> -----Original Message-----
> From: Chris Arnold [mailto:carn...@electrichendrix.com]
> Sent: Saturday, October 26, 2013 7:47 PM
> To: Tomcat Users List
> Subject: Re: Secure Tomcat With SSL
> 
> >>Chris,
> 
> On 26.10.2013 23:39, Chris Arnold wrote:
> > Tomcat 7.0.42 on SLES11. I am following
> > http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration to
> > secure tomcat. I have uncommented the SSL HTTP section. The
> > configuration section of that doc, importing the certificate: I have a
> > Go Daddy bundle in crt format. I can download the cert bundle from Go
> > Daddy for tomcat but it also is a crt file. Do I have to run this exact
> > command:
> >
> > openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
> >                          -out mycert.p12 -name tomcat -CAfile myCA.crt \
> >                          -caname root -chain
> 
> >>It looks ok to me. Does it work for you?
> 
> It doesn't look like it will work as I do not have a CA file.
> 
> >>It will create PKCS#12 keystore file (mycert.p12), so you may:
> 
> >>1. add parameter keystoreType="pkcs12" to your HTTPS connector, and
> >>use that file, or
> >>2. convert PKCS#12 keystore to Java Keystore format,
> >>and use default keystore type (JKS).
> 
> >>Both are possible only if you plan to use either the BIO or NIO HTTP
> >>connector. If you plan to use APR, connector configuration is
> >>completely different.
> 
> Not sure what either of these are. I just need secure tomcat
> 

Chris,
If it turns out you are using APR, when you export your signed certificate and
CA-bundles, just specify that you want them for "apache" not "tomcat".  Then
you can reference the files directly in the server.xml.
If you are using the Java-based connectors, you should ask for "tomcat" signed
certificates, and I think you have to somehow combine them for use in the
keystore (it's been a long time since I did that, I'm APR only).
In other words, when you request a cert signed for "tomcat" at GoDaddy, it
really means a Java keystore compatible certificate. When you select "apache"
it really means an OpenSSL compatible certificate.
Jeff
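
The PKCS#12 route discussed in this thread, as an added example that is not part of any poster's message: it runs the same openssl pkcs12 command with the CA's bundle file passed as -CAfile, then checks that the keystore really contains the chain and that the key matches the certificate. The throwaway CA, all file names and the password "changeit" are constructed for the demo; with a real certificate, ca_bundle.crt would be the bundle downloaded from the CA.

```shell
#!/bin/sh
set -eu
PASS=changeit   # demo password (assumption); choose a strong one in practice

# Create a throwaway CA and a server certificate signed by it. These stand in
# for the CA bundle and the signed certificate returned by a real CA.
make_demo_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo CA" \
        -keyout "$dir/ca.key" -out "$dir/ca_bundle.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$dir/mykey.key" -out "$dir/my.csr" 2>/dev/null
    openssl x509 -req -in "$dir/my.csr" -days 1 \
        -CA "$dir/ca_bundle.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/mycert.crt" 2>/dev/null
}

# Command from the thread: -chain needs -CAfile to find and embed the issuers.
build_p12() {
    dir=$1
    openssl pkcs12 -export -in "$dir/mycert.crt" -inkey "$dir/mykey.key" \
        -out "$dir/mycert.p12" -name tomcat \
        -CAfile "$dir/ca_bundle.crt" -caname root -chain \
        -passout "pass:$PASS"
}

# Print how many certificates the keystore holds (server cert plus chain).
count_certs() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Succeed only if the private key belongs to the server certificate.
key_matches_cert() {
    dir=$1
    a=$(openssl x509 -in "$dir/mycert.crt" -noout -pubkey | openssl sha256)
    b=$(openssl pkey -in "$dir/mykey.key" -pubout | openssl sha256)
    [ "$a" = "$b" ]
}

tmp=$(mktemp -d)
make_demo_material "$tmp"
build_p12 "$tmp"
echo "certificates in keystore: $(count_certs "$tmp/mycert.p12")"
key_matches_cert "$tmp" && echo "private key matches certificate"
```

A count of 1 means the chain was left out and clients may fail to validate the server; the resulting mycert.p12 is the file the connector would reference with keystoreType="pkcs12".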
