In many of our tomcats we use the pfx directly on the connector. It's similar to a keystore.

Sent from Samsung Mobile

-------- Original message --------
From: Nithesh Kb <nitheshk...@gmail.com>
Date: 15/12/2015 16:21 (GMT+01:00)
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat APR protocol SSL certificate information.

Thanks David, Thomas.

If my understanding is not wrong. Till Tomcat version 8, we need to provide cert and key separately for openssl ssl APR, like (SSLCertificateFile="/aa/server.crt" SSLCertificateKeyFile="/aa/server.key")

But in Tomcat 9 we can use a keystore to store cert and key and configure it on the connector like keystoreFile="/aa/tomcat.keystore"

Thanks,
Nithesh

On Tue, Dec 15, 2015 at 8:40 PM, Mark Thomas <ma...@apache.org> wrote:

> On 15/12/2015 15:07, David Newman wrote:
> > When you use APR the SSL implementation is coming from openssl instead of
> > java. openssl has no use for java keystore files. So it becomes more like
> > an apache httpd config with separate files for keys and certificates.
>
> True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
> at some point) you can use Java keystores with OpenSSL.
>
> Mark
>
> > On Tue, Dec 15, 2015 at 5:12 AM, Nithesh Kb <nitheshk...@gmail.com> wrote:
> >
> >> Hi,
> >> I have built APR libraries Openssl and tc-native, also I have created
> >> openssl libraries. Both HTTP and HTTPS are working fine.
> >>
> >>     openssl genrsa -des3 -out server.key 2048
> >>     openssl req -new -key server.key -out server.csr
> >>     cp server.key server.key.org
> >>     openssl rsa -in server.key.org -out server.key
> >>     openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
> >>
> >> I get server.crt and server.key.
> >>
> >> I added this entry in the connector:
> >>
> >>     protocol="org.apache.coyote.http11.Http11AprProtocol"
> >>     SSLCertificateFile="/aa/server.crt"
> >>     SSLCertificateKeyFile="/aa/server.key"
> >>
> >> If I do this much, it will work!!
> >>
> >> But the question is, is it possible to put these two certificates in a
> >> keystore, and can we add only that keystore in our connector?
> >> Something like keystoreFile="/aa/tomcat.keystore"
> >>
> >> I tried this but it didn't work:
> >>
> >> http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore
> >>
> >> Please help me to understand this certificate stuff.
> >>
> >> Thanks,
> >> Nithesh
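
Added example, not part of the original thread and not Tomcat project code: one way to put a PEM certificate and key such as the server.crt / server.key discussed above into a single PKCS#12 (.pfx) file with openssl, then check that the key in the bundle really belongs to the certificate. The function names, the tomcat.p12 file name, the "tomcat" alias and the password are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example. File names, the alias "tomcat" and the password are constructed.

# Create a throwaway self-signed pair in directory $1, standing in for the
# server.crt / server.key from the thread (constructed sample input).
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=localhost" \
        -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
}

# bundle_pkcs12 CRT KEY OUT PASSFILE
# Write certificate and key into one password-protected PKCS#12 file.
# The password is read from a file so it never appears in the process list.
bundle_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -name tomcat \
        -out "$3" -passout "file:$4"
}

# verify_bundle P12 CRT PASSFILE
# Succeed only if the private key inside the bundle matches the certificate:
# both must yield the same public key.
verify_bundle() {
    from_cert=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    from_p12=$(openssl pkcs12 -in "$1" -nocerts -nodes -passin "file:$3" \
        2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_p12" ]
}

# End-to-end run in a private temporary directory.
demo() {
    umask 077    # key material readable by the owner only
    dir=$(mktemp -d) || return 1
    printf '%s\n' 'sample-password' > "$dir/pass"
    make_sample_pair "$dir" &&
        bundle_pkcs12 "$dir/server.crt" "$dir/server.key" \
            "$dir/tomcat.p12" "$dir/pass" &&
        verify_bundle "$dir/tomcat.p12" "$dir/server.crt" "$dir/pass"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo && echo "tomcat.p12 holds the key that matches server.crt"
```

With a real pair, call bundle_pkcs12 and verify_bundle directly on the existing files; the unencrypted server.key from the thread should stay readable only by the account that runs Tomcat.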