Thanks. I will try it.
Vadim. 

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net] 
Sent: Tuesday, December 08, 2009 1:57 PM
To: Tomcat Users List
Cc: Vadim Letitchevski
Subject: Re: JSSE question

Vadim,

On 12/7/2009 1:25 PM, Vadim Letitchevski wrote:
> openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey 
> /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat 
> -CAfile /etc/pki/tls/cacert.pem -caname root -chain
> 
> I have used the password changeit.

Note that you have created a certificate in PKCS12 format, not a keystore.
You now need to take the next step in the SSL HOWTO which is to use the Java 
'keytool' utility to create a keystore.

> Next I have edited server.xml to have these strings:
> 
>     <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
>     <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"

If you are going to use the PKCS12 (.p12) format, you will probably have to set 
keystoreType="PKCS12". Check the documentation for the SSL-specific <Connector> 
attributes again.

>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
> 
>     <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
>     <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>                truststoreFile="conf/mycert.p12" truststorePass="changeit"

Although I don't think it will hurt to have both, your keystore and truststore 
aren't the same thing. Check the documentation for these two attributes. Again, 
you may need to use truststoreType="PKCS12" if you want to use your .p12 file.

Hope that helps,
-chris
