On Monday, 07.12.2009, 10:25 -0800, Vadim Letitchevski wrote:
> Bill.
> 
> I have followed the recommendations in that document but did not succeed.
> So I have a set of self-generated (using OpenSSL) credentials. OpenSSL server 
> and client work fine (connect) using these credentials with authentication 
> both ways.
> Following the instructions in 
> (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) I have done:
> 
> openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey 
> /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat -CAfile 
> /etc/pki/tls/cacert.pem -caname root -chain
> 
> I have used the password changeit.
> 
> Next I have edited server.xml to have these strings:
> 
>     <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
>     <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
Try to add
 keystoreType="pkcs12" truststoreType="pkcs12"
The default values for these are JKS. Look at
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html in the section "SSL
Support".

> 
>     <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
>     <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>                truststoreFile="conf/mycert.p12" truststorePass="changeit"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                scheme="https" secure="true"
>                clientAuth="true" sslProtocol="TLS" />
Same here.

bye
 Felix
> 
> Then I started the server and used Firefox trying to open https://localhost:8442 
> or https://localhost:8443 with no success (failed to connect page).
> Catalina log file shows "java.io.exception: Invalid keystore format."
> What have I done wrong?
> 
> Thanks 
> Vadim. 
> 
> -----Original Message-----
> From: news [mailto:n...@ger.gmane.org] On Behalf Of Bill Barker
> Sent: Friday, December 04, 2009 7:25 PM
> To: users@tomcat.apache.org
> Subject: Re: JSSE question
> 
> 
> "Vadim Letitchevski" <vletitchev...@teledyne.com> wrote in message 
> news:e17da276f9a0c84fad22739de29c389005dafc3...@entmail01.tad.teledyne.com...
> >I am confused. Can Tomcat use only a JKS keystore, or can it also use PEM 
> >or some other certificate storage?
> >
> 
> In the Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html),
> it shows how to use a PKCS12 keystore.  At some point that should be updated 
> to include an example for using a PKCS11 keystore.
> 
> The actual answer is that the JSSE Connector can use any keystore format that 
> is supported by your Java vendor.  In particular, with the Sun JVM, you can't 
> use PEM (however the APR Connector does use PEM).  However, it is usually 
> pretty easy to convert PEM to PKCS12 (see the link above for an example).
> 
> >
> > Thanks
> > Vadim.
> > (310)765-3812
> >
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
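A diagnostic for the "Invalid keystore format" failure discussed above, as an added example that is not part of this thread or of the Tomcat docs: it identifies a store's real format from its leading bytes (the JKS magic versus the DER PKCS#12 version integer) and reports SSL Connectors whose keystoreType or truststoreType (defaulting to JKS, with truststoreType defaulting to keystoreType) disagree with the file. The header bytes and the server.xml fragment are constructed.

```python
# Added example (not from the thread or the Tomcat docs): work out which
# keystoreType Tomcat needs from the store file's leading bytes, then flag
# SSL Connectors whose declared type does not match. Sample data is constructed.
import xml.etree.ElementTree as ET

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # Sun JKS keystore magic number

def detect_keystore_type(data: bytes) -> str:
    """Return the keystoreType value Tomcat would need for these bytes."""
    if data[:4] == JKS_MAGIC:
        return "JKS"
    # PKCS#12 PFX is DER: SEQUENCE { INTEGER version = 3, ... }
    if len(data) > 2 and data[0] == 0x30:
        off = 2 + (data[1] & 0x7F) if data[1] & 0x80 else 2  # skip length octets
        if data[off:off + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "UNKNOWN"  # e.g. PEM, which the JSSE connector cannot load

def check_connectors(server_xml: str, store_heads: dict) -> list:
    """(port, attribute, declared, actual) for each mismatch. store_heads maps
    a keystoreFile/truststoreFile path to that file's leading bytes."""
    findings = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        ks_type = c.get("keystoreType", "JKS")       # Tomcat's default
        ts_type = c.get("truststoreType", ks_type)   # defaults to keystoreType
        for path_attr, type_attr, declared in (("keystoreFile", "keystoreType", ks_type),
                                               ("truststoreFile", "truststoreType", ts_type)):
            path = c.get(path_attr)
            if path is None:
                continue
            actual = detect_keystore_type(store_heads[path])
            if declared.upper() != actual:
                findings.append((c.get("port"), type_attr, declared, actual))
    return findings

# Constructed PKCS#12 header: SEQUENCE (long-form length) { INTEGER 3 ... }
P12_HEAD = b"\x30\x82\x01\x23\x02\x01\x03\x30\x82\x01\x1a"
SERVER_XML = """<Server><Service>
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
  keystoreFile="conf/mycert.p12" keystorePass="changeit"
  truststoreFile="conf/mycert.p12" truststorePass="changeit"
  clientAuth="true" sslProtocol="TLS"/></Service></Server>"""

if __name__ == "__main__":
    for port, attr, declared, actual in check_connectors(SERVER_XML, {"conf/mycert.p12": P12_HEAD}):
        print(f'port {port}: {attr}={declared} but the file is {actual}; set {attr}="{actual.lower()}"')
```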