Why do you need to add/remove a certificate?
Mark
On 03/06/2025 09:15, Ivano Luberti wrote:
Hi Mark, the only problem to solve is to avoid a restart upon adding/removal
of an SSL certificate.
On 29-May-25 09:38, Mark Thomas wrote:
On 29/05/2025 07:59, Ivano Luberti wrote:
Thanks Chris, yes that's what I tried to explain from the beginning,
sorry I wasn't clear enough.
To summarize: there is no solution out of the box, I have to develop
something.
I will look into that.
Just out of interest, what problem are you trying to solve? Depending
on the problem, there may be other solutions.
Mark
Thanks everyone
On 28-May-25 14:43, Christopher Schultz wrote:
Ivano,
On 5/28/25 4:17 AM, Ivano Luberti wrote:
Thanks for all the responses. I'll try to be clearer.
My server.xml configuration contains a few SSLHostConfig
configurations like this
<SSLHostConfig
    hostName="host domain.it"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA">
  <Certificate
      certificateKeystoreFile="/etc/ssl/LetsEncrypt/host domain.it/host domain.it.pfx"
      certificateKeystorePassword="passwrod"
      certificateKeystoreType="PKCS12"
      />
</SSLHostConfig>
After certificate renewal, reloading the certificate is no concern.
But if I add (or remove) a new SSLHostConfig, tomcat needs to be
restarted in order to take into account the new configuration.
I would like to know if there is a way to configure tomcat so as to
avoid a restart.
Even using a different way to configure tomcat outside of
server.xml using a different certificate format or whatever.
Okay, so you don't mean reconfiguring an existing SSLHostConfig. You
mean adding a new one (or removing an old one).
You should connect to Tomcat using JMX to see all of the
remote-management capabilities it has. You are able to use JMX to create
SSLHostConfig settings on the fly, reconfigure connectors, etc.
without restarting the JVM.
-chris
On 28-May-25 09:49, Michael Osipov wrote:
On 2025/05/27 20:11:25 Ivano Luberti wrote:
Hi all, is there a way to configure tomcat in order to avoid a restart
when I change the list of ssl certificates?
I know how to reload existing certificates, and I do it, but I'm
searching for a way to avoid reloading when I add or remove a
certificate.
I'm using Tomcat 9, but looking for a solution also in tomcat 10
or 11.
RTFM: https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache/catalina/security/TLSCertificateReloadListener.html?
Works for me very well.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
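Chris's point above, adding an SSLHostConfig to a live connector instead of editing server.xml and restarting, can also be done in-process through Tomcat's Connector API. The following is an added illustration, not code from the thread or from Tomcat's documentation; it assumes the caller already holds a reference to the running HTTPS Connector (for example from embedded Tomcat or a LifecycleListener), and the class and method names are hypothetical.

```java
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

/**
 * Hypothetical helper (not part of Tomcat) that registers a new SNI host on a
 * running HTTPS connector without restarting the JVM.
 */
public final class SslHostConfigAdder {

    private SslHostConfigAdder() {
    }

    /**
     * Adds a PKCS12-backed SSLHostConfig for {@code hostName} to {@code connector}.
     *
     * @param connector        the running HTTPS connector (assumed to be obtained
     *                         from embedded Tomcat or a LifecycleListener)
     * @param hostName         SNI host name the new certificate serves
     * @param keystorePath     PKCS12 file holding the host's key and chain
     * @param keystorePassword supplied by the caller (e.g. from a secret store)
     *                         rather than hard-coded as in server.xml
     * @return true if the host was added, false if it was already configured
     */
    public static boolean addHost(Connector connector, String hostName,
                                  String keystorePath, String keystorePassword) {
        // Duplicate host names are rejected by Tomcat, so check first; for a
        // renewed certificate on an existing host use reloadSslHostConfig instead.
        for (SSLHostConfig existing : connector.findSslHostConfigs()) {
            if (existing.getHostName().equalsIgnoreCase(hostName)) {
                return false;
            }
        }
        SSLHostConfig host = new SSLHostConfig();
        host.setHostName(hostName);

        // Mirrors the <Certificate> element of the server.xml snippet above.
        SSLHostConfigCertificate cert =
                new SSLHostConfigCertificate(host, SSLHostConfigCertificate.Type.UNDEFINED);
        cert.setCertificateKeystoreFile(keystorePath);
        cert.setCertificateKeystorePassword(keystorePassword);
        cert.setCertificateKeystoreType("PKCS12");
        host.addCertificate(cert);

        // On a started connector the SSLContext for this host is built now, so
        // clients sending this SNI name are served without a Tomcat restart.
        connector.addSslHostConfig(host);
        return true;
    }
}
```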