On 2/9/22 13:41, wrote:
Could someone point me to a how to SSL configuration using cert and key generated using MS AD Cert server for internal use?

Assuming that "MS AD Cert Server" generates normal X.509 certificates, it shouldn't matter that you are using that particular tool.

What format is your certificate in once created? Note that you'll need both the private key and the certificate. If MS AD Cert Server doesn't trust you with the private keys, then you won't be able to use that tool.

I have attempted to follow examples in Tomcat docs, as well as examples found through internet searches.

I have attempted various configurations using either http11.Http11NioProtocol, or org.apache.coyote.http11.Http11AprProtocol connectors.

You shouldn't have to specify any specific connector. The defaults should be enough.

I have attempted this with OpenSSL and tcnative, using JSSE or OpenSSL.

I get a variety of different error messages.

I think we can be pretty agnostic for particular approach.

Am happy to provide the configurations I’ve tried and the resulting error messages.

I thought it might be better if I first was able to obtain an example.

It seems like it might be better than listing all configurations and errors. But am happy to do that as well.

These command should generate a key + certificate you should be able to use:

$ openssl ecparam -name prime256v1 -genkey -out server.key
$ openssl req -new -x509 -nodes -sha512 -key server.key -out server.crt -days 365

This will create an Elliptic-Curve key, unencrypted, and then generate a self-signed certificate using that key. Enter whatever you want when OpenSSL asks you all those questions, but the "CN" (or "Common Name") should be the hostname of the server you are configuring. For a real site, you'll want to make sure that the Subject Alternative Name (SAN) fields are specified correctly so browsers don't complain (these days, CN is essentially ignored and SAN is essentially required).

Anyhow, now you have two files. Configure your <Connector>:

<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
<Certificate certificateFile="server.crt" certificateKeyFile="server.key" />

This should be enough to get you started.

If the above doesn't work, please post whatever errors you get.


To unsubscribe, e-mail:
For additional commands, e-mail:

Reply via email to