John Ellis
405.285.2500 office
http://biz-e.io
-----Original Message-----
From: l...@kreuser.name [mailto:l...@kreuser.name]
Sent: Tuesday, September 26, 2017 3:26 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup
John,
> Am 26.09.2017 um 21:26 schrieb John Ellis <john.el...@lsgsolutions.com>:
>
> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
> what Jira and/or Confluence would use so I did that and it worked fine on
> http port of 8080. I then edited the server.xml file again for the SSL port
> and got the same result as before; never gets to a webpage login using the
> secure port of 8443 but I can still get the webpage on port 8080. When I look
> at the Tomcat 8 Catalina log file I see several lines where it says-
> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
> googling that error and found a couple of posts saying to change from JKS to
> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA
> for the algorithm. Can someone provide me with the proper keytool commands
> that I need to use to create an SSL certificate for Tomcat?
>
> John Ellis
>
> 405.285.2500 office
>
>
We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride a
dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
So my setup is as follows:
server.xml:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11Nio2Protocol"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
allowTrace="false"
maxThreads="150"
SSLEnabled="true"
compression="off"
scheme="https"
server="Apache Tomcat"
secure="true"
defaultSSLHostConfigName=“ localhost” >
<SSLHostConfig
hostName="localhost"
honorCipherOrder="true"
certificateVerification="none"
protocols="TLSv1.2"
ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
<Certificate
certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
certificateKeystorePassword="changeit"
certificateKeyAlias="tomcat"
type="RSA" />
</SSLHostConfig>
</Connector>
https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
<https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl>
I use openssl to create the certs (as let’s encrypt for an official cert will
generate the same structure) and then convert to JKS:
openssl genrsa -aes256 -out server.key 4096 -subj
"/C=XX/ST=XX/L=XX/O=XX/CN=localhost"
openssl req -new -key server.key -out server.csr -sha512 -subj
"/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
#there is more to it to get SAN extensions, but that’s not necessary to get it
running
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out
server.crt # you may need your own ca and a signing-process to make this work
in all browsers
#Verify Server Cert
openssl x509 -in server.crt -text -noout
openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name
tomcat keytool -list -v -keystore jssecacerts -storepass changeit
Hope this helps for a start.
Regards
Peter
Peter I have never seen entries in the "</SSLHostConfig>" part of the
server.xml file. Does that have to be in there for SSL to work in Tomcat?
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
