Daniel,

On 9/10/20 13:33, Daniel Skiles wrote:
> In this case, I didn't remove every certificate, but I did remove
> the certificate that was originally being referenced after adding a
> new certificate under a new alias.
>
> Original Keystore: Alias A
> Server.xml _default_ SSLHostConfig points to Alias A
>
> After Modification: Alias B
> Server.xml _default_ SSLHostConfig points to Alias B
>
> <Call reloadSslHostConfigs here>
> <Receive error>
>
> If that's not supported, I'll see if I can keep the aliases stable
> somehow. If there is a way to do it, I'd be interested in hearing what
> it is.

What are the real alias names? If you don't specify the key alias, Tomcat
will use the first private key it finds in the file (which is essentially
random, as Java keystores do not guarantee any kind of read-ordering).

What does your <Certificate> look like in server.xml?

Can you also post the actual error and complete stack trace you get?

If you change the key's alias, you'll need to change the alias listed in
the <Certificate> unless you are using the default first-key behavior.

Also note that calling reloadSslHostConfigs does NOT re-read server.xml.
It re-initializes the existing in-memory configuration. If you want to
e.g. change the key alias, you'll have to make a JMX call to update the
alias and THEN call reloadSslHostConfigs.

-chris

> On Thu, Sep 10, 2020 at 11:34 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Daniel,
>
> On 9/10/20 09:09, Daniel Skiles wrote:
>> Is it possible to change the keystore alias of the _default_
>> SSLHostConfig's certificate while Tomcat is running?
>>
>> At present, I'm trying to move the _default_ certificate from
>> one certificate in my keystore, to another. I modify the
>> server.xml, then I call the reloadSslHostConfigs MBean
>> operation. The operation throws an error that boils down to
>> a jsse.alias_no_key_entry error that comes back from the
>> JVM.
>>
>> Is this a technical limitation on SNI/SSLHostConfig, or am I
>> missing something here?
>
> Did you remove all server certificates from your keystore and then
> try to bounce the connector? That's not going to work because the
> connector requires a server key and certificate.
>
> Instead of "moving" the cert, consider copying the certificate
> instead.
>
> -chris
>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
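The two-step procedure Chris describes (update the alias over JMX, then call reloadSslHostConfigs so the in-memory configuration is rebuilt) as a small JMX client. This is an added example, not code from the thread or from Tomcat itself. The MBean names and attribute name it queries (the "Catalina" domain, type=SSLHostConfigCertificate with a "name" key carrying the SNI host name and a writable "certificateKeyAlias" attribute, type=ProtocolHandler with a "port" key exposing reloadSslHostConfigs) are assumptions about how Tomcat registers these objects; verify them against your own instance in jconsole before relying on them. The JMX credentials are read from environment variables and are likewise an assumption about your setup.

```java
import java.util.HashMap;
import java.util.Map;

import javax.management.Attribute;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Re-point one SSLHostConfig's <Certificate> at a different keystore alias
 * over JMX, then ask the connector to rebuild its SSL contexts.
 *
 * Assumed MBean layout (check in jconsole): domain "Catalina";
 * type=SSLHostConfigCertificate,...,name=<sniHost>,... with attribute
 * "certificateKeyAlias"; type=ProtocolHandler,port=<port>,... with
 * operation reloadSslHostConfigs().
 */
public class SwapKeyAlias {

    /** Find exactly one MBean matching the pattern whose key property equals wanted. */
    static ObjectName findOne(MBeanServerConnection mbs, ObjectName pattern,
                              String keyProp, String wanted) throws Exception {
        ObjectName match = null;
        for (ObjectName on : mbs.queryNames(pattern, null)) {
            String v = on.getKeyProperty(keyProp);
            if (v == null) {
                continue;
            }
            // Tomcat may quote key values, so accept both _default_ and "_default_".
            if (v.equals(wanted) || v.equals(ObjectName.quote(wanted))) {
                if (match != null) {
                    throw new IllegalStateException("ambiguous: " + match + " and " + on
                            + " (more than one connector? narrow the pattern)");
                }
                match = on;
            }
        }
        if (match == null) {
            throw new IllegalStateException("no MBean matching " + pattern
                    + " with " + keyProp + "=" + wanted);
        }
        return match;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SwapKeyAlias <jmxHost:port> <connectorPort> <sniHost> <newAlias>");
            System.exit(2);
        }
        String jmxHostPort = args[0];
        String connectorPort = args[1];
        String sniHost = args[2];      // e.g. _default_
        String newAlias = args[3];     // alias of a PrivateKeyEntry in the keystore

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + jmxHostPort + "/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        // Assumed: the remote JMX port is password-protected; never expose it unauthenticated.
        env.put(JMXConnector.CREDENTIALS,
                new String[] { System.getenv("JMX_USER"), System.getenv("JMX_PASS") });

        try (JMXConnector jmxc = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection mbs = jmxc.getMBeanServerConnection();

            // 1. Locate the <Certificate> for this SNI host and the connector's ProtocolHandler.
            ObjectName cert = findOne(mbs,
                    new ObjectName("Catalina:type=SSLHostConfigCertificate,*"), "name", sniHost);
            ObjectName proto = findOne(mbs,
                    new ObjectName("Catalina:type=ProtocolHandler,*"), "port", connectorPort);

            // 2. Change the alias in memory. server.xml on disk is neither read nor written
            //    here, so make the same edit there or the change is lost on the next restart.
            String oldAlias = (String) mbs.getAttribute(cert, "certificateKeyAlias");
            mbs.setAttribute(cert, new Attribute("certificateKeyAlias", newAlias));
            System.out.println(cert + ": certificateKeyAlias " + oldAlias + " -> " + newAlias);

            // 3. Only now rebuild the SSL contexts from the updated in-memory configuration.
            //    If the keystore has no private key under newAlias, this is where the
            //    jsse.alias_no_key_entry failure from the thread shows up.
            mbs.invoke(proto, "reloadSslHostConfigs", new Object[0], new String[0]);
            System.out.println("reloadSslHostConfigs invoked on " + proto);
        }
    }
}
```

Do the keystore change first (add the new PrivateKeyEntry, keep the old one until the reload succeeds), then run the client; removing the old entry before the reload leaves the connector with no usable key if the new alias is wrong. With more than one HTTPS connector the certificate query above is ambiguous on purpose and throws; narrow the pattern with the ThreadPool key shown in jconsole for the connector you mean.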