John,

On 2/11/19 10:42, John Palmer wrote:
> I'm new to implementing APR/tc-native for SSL/TLS on Windows
> Server 2008R2, attempting to use tomcat 8.5.37 specifying PKCS12
> format in the SSLHostConfig/Certificate elements for the keystore
> and truststore. (I would prefer to drop the JKS format for several
> reasons) questions are: is this allowed?

Absolutely. And switching away from JCEKS/JKS files is a good idea.
They never should have existed in the first place.

> if so, what am I doing wrong?

:)

> ...while the old (tomcat 7) connector element format works very
> well... for example:
>
>   <Connector port="443"
>              protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>              maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>              keyAlias="FQDNservername" keystoreFile="C:\certs\servername.pfx"
>              keystorePass="password" keystoreType="PKCS12" clientAuth="true"
>              truststoreFile="C:\certs\truststore.pfx" truststoreType="PKCS12"
>              truststorePass="password">
>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>   </Connector>
>
> trying to use these .pfx files in the new 
> Connector/SSLHostConfig/Certificate elements doesn't work: (there's
> no equivalent to the ...Type attribute for certificateFile, 
> caCertificateFile, and the description for each says ..."The format
> is PEM-encoded." and no equivalent for the ...Password attribute
> for caCertificateFile).

You want to use certificateKeystoreType="PKCS12" and
certificateKeystoreFile="C:/certs/truststore.pfx". Don't use
backslashes. They will ruin your life. (But in this case, it should
not matter which kind of slash you use.)

I notice that you have another thread where you are trying to use
tcnative. If you are using tcnative with the APR connector, you cannot
use keystores such as the above. But you are specifically using the
NIO2 protocol, so you will be using the OpenSSL JSSE provider, so I
think you are okay.

> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
>   <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>   <SSLHostConfig certificateVerification="optional"
>                  caCertificateFile="C:\certs\trustStore.PFX">

Change to truststoreFile="C:/certs/trustStore.PFX".

>     <Certificate certificateKeyFile="C:\certs\servername.pfx"
>                  certificateKeyPassword="password" />

Change to certificateKeystoreFile and make sure to set
certificateKeystoreType="PKCS12". Also
certificateKeystorePassword="password".

>   </SSLHostConfig>
> </Connector>
> 

Hope that helps.

-chris
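For reference, the reply's two fixes applied to the posted config, as an added example rather than code from either message in the thread. Paths, alias and passwords are the placeholder values from the question; truststoreType, truststorePassword and certificateKeyAlias are assumed carried over from the Tomcat 7-style connector and are not named in the reply.

```xml
<!-- Added example: SSLHostConfig form of the connector, with the attribute
     names from the reply. Values are placeholders taken from the question. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <!-- certificateVerification="optional" is what the question posted;
         the old clientAuth="true" corresponds to "required", so keep
         "required" if clients must present a certificate. -->
    <SSLHostConfig certificateVerification="optional"
                   truststoreFile="C:/certs/trustStore.PFX"
                   truststoreType="PKCS12"
                   truststorePassword="password">
        <!-- A .pfx is a keystore, so use the certificateKeystore* attributes
             (certificateKeyFile/certificateKeyPassword expect PEM files). -->
        <Certificate certificateKeystoreFile="C:/certs/servername.pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="password"
                     certificateKeyAlias="FQDNservername" />
    </SSLHostConfig>
</Connector>
```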