This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 09326c68a6bf55c12adefc36c427077389a7e72f Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Apr 30 21:06:21 2020 +0100 Add key store type section --- webapps/docs/changelog.xml | 4 ++++ webapps/docs/config/http.xml | 42 ++++++++++++++++++++++++++++++++++++++++-- 2 files changed, 44 insertions(+), 2 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 5ceb6ca..35b9cc9 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -146,6 +146,10 @@ Fix the saving of a Context configuration file via the scripting interface of the Manager web application. (markt) </fix> + <add> + Add a section to the TLS Connector documentation on different key store + types and how to configure them. (markt) + </add> </changelog> </subsection> <subsection name="Other"> diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml index f73d26f..7f6cf2f 100644 --- a/webapps/docs/config/http.xml +++ b/webapps/docs/config/http.xml @@ -1439,7 +1439,8 @@ TLS virtual host and that certificate has a <code>keystoreType</code> that is not <code>PKCS12</code> then the default will be the <code>keystoreType</code> of the single certificate. If none of these - identify a default, the default will be <code>JKS</code>.</p> + identify a default, the default will be <code>JKS</code>. See the notes on + <a href="#Key_store_types">key store types</a> below.</p> </attribute> </attributes> @@ -1539,7 +1540,8 @@ If not specified, the value of the system property <code>javax.net.ssl.keyStoreType</code> is used. If neither this attribute nor the system property are set, a default value of "<code>JKS</code>". is - used.</p> + used. See the notes on <a href="#Key_store_types">key store types</a> + below.</p> </attribute> <attribute name="type" required="false"> 
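Review bot: the unchanged context line `a default value of "<code>JKS</code>". is` in the `@@ -1539,7 +1540,8 @@` hunk carries a stray period between the closing quote and `is`, so the rendered sentence reads `a default value of "JKS". is used.` Since this hunk already rewrites the line that follows, fold the fix in and change the context line to `a default value of "<code>JKS</code>" is`.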
@@ -1602,6 +1604,42 @@ </subsection> + <subsection name="Key store types"> + + <p>In addition to the standard key store types (JKS and PKCS12), most Java + runtimes support additional key store types such as Windows-ROOT, + Windows-My, DKS as well as hardware security modules. Generally, to use + these additional keystore types with a TLS Conector in Tomcat:</p> + + <ul> + <li>Set the certificateKeystoreType and/or truststoreType Connector + attribute (as appropriate) to the necessary type</li> + <li>If a configuration file is required, set the certificateKeystoreFile + and/or truststoreFile Connector attribute (as appropriate) to point to + the file</li> + <li>If no configuration file is required then you will almost certainly + need to explicitly set the certificateKeystoreFile and/or + truststoreFile Connector attribute (as appropriate) to the empty + string ("")</li> + <li>If a password is required, set the certificateKeystorePassword and/or + truststorePassword Connector attribute (as appropriate) to the + required password</li> + <li>If no password is required then you will almost certainly need to + explicitly set the certificateKeystorePassword and/or + truststorePassword Connector attribute (as appropriate) to the empty + string ("")</li> + </ul> + + <p>Variations in key store implementations, combined with the key store + manipulation Tomcat does in the background to allow interoperability between + JSSE and OpenSSL configuration styles, means that some keystores may need + slightly different configuration. Assitance is always available from the + <a href="http://tomcat.apache.org/lists.html#tomcat-users">Apache Tomcat + users mailing list</a>. We aim to document any key stores that vary from the + above advice here. 
Currently there are none we are aware of.</p> + + </subsection> + <subsection name="SSL Support - Connector - NIO and NIO2 (deprecated)"> <p>The following NIO and NIO2 SSL configuration attributes have been
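Review bot: two typos in the new "Key store types" subsection: `TLS Conector` should be `TLS Connector` and `Assitance` should be `Assistance`. On style, the attribute names in the bullet list (`certificateKeystoreType`, `truststoreType`, `certificateKeystoreFile`, `truststoreFile`, `certificateKeystorePassword`, `truststorePassword`) are bare text, while the rest of http.xml wraps attribute names in `<code>` (compare `<code>keystoreType</code>` in the two hunks above); wrapping them keeps the rendering consistent and makes the attributes searchable. Since the list of extra types names Windows-ROOT, Windows-My and DKS but only says "hardware security modules" for the last case, naming the `PKCS11` key store type there would tell readers which `certificateKeystoreType` value to set. Finally, please confirm that the `#Key_store_types` anchor referenced in the two earlier hunks matches the anchor the docs build generates for `<subsection name="Key store types">`, otherwise both new cross-references will dangle.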