Paul,

On 12/30/17 8:35 PM, Paul Beard wrote:
> I have a freshly installed and running tomcat7 instance with nginx
> but I would like to use the signed cert that I use with nginx for
> tomcat as well. I can’t make out how that works. Lots of HOWTOs on
> getting a LetsEncrypt cert but not about using an existing one. It
> looks like something to do with keytool importing a cert to its
> keystore but I can’t figure out what wants/where it is.

Have a look at my presentation from ApacheCon:

http://people.apache.org/~schultz/ApacheCon%20NA%202017/Let%27s%20Encrypt%20Apache%20Tomcat.pdf

In there, I detail how to put everything together. There is a script
that builds a Java keystore that Tomcat can use.

That script demonstrates how to take an existing key+certificate+chain,
convert it into a Java keystore and then make it active. The script
actually requests a renewal of the certificate from Let's Encrypt
(which may say "no renewal required") and then only re-builds the
keystore if the key/cert have actually changed. I think that should be
all you need.

Some of the information is out-of-date and doesn't mention Tomcat 8.5+
which can (a) use PEM-encoded DER files (instead of Java keystores...
the same kind of files that e.g. certbot produces) and (b) can re-load
TLS configuration if it changes.

Hope that helps,
-chris
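
An added example, not the script from the presentation and not code from either poster: a shell function that packages an existing key, certificate and chain (the PEM files nginx already uses) into a PKCS#12 file with openssl, which Java can load as a keystore, after checking that the key matches the certificate, and that rebuilds only when the inputs have changed. The function name, the `tomcat` alias, the `KEYSTORE_PASS` variable and the `.sha256` stamp file are assumptions, and the private key is assumed to be unencrypted.

```shell
#!/bin/sh
# Added example: build a PKCS#12 keystore for Tomcat from existing PEM files.
# build_keystore, the "tomcat" alias and the stamp file are assumed names.

# build_keystore KEY CERT CHAIN OUT
# The keystore password is read from the KEYSTORE_PASS environment variable.
# Returns 0 = keystore rebuilt, 1 = inputs unchanged, 2 = error.
build_keystore() {
    key=$1 cert=$2 chain=$3 out=$4
    stamp="$out.sha256"

    [ -n "${KEYSTORE_PASS:-}" ] || { echo "KEYSTORE_PASS not set" >&2; return 2; }
    export KEYSTORE_PASS   # openssl reads it through -passout env:
    for f in "$key" "$cert" "$chain"; do
        [ -r "$f" ] || { echo "cannot read $f" >&2; return 2; }
    done

    # Refuse to package a private key that does not belong to the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 2; }

    # Skip the rebuild when the inputs hash to the value recorded last time.
    new_sum=$(cat "$key" "$cert" "$chain" | openssl dgst -sha256) || return 2
    if [ -f "$out" ] && [ -f "$stamp" ] && [ "$(cat "$stamp")" = "$new_sum" ]; then
        return 1
    fi

    # Write with owner-only permissions to a temp file, then rename into
    # place so Tomcat never sees a half-written keystore.
    (
        umask 077
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name tomcat -passout env:KEYSTORE_PASS -out "$out.tmp" &&
        mv "$out.tmp" "$out" &&
        printf '%s\n' "$new_sum" > "$stamp"
    ) || { rm -f "$out.tmp"; return 2; }
    return 0
}
```

The resulting file is referenced from the Tomcat `Connector` with `keystoreFile`, `keystoreType="PKCS12"` and `keystorePass`; `keytool -importkeystore` can convert it to a JKS keystore if that format is preferred.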