On 02/03/2020 17:40, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote:
> Below are the two connector configs I have tested with.
>
> <Connector
> port="8443"
> scheme="https"
> secure="true"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> SSLEnabled="true"
> SSLCertificateFile="/auto/englearn-web/ssl_certificate/englearn.cer"
>
> SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/englearn.key"
> SSLCACertificateFile="/auto/englearn-web/ssl_certificate/chain.cer"
> (intermediate certs cat into pem format file)
> SSLCACertificatePath="/auto/englearn-web/ssl_certificate/"
> maxThreads="150"
> clientAuth="false"
> sslProtocol="TLSv1.2"
> />
>
> <Connector
> port="8443"
> scheme="https"
> secure="true"
> protocol="org.apache.coyote.http11.Http11AprProtocol"
> SSLEnabled="true"
> SSLCertificateFile="/auto/englearn-web/ssl_certificate/chain.cer"
> (server and intermediate certs cat into pem format file)
>
> SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/englearn.key"
> maxThreads="150"
> clientAuth="false"
> sslProtocol="TLSv1.2"
> />
>

The configurations above are not consistent with your original post that quoted the correct configuration attributes.

SSLCACertificateFile is for the certs you accept as issuers of client certificates.

You want SSLCertificateChainFile for the intermediate and root CA certs.

The version of Tomcat 7 you are using is coming up to 7 years old. The EOL for 7.0.x having just been announced for 31 March 2021, now might be a good time to think about upgrading to 9.x.

Mark
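
A small audit for the attribute mix-up described in the reply, added here as an example and not part of the original thread or of Tomcat itself. The `audit` function and both sample strings are constructed for illustration; `SSLVerifyClient` is the APR connector's own client-verification attribute and is checked alongside the `clientAuth` value used in the post.

```python
import xml.etree.ElementTree as ET

APR = "org.apache.coyote.http11.Http11AprProtocol"

# Constructed sample: the first connector quoted above, without the inline notes.
AS_POSTED = """<Server><Service name="Catalina">
  <Connector port="8443" scheme="https" secure="true"
    protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
    SSLCertificateFile="/auto/englearn-web/ssl_certificate/englearn.cer"
    SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/englearn.key"
    SSLCACertificateFile="/auto/englearn-web/ssl_certificate/chain.cer"
    SSLCACertificatePath="/auto/englearn-web/ssl_certificate/"
    maxThreads="150" clientAuth="false" sslProtocol="TLSv1.2"/>
</Service></Server>"""

# Constructed sample: same connector with chain.cer moved to SSLCertificateChainFile.
AS_ADVISED = (AS_POSTED
    .replace('SSLCACertificateFile=', 'SSLCertificateChainFile=')
    .replace('SSLCACertificatePath="/auto/englearn-web/ssl_certificate/"', ''))

def audit(server_xml):
    """Return (port, message) findings for APR TLS connectors in a server.xml string."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        a = conn.attrib
        if a.get("protocol") != APR or a.get("SSLEnabled", "false").lower() != "true":
            continue
        port = a.get("port", "?")
        # The reply: intermediate and root CA certs belong in SSLCertificateChainFile.
        if "SSLCertificateChainFile" not in a:
            findings.append((port, "no SSLCertificateChainFile for the intermediate/root CA certs"))
        # The reply: SSLCACertificateFile names accepted issuers of client certificates.
        ca = [k for k in ("SSLCACertificateFile", "SSLCACertificatePath") if k in a]
        wants_client_certs = (a.get("clientAuth", "false").lower() != "false"
                              or a.get("SSLVerifyClient", "none").lower() != "none")
        if ca and not wants_client_certs:
            findings.append((port, ", ".join(ca) + " set while client certs are not requested; "
                             "these list client-cert issuers, not the server chain"))
    return findings

if __name__ == "__main__":
    for label, xml in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        print(label, audit(xml) or "ok")
```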