"Christopher Schultz" <ch...@christopherschultz.net> wrote in message news:4b1ecba6.1030...@christopherschultz.net...

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Vadim,
>
> On 12/7/2009 1:25 PM, Vadim Letitchevski wrote:
>> openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey
>> /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat -CAfile
>> /etc/pki/tls/cacert.pem -caname root -chain
>>
>> I have used the password changeit.
>
> Note that you have created a certificate in PKCS12 format, not a keystore.
> You now need to take the next step in the SSL HOWTO, which is to use the
> Java 'keytool' utility to create a keystore.
>
Yes, the documentation in the SSL HOWTO is somewhat confusing :(. There are
actually two separate examples there (one for PKCS12 and one for JKS), but it
isn't very clear from reading the doc where one ends and the other begins.
For PKCS12 you are done after creating the .p12 file (except for the
undocumented part about adding the keystoreType to the <Connector />). If
anybody wants to take a crack at cleaning this up (with bonus points for
adding a PKCS11 example), patches are always welcome.

>> Next I have edited server.xml to have these strings:
>>
>> <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
>> <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
>> keystoreFile="conf/mycert.p12" keystorePass="changeit"
>
> If you are going to use the PKCS12 (.p12) format, you will probably have
> to set keystoreType="PKCS12". Check the documentation for the
> SSL-specific <Connector> attributes again.
>
>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>> enableLookups="false" disableUploadTimeout="true"
>> scheme="https" secure="true"
>> clientAuth="false" sslProtocol="TLS" />
>>
>> <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
>> <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
>> keystoreFile="conf/mycert.p12" keystorePass="changeit"
>> truststoreFile="conf/mycert.p12" truststorePass="changeit"
>
> Although I don't think it will hurt to have both, your keystore and
> truststore aren't the same thing. Check the documentation for these two
> attributes. Again, you may need to use truststoreType="PKCS12" if you
> want to use your .p12 file.
>
> Hope that helps,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAksey6YACgkQ9CaO5/Lv0PBwWQCgj6T+m87bL49GXvON7dzIaklo
> S74AnRnYM6IIuo8pMQe/bDAaSbwocXzg
> =k45M
> -----END PGP SIGNATURE-----
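The two points the thread settles (a .p12 exported by openssl already is the keystore, so the keytool step is skipped, and the truststore is a separate file holding only CA certificates) as an added, self-contained example. This is not code from the thread or from the Tomcat docs: it builds a throw-away CA and server certificate under a temp directory as stand-ins for cacert.pem/localhost.crt/localhost.key, reuses the password from the thread, checks each PKCS12 with openssl before it goes near server.xml, and prints the two <Connector> fragments with the keystoreType/truststoreType attributes the HOWTO leaves out. Only the openssl CLI is needed.

```shell
#!/bin/sh
# Added example (not from the thread or Tomcat): PKCS12 keystore + separate
# truststore for a Tomcat connector, verified with openssl. Paths, subject
# names and the throw-away CA are assumptions for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="changeit"   # password from the thread; use a real secret in production

# 1. Throw-away CA and a server certificate signed by it.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Demo Root CA" \
        -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -keyout "$WORK/localhost.key" -out "$WORK/localhost.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$WORK/localhost.csr" \
        -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
        -out "$WORK/localhost.crt" 2>/dev/null
}

# 2. The export from the thread: key + cert + CA chain in one .p12.
#    This file *is* the keystore; there is no keytool import afterwards.
make_keystore() {
    openssl pkcs12 -export -in "$WORK/localhost.crt" -inkey "$WORK/localhost.key" \
        -name tomcat -CAfile "$WORK/cacert.pem" -caname root -chain \
        -passout "pass:$PASS" -out "$WORK/mycert.p12"
}

# 3. The truststore holds only the CA certs whose client certs you accept;
#    it must never contain the server's private key.
make_truststore() {
    openssl pkcs12 -export -nokeys -in "$WORK/cacert.pem" -name root \
        -passout "pass:$PASS" -out "$WORK/truststore.p12"
}

# Number of private keys in a PKCS12: keystore must have 1, truststore 0.
count_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true
}

# Number of certificates in a PKCS12 (server cert + CA for the keystore).
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Connector fragments with the attributes the HOWTO does not mention.
print_connectors() {
cat <<EOF
<!-- server-auth only -->
<Connector port="8442" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/mycert.p12" keystorePass="changeit"
           keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS" />

<!-- mutual auth: separate truststore, also PKCS12 -->
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/mycert.p12" keystorePass="changeit"
           keystoreType="PKCS12"
           truststoreFile="conf/truststore.p12" truststorePass="changeit"
           truststoreType="PKCS12" clientAuth="true" sslProtocol="TLS" />
EOF
}

build_all() {
    make_certs && make_keystore && make_truststore
}

build_all
echo "keystore:   $(count_keys "$WORK/mycert.p12") key(s), $(count_certs "$WORK/mycert.p12") cert(s)"
echo "truststore: $(count_keys "$WORK/truststore.p12") key(s), $(count_certs "$WORK/truststore.p12") cert(s)"
print_connectors
```

The two counts are the check worth doing before editing server.xml: the keystore should report one key and two certificates (server plus CA, which is what -chain adds), and the truststore zero keys and one certificate. If a .p12 meant as a truststore reports a key, it is the server keystore being reused, which is exactly the mix-up the reply above points at. With OpenSSL 3 the default PKCS12 encryption is newer than what some older JDKs accept; if Tomcat's JVM refuses the file, re-export with OpenSSL 3's -legacy switch.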