On Tue, Oct 7, 2025 at 9:43 PM Darryl Baker <[email protected]> wrote:
> Colleagues,
>
> I am a system administrator and only a few of the systems I support use
> Tomcat. I probably saw this in earlier threads but I don't remember the
> answer. I need either a pointer to the solution or a simple explanation of
> converting my current Tomcat 9 configuration to a working Tomcat 10
> configuration for the main connector for the application I support
> installation. I would like to continue to use a Java keystore.
>
> Current Tomcat 9:
>
> <Connector SSLEnabled="true" clientAuth="false"
>            keystoreFile="/opt/tomcat/latest/conf/dev-appit-keystore.jks"
>            keystorePass="XXXXXXXX" maxHttpHeaderSize="32678" maxThreads="500"
>            port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>            scheme="https" secure="true"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            sslProtocol="TLSv1.2"/>
>
> My attempt at a Tomcat 10 configuration:
>
> <Connector port="8443"
>            maxHttpHeaderSize="32678"
>            maxThreads="500"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            scheme="https"
>            secure="true"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            sslProtocol="TLSv1.2">
>   <SSLHostConfig>
>     <Certificate
>         certificateKeystoreFile="/opt/tomcat/latest/conf/dev-appit-keystore.jks"
>         certificateKeystorePassword="XXXXXXXX"
>         certificateKeyAlias="dev-appit.it.example.com"
>         certificateKeystoreType="PKCS12"
>         type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> Darryl Baker, GSEC, GCLD (he/him/his)
> Sr. System Administrator
> Distributed Application Platform Services
> Northwestern University
> 4th Floor
> 2020 Ridge Avenue
> Evanston, IL 60208-0801
> [email protected]
> (847) 467-6674

Hi Darryl,

In Tomcat 10 you should use the new configuration, see
https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html and
https://tomcat.apache.org/tomcat-10.1-doc/config/http.html.

Your configuration should be:

<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="500"
           maxHttpHeaderSize="32678"
           scheme="https"
           secure="true"
           SSLEnabled="true"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <!-- sslImplementationName can be omitted as it's the default value -->
  <SSLHostConfig protocols="TLSv1.2" certificateVerification="none">
    <!-- Consider adding TLSv1.3 in protocols too -->
    <!-- certificateVerification="none" can be omitted as it's the default value -->
    <!-- certificateKeystoreType="JKS" can be omitted as it's the default value -->
    <!-- Make sure the keystore actually contains the alias since it was missing in
         your previous configuration. If it doesn't, remove certificateKeyAlias. -->
    <Certificate certificateKeystoreFile="/opt/tomcat/latest/conf/dev-appit-keystore.jks"
                 certificateKeystorePassword="XXXXXXXX"
                 certificateKeystoreType="JKS"
                 certificateKeyAlias="dev-appit.it.example.com"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

Kind regards,
Dimitris
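As an added example (not part of this thread and not Tomcat's own tooling), the following Python script parses a single <Connector> element and reports the migration problems Dimitris points out: Tomcat 9 style attributes still sitting on the Connector, a missing SSLEnabled="true", no protocols on SSLHostConfig (or a list without TLSv1.3), and a certificateKeystoreType that does not match the keystore file's suffix. The attribute mapping follows the Tomcat 10.1 SSL how-to linked above; the suffix-to-keystore-type table and the three sample connectors embedded in the script are constructed for this example from the configurations quoted in the thread, with the password left as the same placeholder.

```python
"""Added example: lint a Tomcat <Connector> for the Tomcat 9 -> 10 TLS migration.

Not Tomcat code. The legacy-attribute mapping follows the Tomcat 10.1 SSL
how-to; SUFFIX_TYPES and the sample connectors are constructed assumptions.
"""
import os
import xml.etree.ElementTree as ET

# Tomcat 9 style Connector attributes and where they live in the Tomcat 10 layout
LEGACY_ATTRS = {
    "keystoreFile": "Certificate certificateKeystoreFile",
    "keystorePass": "Certificate certificateKeystorePassword",
    "keyAlias": "Certificate certificateKeyAlias",
    "keystoreType": "Certificate certificateKeystoreType",
    "clientAuth": "SSLHostConfig certificateVerification",
    "sslProtocol": "SSLHostConfig protocols",
}

# File suffix -> keystore type one would expect (assumption, used only as a hint)
SUFFIX_TYPES = {".jks": "JKS", ".p12": "PKCS12", ".pfx": "PKCS12"}


def lint_connector(xml_text: str) -> list[str]:
    """Parse one <Connector> element and return a list of human-readable findings."""
    conn = ET.fromstring(xml_text)
    if conn.tag != "Connector":
        return [f"expected <Connector> as the root element, got <{conn.tag}>"]

    findings = []
    for attr, new_home in LEGACY_ATTRS.items():
        if attr in conn.attrib:
            findings.append(f"Connector {attr} is Tomcat 9 style; move it to {new_home}")

    # SSLEnabled defaults to false; without it the connector does not do TLS at all
    if conn.get("SSLEnabled", "false").lower() != "true":
        findings.append('Connector is missing SSLEnabled="true"')

    hosts = conn.findall("SSLHostConfig")
    if not hosts:
        findings.append("no <SSLHostConfig> element; Tomcat 10 TLS settings go there")
        return findings

    for host in hosts:
        protocols = host.get("protocols")
        if protocols is None:
            findings.append("SSLHostConfig protocols not set; Tomcat's default will apply")
        elif "TLSv1.3" not in protocols and "all" not in protocols:
            findings.append(f'SSLHostConfig protocols="{protocols}" does not include TLSv1.3')

        certs = host.findall("Certificate")
        if not certs:
            findings.append("SSLHostConfig has no <Certificate> element")
        for cert in certs:
            path = cert.get("certificateKeystoreFile", "")
            ks_type = cert.get("certificateKeystoreType", "JKS").upper()  # JKS is the default
            expected = SUFFIX_TYPES.get(os.path.splitext(path)[1].lower())
            if expected and expected != ks_type:
                findings.append(
                    f'certificateKeystoreType="{ks_type}" but {path} looks like a {expected} keystore'
                )
    return findings


# Constructed samples, taken from the configurations quoted in the thread
TOMCAT9 = """<Connector SSLEnabled="true" clientAuth="false"
    keystoreFile="/opt/tomcat/latest/conf/dev-appit-keystore.jks"
    keystorePass="XXXXXXXX" maxHttpHeaderSize="32678" maxThreads="500" port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
    sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
    sslProtocol="TLSv1.2"/>"""

ATTEMPT = """<Connector port="8443" maxHttpHeaderSize="32678" maxThreads="500"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
    sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
    sslProtocol="TLSv1.2">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="/opt/tomcat/latest/conf/dev-appit-keystore.jks"
                 certificateKeystorePassword="XXXXXXXX"
                 certificateKeyAlias="dev-appit.it.example.com"
                 certificateKeystoreType="PKCS12" type="RSA" />
  </SSLHostConfig>
</Connector>"""

CORRECTED = """<Connector port="8443" maxHttpHeaderSize="32678" maxThreads="500"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
    SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2" certificateVerification="none">
    <Certificate certificateKeystoreFile="/opt/tomcat/latest/conf/dev-appit-keystore.jks"
                 certificateKeystorePassword="XXXXXXXX"
                 certificateKeystoreType="JKS"
                 certificateKeyAlias="dev-appit.it.example.com" type="RSA" />
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for name, sample in (("Tomcat 9", TOMCAT9), ("attempt", ATTEMPT), ("corrected", CORRECTED)):
        print(f"== {name} ==")
        for finding in lint_connector(sample) or ["no findings"]:
            print("  -", finding)
```

Run it against a real server.xml by passing the text of one Connector element to lint_connector; the script intentionally reads only the attributes and elements named in the thread, so an unrelated Connector (plain HTTP, AJP) will simply produce the SSLEnabled finding and can be skipped.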
