Vadim,

On 12/7/2009 1:25 PM, Vadim Letitchevski wrote:
> openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey
> /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat -CAfile
> /etc/pki/tls/cacert.pem -caname root -chain
>
> I have used the password changeit.

Note that you have created a certificate in PKCS12 format, not a keystore.
You now need to take the next step in the SSL HOWTO, which is to use the
Java 'keytool' utility to create a keystore.

> Next I have edited server.xml to have these strings:
>
> <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
> <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
> keystoreFile="conf/mycert.p12" keystorePass="changeit"

If you are going to use the PKCS12 (.p12) format, you will probably have
to set keystoreType="PKCS12". Check the documentation for the
SSL-specific <Connector> attributes again.

> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" />
>
> <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
> <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
> keystoreFile="conf/mycert.p12" keystorePass="changeit"
> truststoreFile="conf/mycert.p12" truststorePass="changeit"

Although I don't think it will hurt to have both, your keystore and
truststore aren't the same thing. Check the documentation for these two
attributes. Again, you may need to use truststoreType="PKCS12" if you
want to use your .p12 file.

Hope that helps,
-chris
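
The two points raised in the reply above can be checked mechanically before Tomcat is restarted. The script below is an added example, not part of the original message or of Tomcat itself: it parses the SSL connectors and reports any keystoreFile or truststoreFile that points at a .p12/.pfx file without an explicit matching type, and any connector that uses one file for both stores. The function names and the sample XML (the quoted connectors trimmed to their SSL attributes) are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two connectors quoted in the message, trimmed to
# their SSL-related attributes. This is not a complete server.xml.
SAMPLE_SERVER_XML = """
<Service>
  <Connector port="8442" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/mycert.p12" keystorePass="changeit"
             clientAuth="false" sslProtocol="TLS" />
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/mycert.p12" keystorePass="changeit"
             truststoreFile="conf/mycert.p12" truststorePass="changeit" />
</Service>
"""

PKCS12_SUFFIXES = (".p12", ".pfx")


def check_connector(conn):
    """Return a list of findings for one <Connector> element."""
    findings = []
    port = conn.get("port", "?")
    for store in ("keystore", "truststore"):
        path = conn.get(store + "File")
        declared = (conn.get(store + "Type") or "").upper()
        # Assumption of this example: require an explicit type on each store,
        # as the reply suggests, rather than relying on any default.
        if path and path.lower().endswith(PKCS12_SUFFIXES) and declared != "PKCS12":
            findings.append(f'port {port}: {store}File="{path}" needs {store}Type="PKCS12"')
    ks, ts = conn.get("keystoreFile"), conn.get("truststoreFile")
    if ks is not None and ks == ts:
        findings.append(f"port {port}: keystoreFile and truststoreFile are the same file")
    return findings


def lint_server_xml(xml_text):
    """Check every SSL-enabled <Connector> in the given server.xml text."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            findings.extend(check_connector(conn))
    return findings


if __name__ == "__main__":
    for line in lint_server_xml(SAMPLE_SERVER_XML):
        print(line)
```

The same-file finding is informational: it marks the place where a dedicated truststore holding only the trusted CA certificates would normally go.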