Mark,
Chris,
On 16.11.2015 17:15, Mark Thomas wrote:
>> Tomcat 8 docs list the APR Connector attribute "SSLCertificateChainFile"
>> [1]. Tomcat 9 docs do not list such an attribute (neither in "SSL
>> Support - SSLHostConfig", "SSL Support - Certificate" nor "SSL Support -
>> Connector - APR/Native (deprecated)"). I also checked the class
>> SSLHostConfigCertificate, and couldn't find a field for the chain.
> You use the same attribute as for the cert, i.e. you provide the full
> chain rather than just the cert.
Ok, my initial testing was with the attribute SSLCertificateChainFile,
which was deprecated.
Now I tried to add the chain to the server certificate file, but it does not
work for me, either. I still get the warning that the certificate chain is
incomplete. I tried these two configurations; both of them serve only the
server cert:
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="443"
           SSLEnabled="true"
           SSLCertificateFile="cert-with-chain.pem"
           SSLCertificateKeyFile="server.key" />

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="443"
           SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeyFile="server.key"
                     certificateFile="cert-with-chain.pem" />
    </SSLHostConfig>
</Connector>
File "cert-with-chain.pem" contains three certificates -- first the
server certificate, and then two intermediate certificates.
I also tried changing the certificate order (first the intermediate
certificates, then the server cert), but that results in
"error:0B080074:x509 certificate routines:X509_check_private_key:key
values mismatch", so I guess the server certificate must be the first one.
-Ognjen
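A check for the ordering of a chain file like the one discussed above, added here as an example and not code from this thread or from Tomcat: it walks the DER structure of each certificate in a PEM file with the Python standard library only and reports whether the server certificate comes first and each certificate is issued by the one after it. The certificate names are constructed stand-ins; the check compares issuer and subject names only and does not verify signatures or the private key.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):  # one DER tag-length-value at pos -> (tag, value, position after it)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                       # long form: low bits give the number of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def names(cert_der):
    """Return (subject, issuer) as the raw DER Name contents of one X.509 certificate."""
    _, tbs, _ = tlv(cert_der, 0)                        # Certificate SEQUENCE
    _, tbs, _ = tlv(tbs, 0)                             # tbsCertificate SEQUENCE
    pos = tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0       # skip optional [0] EXPLICIT version
    _, _, pos = tlv(tbs, pos)                           # serialNumber
    _, _, pos = tlv(tbs, pos)                           # signature AlgorithmIdentifier
    _, issuer, pos = tlv(tbs, pos)                      # issuer Name
    _, _, pos = tlv(tbs, pos)                           # validity
    _, subject, _ = tlv(tbs, pos)                       # subject Name
    return subject, issuer

def check_chain_order(pem_text):
    """Problems found in a chain file; [] means server cert first and each cert issued by the next."""
    chain = [names(base64.b64decode("".join(b.split()))) for b in PEM_RE.findall(pem_text)]
    if not chain:
        return ["no certificates found"]
    problems = []
    if len(chain) == 1 and chain[0][0] != chain[0][1]:
        problems.append("single non-self-signed certificate: intermediates missing")
    for i in range(len(chain) - 1):
        if chain[i][1] != chain[i + 1][0]:              # issuer of cert i must be subject of cert i+1
            problems.append(f"certificate {i} is not issued by certificate {i + 1}")
    return problems

# Constructed sample input (not real certificates): stand-ins carrying only the
# fields names() reads, with no key, extensions or signature, so this runs offline.
def der(tag, body):
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body
def cn_name(cn):  # Name = SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }
    return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))
def fake_cert(subject, issuer):
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
           + cn_name(issuer) + der(0x30, b"") + cn_name(subject))
    return der(0x30, der(0x30, tbs))
def pem(cert_der):
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert_der).decode()
LINKS = [("www.example.test", "Example Issuing CA"), ("Example Issuing CA", "Example Policy CA"), ("Example Policy CA", "Example Root CA")]
SAMPLE_GOOD = "".join(pem(fake_cert(s, i)) for s, i in LINKS)               # server cert first
SAMPLE_REVERSED = "".join(pem(fake_cert(s, i)) for s, i in reversed(LINKS))  # intermediates first
```

Run `check_chain_order(open("cert-with-chain.pem").read())` on the real file; an empty list means the order matches what the APR connector expects.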