will probably have detailed instructions specific
> to Tomcat.

They might. But there are a lot of options, so not every guide will be straightforward to use. If the Tomcat documentation can't help get things going, it needs to be updated.
-chris
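The flow discussed in this message (PKCS12 keystore instead of JKS, CSR, importing the CA reply plus chain, and the Tomcat 8.5+ SSLHostConfig that SNI selects by hostName), as an added shell example that is not part of the original thread or of Tomcat's own documentation. It assumes a JDK keytool on PATH; the hostname www.example.com, the organisation name, the keystore path, the alias "tomcat" and the password "changeit" are placeholders. It goes slightly beyond the thread by also putting the hostname in a Subject Alternative Name, which modern clients require for hostname matching.

```shell
#!/bin/sh
# Added example (not from the original thread): keytool + Tomcat 8.5+ TLS setup.
# Assumptions: keytool from a JDK is on PATH; hostname, organisation, paths,
# alias and password below are placeholders for illustration only.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEYSTORE="$WORKDIR/keystore.p12"
CSR="$WORKDIR/tomcat.csr"
STOREPASS="${STOREPASS:-changeit}"   # placeholder; use a real secret in production
HOSTNAME_FQDN="www.example.com"      # placeholder host
ALIAS="tomcat"

# Step 1: generate the key pair in a PKCS12 keystore (the industry-standard
# format) rather than the Java-only JKS. The SAN carries the hostname because
# modern clients ignore the CN when matching a certificate to a host.
make_keystore() {
    keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
        -storetype PKCS12 -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" \
        -dname "CN=$HOSTNAME_FQDN, O=Example Org, C=US" \
        -ext "SAN=dns:$HOSTNAME_FQDN"
}

# Step 2: the CSR is what is uploaded to the CA; the private key stays in the
# keystore. keytool writes it PEM-encoded with a "NEW CERTIFICATE REQUEST" header.
make_csr() {
    keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storetype PKCS12 \
        -storepass "$STOREPASS" -file "$CSR"
}

# Step 3 (once the CA has replied): import the intermediate/root chain first,
# then the reply under the key alias. Importing under the key alias replaces
# the self-signed certificate with the CA-signed one plus its chain.
import_signed_chain() {
    chain_pem="$1"; reply_pem="$2"
    keytool -importcert -noprompt -trustcacerts -alias ca-chain -file "$chain_pem" \
        -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS"
    keytool -importcert -noprompt -alias "$ALIAS" -file "$reply_pem" \
        -keystore "$KEYSTORE" -storetype PKCS12 -storepass "$STOREPASS"
}

# Step 4: Tomcat 8.5+ connector fragment for server.xml. The certificate sits
# under an SSLHostConfig keyed by hostName so Tomcat can pick it from the SNI
# extension; add one SSLHostConfig per virtual host. defaultSSLHostConfigName
# names the one used when a client sends no SNI or an unknown name.
tomcat_ssl_host_config() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" defaultSSLHostConfigName="$HOSTNAME_FQDN">
    <SSLHostConfig hostName="$HOSTNAME_FQDN" protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="$KEYSTORE"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="$STOREPASS"
                     certificateKeyAlias="$ALIAS"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
EOF
}

# Usage: make_keystore && make_csr && tomcat_ssl_host_config
# then, after the CA replies: import_signed_chain chain.pem reply.pem
```

The keystore password ends up in server.xml in clear text, so restrict that file's permissions to the Tomcat user; Tomcat's own docs note the same caveat for the older `keystorePass` attribute.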