Ivano,
On 5/28/25 4:17 AM, Ivano Luberti wrote:
Thanks for all the responses. I will try to be more clear.
My server.xml configuration contains a few SSLHostConfig configurations
like this:
<SSLHostConfig
hostName="host domain.it"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA">
<Certificate
certificateKeystoreFile="/etc/ssl/LetsEncrypt/host domain.it/host domain.it.pfx"
certificateKeystorePassword="passwrod"
certificateKeystoreType="PKCS12"
/>
</SSLHostConfig>
After certificate renewal, reloading the certificate is no concern.
But if I add (or remove) a new SSLHostConfig, Tomcat needs to be
restarted in order to take into account the new configuration.
I would like to know if there is a way to configure Tomcat so as to avoid
a restart.
Even using a different way to configure Tomcat outside of server.xml,
using a different certificate format or whatever.
Okay, so you don't mean reconfiguring an existing SSLHostConfig. You
mean adding a new one (or removing an old one).
You should connect to Tomcat using JMX to see all of the
remote-management capabilities it has. You are able to use JMX to create
SSLHostConfig settings on the fly, reconfigure connectors, etc. without
restarting the JVM.
-chris
On 28-May-25 09:49, Michael Osipov wrote:
On 2025/05/27 20:11:25 Ivano Luberti wrote:
Hi all, is there a way to configure Tomcat in order to avoid a restart
when I change the list of SSL certificates?
I know how to reload existing certificates, and I do it, but I'm
searching for a way to avoid reloading when I add or remove a certificate.
I'm using Tomcat 9, but I'm also looking for a solution in Tomcat 10 or 11.
RTFM: https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache/catalina/security/TLSCertificateReloadListener.html?
Works for me very well.
---------------------------------------------------------------------
To unsubscribe, e-mail:users-unsubscr...@tomcat.apache.org
For additional commands, e-mail:users-h...@tomcat.apache.org
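
As an added example (not code from anyone in this thread or from the Tomcat project), here is one way to follow the suggestion to connect over JMX and see which management operations a running instance exposes for SSLHostConfig. The service URL, port 9010 and the JMX_USER / JMX_PASS environment variables are assumptions; only standard javax.management calls are used, and no Tomcat operation name is assumed beyond a case-insensitive match on "sslhostconfig".

```java
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanParameterInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

public class ListSslHostConfigOps {
    public static void main(String[] args) throws Exception {
        // Assumption: the Tomcat JVM was started with a JMX/RMI connector on this port.
        String url = args.length > 0 ? args[0]
                : "service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi";

        // Assumption: credentials, if the connector requires them, come from the environment.
        Map<String, Object> env = new HashMap<>();
        String user = System.getenv("JMX_USER");
        if (user != null) {
            env.put(JMXConnector.CREDENTIALS,
                    new String[] {user, System.getenv("JMX_PASS")});
        }

        try (JMXConnector connector =
                 JMXConnectorFactory.connect(new JMXServiceURL(url), env)) {
            MBeanServerConnection mbs = connector.getMBeanServerConnection();

            // Walk every registered MBean and report operations that mention SSLHostConfig.
            for (ObjectName name : mbs.queryNames(null, null)) {
                for (MBeanOperationInfo op : mbs.getMBeanInfo(name).getOperations()) {
                    if (!op.getName().toLowerCase(Locale.ROOT).contains("sslhostconfig")) {
                        continue;
                    }
                    StringBuilder sig = new StringBuilder();
                    for (MBeanParameterInfo p : op.getSignature()) {
                        if (sig.length() > 0) sig.append(", ");
                        sig.append(p.getType());
                    }
                    System.out.printf("%s%n    %s %s(%s)%n",
                            name, op.getReturnType(), op.getName(), sig);
                }
            }
        }
    }
}
```

The printed object names and signatures are what a later `MBeanServerConnection.invoke` call would need; the same listing also shows what anyone who can reach the JMX port is able to change at runtime.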