Thank you. "You want SSLCertificateChainFile for the intermediate and root CA 
certs" was the issue. The intermediate and root certs are now being pulled in.

-John 

-----Original Message-----
From: Mark Thomas <ma...@apache.org> 
Sent: Tuesday, March 3, 2020 2:01 AM
To: users@tomcat.apache.org
Subject: Re: OpenSSL config for Tomcat 7

On 02/03/2020 17:40, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK 
INFORMATION INC at Cisco) wrote:
> Below are the two connector configs I have tested with.
> 
> <Connector
>     port="8443"
>     scheme="https"
>     secure="true"
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     SSLEnabled="true"
>     SSLCertificateFile="/auto/englearn-web/ssl_certificate/englearn.cer"
>     SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/englearn.key"
>     SSLCACertificateFile="/auto/englearn-web/ssl_certificate/chain.cer"
>         (intermediate certs cat into pem format file)
>     SSLCACertificatePath="/auto/englearn-web/ssl_certificate/"
>     maxThreads="150"
>     clientAuth="false"
>     sslProtocol="TLSv1.2"
> />
> 
> <Connector
>     port="8443"
>     scheme="https"
>     secure="true"
>     protocol="org.apache.coyote.http11.Http11AprProtocol"
>     SSLEnabled="true"
>     SSLCertificateFile="/auto/englearn-web/ssl_certificate/chain.cer"
>         (server and intermediate certs cat into pem format file)
>     SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/englearn.key"
>     maxThreads="150"
>     clientAuth="false"
>     sslProtocol="TLSv1.2"
> />
> 

The configurations above are not consistent with your original post that quoted 
the correct configuration attributes.

SSLCACertificateFile is for the certs you accept as issuers of client 
certificates.

You want SSLCertificateChainFile for the intermediate and root CA certs.

The version of Tomcat 7 you are using is coming up to 7 years old. The EOL for 
7.0.x having just been announced for 31 March 2021, now might be a good time to 
think about upgrading to 9.x.

Mark
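
The attribute mix-up Mark describes (SSLCACertificateFile names trusted issuers of client certificates, SSLCertificateChainFile carries the server's intermediate/root chain) is easy to lint for. The script below is an added example, not code from the thread or from Tomcat; it checks a Tomcat 7 APR/OpenSSL <Connector> for exactly that mistake, using constructed copies of the first posted config and of the corrected form as sample input.

```python
# Added example (not from the thread): lint a Tomcat 7 APR/OpenSSL <Connector>
# for the chain-file mix-up discussed above. Sample configs are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, List

# Attributes whose job is to name trusted issuers of *client* certificates.
CLIENT_CA_ATTRS = ("SSLCACertificateFile", "SSLCACertificatePath")

def lint_connector(connector_xml: str) -> List[str]:
    """Return findings for one <Connector> element (empty list = looks right)."""
    attrs: Dict[str, str] = ET.fromstring(connector_xml).attrib
    findings: List[str] = []
    if attrs.get("SSLEnabled", "false").lower() != "true":
        return ["SSLEnabled is not true: the SSL* attributes are ignored on this connector"]
    for required in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if not attrs.get(required):
            findings.append(f"{required} missing: server certificate and private key are both required")
    if not attrs.get("SSLCertificateChainFile"):
        findings.append("SSLCertificateChainFile missing: intermediate/root CA certs are not sent, "
                        "so clients that do not already hold the intermediate cannot build a chain")
    # clientAuth defaults to false; any other value means client certs are requested.
    client_auth = attrs.get("clientAuth", "false").lower() != "false"
    has_client_ca = any(attrs.get(k) for k in CLIENT_CA_ATTRS)
    if has_client_ca and not client_auth:
        findings.append("SSLCACertificateFile/Path set with clientAuth=false: these name issuers of "
                        "client certificates and do not supply the server chain")
    if client_auth and not has_client_ca:
        findings.append("clientAuth requests client certificates but no SSLCACertificateFile/Path "
                        "names the issuers to validate them against")
    return findings

# Constructed samples: the first attempt from the thread, and the corrected form.
WRONG = """<Connector port="8443" scheme="https" secure="true"
    protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
    SSLCertificateFile="/auto/englearn-web/ssl_certificate/englearn.cer"
    SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/englearn.key"
    SSLCACertificateFile="/auto/englearn-web/ssl_certificate/chain.cer"
    SSLCACertificatePath="/auto/englearn-web/ssl_certificate/"
    clientAuth="false" sslProtocol="TLSv1.2"/>"""
FIXED = """<Connector port="8443" scheme="https" secure="true"
    protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
    SSLCertificateFile="/auto/englearn-web/ssl_certificate/englearn.cer"
    SSLCertificateKeyFile="/auto/englearn-web/ssl_certificate/englearn.key"
    SSLCertificateChainFile="/auto/englearn-web/ssl_certificate/chain.cer"
    clientAuth="false" sslProtocol="TLSv1.2"/>"""

if __name__ == "__main__":
    for name, cfg in (("wrong", WRONG), ("fixed", FIXED)):
        print(name, lint_connector(cfg) or ["ok"])
```

The chain file itself is built the way the thread describes (intermediate and root PEM certs concatenated, leaf excluded); this lint only checks which attribute it is wired to.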

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
