Daniel,

On 8/28/20 20:46, Daniel Savard wrote:
> On Fri, Aug 28, 2020 at 17:19, Darryl Philip Baker <
> darryl.ba...@northwestern.edu> wrote:
>
>> I am having an issue that I don’t understand. On RHEL6/CentOS
>> and earlier my predecessors would put self-signed certificates
>> they wanted to trust in /etc/pki/ca-trust/extracted/java/cacerts
>> and it was good for the life of the machine. On RHEL7, and I
>> assume CentOS7, that file is part of a package that is getting
>> updated as part of the regular patches. That wipes out our
>> self-signed certificates. The way I understand the directions
>> from Red Hat we should put the certificate in PEM format in the
>> directory /etc/pki/ca-trust/source/anchors and run
>> update-ca-trust extract and that will update all the
>> appropriate files, including the cacerts file. That does not seem
>> to happen. What is the proper way of handling self-signed
>> certificates you want Tomcat to trust?
>>
>> Off topic but you are folks who might know: On a related note I
>> have the same issue with Java applications not running in Tomcat
>> that use the same file /etc/pki….java/cacerts. Am I
>> understanding the PKI update process correctly? Am I putting the
>> self-signed certificate PEM format file in the correct place?
>>
>> Darryl Baker, GSEC (he/him/his) Sr. System Administrator (...)
>>
>
> You can put your certificates and truststore wherever you want as
> long as you tell Tomcat where they are in the conf/server.xml
> configuration file when you configure the connector using them.
>
> Self-signed certificates should never be used on a production
> server; they are not secure.

What makes you say that?

-chris
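
A diagnostic for the symptom described in the quoted question (anchor placed in `/etc/pki/ca-trust/source/anchors`, `update-ca-trust extract` run, certificate apparently still missing from the Java store), as an added example that is not part of the thread. It reads the trusted-certificate entries of a keystore without needing the store password and looks for the anchor's SHA-256 fingerprint; it assumes the extracted `cacerts` is in JKS format, does not verify the keystore's integrity digest, and all function names are illustrative.

```python
import hashlib
import ssl
import struct
import sys

JKS_MAGIC = 0xFEEDFEED
BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def _utf(buf, off):
    """Java writeUTF string: 2-byte big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n].decode("utf-8", "replace"), off + 2 + n

def _cert(buf, off, version):
    """One certificate record; returns (der_bytes, next_offset)."""
    if version == 2:
        _, off = _utf(buf, off)              # certificate type, e.g. "X.509"
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def jks_trusted_fingerprints(buf):
    """alias -> SHA-256 hex digest of each trusted-certificate entry."""
    magic, version, count = struct.unpack_from(">III", buf, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    off, found = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", buf, off)
        alias, off = _utf(buf, off + 4)
        off += 8                             # creation timestamp
        if tag == 2:                         # trusted certificate
            der, off = _cert(buf, off, version)
            found[alias] = hashlib.sha256(der).hexdigest()
        elif tag == 1:                       # private key: skip key and its chain
            (klen,) = struct.unpack_from(">I", buf, off)
            (chain,) = struct.unpack_from(">I", buf, off + 4 + klen)
            off += 8 + klen
            for _ in range(chain):
                _, off = _cert(buf, off, version)
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return found

def anchor_in_truststore(pem_text, jks_bytes):
    """True if the first certificate in pem_text is a trusted entry of the store."""
    block = pem_text[pem_text.index(BEGIN):pem_text.index(END) + len(END)]
    der = ssl.PEM_cert_to_DER_cert(block)
    return hashlib.sha256(der).hexdigest() in jks_trusted_fingerprints(jks_bytes).values()

if __name__ == "__main__":                   # usage: check.py anchor.pem cacerts
    with open(sys.argv[1]) as pem, open(sys.argv[2], "rb") as store:
        ok = anchor_in_truststore(pem.read(), store.read())
    print("present" if ok else "MISSING")
```

Run it with the anchor file and `/etc/pki/ca-trust/extracted/java/cacerts` as arguments, before and after a package update, to see whether the entry survives. A `ValueError` on the magic number means the store is not JKS and needs a different reader.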