On Sat, Jan 21, 2023 at 02:24:46PM +0100, a.grub...@bluewin.ch wrote:
> Hello Mark
>
> Then how do you manage the webserver certificate in Tomcat? Where do you
> store the password? I would like to do it of course always without, but the
> architecture is like that I have.
>
> Webserver certificate.p12
> Webserver certificate.p12.pwd   Password_today   Password
> tomorrow
>
> Tomcat/conf/server.xml
>
> I would like to reference the pwd file in server.xml. You cannot enter the
> server and get to the directory until you do the sudo to its technical user.
>
> How can you do this? When you have an automated certificate approach running,
> renewing certificates which are in the range to renew.
> How to avoid setting ; in a password? This also causes or can cause issues.
>
> Thank you for your advice. More security is better, but it must be in the
> position to be handled easily. Every manual change I want to avoid.
I don't store the password. (Perhaps I should ask: do you mean the
passphrase for the private key, or the passphrase for the PKCS12
container?)

Here I have to create a Certificate Signing Request and send it to the
registrar for signature. Since I am creating the private key at the same
time, I can have it created without encryption. Perhaps the tools that
you use have such an option? I generate the request and key with:

  openssl req \
    -new \
    -newkey rsa:4096 \
    -nodes \
    -keyout SOMETHING.key \
    -out SOMETHING.req

If I were packing up the certificate(s) and key in a PKCS12, I would use
"openssl pkcs12 -export -nodes ..." (to leave the private key
unencrypted). But, now that I've been researching it, there may not *be*
a way to specify "no encryption" of the PKCS12 structure itself, only
ways to express a zero-length password.

Of course I pay strict attention to file and directory permissions.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
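The following POSIX shell script is an added example, not Mark's own script and not anything shipped by the Tomcat project. It carries the approach in the reply above through end to end: an unencrypted key and CSR from "openssl req -nodes", a PKCS12 container that opens with a zero-length password (since there is no "no encryption" switch for the container itself), owner-only permissions enforced by umask and chmod, and three checks a deployer can run to confirm the result. Everything not in the thread is an assumption: the file names server.key / server.req / server.crt / server.p12, the placeholder hostname example.invalid, the scratch directory from mktemp, and the self-signed certificate that stands in for the one the registrar would return.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): key + CSR without a
# passphrase, PKCS12 with an empty password, strict permissions, and checks.
set -eu

# The openssl CLI is the only prerequisite; nothing to demonstrate without it.
if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl not installed; nothing to do" >&2
  exit 0
fi

umask 077                              # every file below is created owner-only
WORKDIR="${WORKDIR:-$(mktemp -d)}"     # assumed scratch location
CN="${CN:-example.invalid}"            # assumed placeholder hostname

# 1. Private key and CSR in one step. -nodes leaves the key unencrypted, so no
#    passphrase ever has to be stored next to it.
gen_key_and_csr() {
  openssl req -new -newkey rsa:4096 -nodes \
    -subj "/CN=$CN" \
    -keyout "$WORKDIR/server.key" \
    -out "$WORKDIR/server.req" 2>/dev/null
  chmod 600 "$WORKDIR/server.key"
}

# 2. Stand-in for the registrar: self-sign the CSR (assumption made for this
#    example; in practice the signed certificate comes back from the CA).
self_sign_for_demo() {
  openssl x509 -req -days 30 \
    -in "$WORKDIR/server.req" \
    -signkey "$WORKDIR/server.key" \
    -out "$WORKDIR/server.crt" 2>/dev/null
}

# 3. Pack key + certificate into a PKCS12. "-passout pass:" is the zero-length
#    password the reply mentions; the container format has no unencrypted mode.
pack_p12() {
  openssl pkcs12 -export \
    -inkey "$WORKDIR/server.key" \
    -in "$WORKDIR/server.crt" \
    -name tomcat \
    -passout pass: \
    -out "$WORKDIR/server.p12"
  chmod 600 "$WORKDIR/server.p12"
}

# 4. Checks a deployer would run before pointing server.xml at the files.
key_is_unencrypted() {
  ! grep -q ENCRYPTED "$WORKDIR/server.key"     # PEM header carries no ENCRYPTED marker
}
p12_opens_with_empty_password() {
  openssl pkcs12 -in "$WORKDIR/server.p12" -passin pass: -noout 2>/dev/null
}
perms_are_owner_only() {
  mode=$(stat -c %a "$WORKDIR/server.p12" 2>/dev/null || stat -f %Lp "$WORKDIR/server.p12")
  [ "$mode" = "600" ]
}

run_all() {
  gen_key_and_csr
  self_sign_for_demo
  pack_p12
}

run_all
echo "key, CSR, certificate and PKCS12 written to $WORKDIR"
```

Because the container opens with an empty password, nothing like a "certificate.p12.pwd" file has to exist on disk; the only secret is the key material itself, which the umask and chmod keep readable by the technical user alone. In Tomcat's server.xml the container is referenced through the Connector's SSLHostConfig/Certificate element (certificateKeystoreFile); whether an empty keystore password is accepted there is something to verify against the Tomcat version in use rather than assume.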