Hi,

I managed to get Windows-MY (SSL Personal Store) and Windows-ROOT (Root CA 
Store) with Solr 8.0.0 to work.
How?

I enabled the following in solr.in.cmd:

set SOLR_SSL_CHECK_PEER_NAME=true
set SOLR_SSL_ENABLED=true
set SOLR_SSL_KEY_STORE=NONE
set SOLR_SSL_KEY_STORE_PASSWORD=<snip>
set SOLR_SSL_TRUST_STORE=NONE
set SOLR_SSL_TRUST_STORE_PASSWORD=<snip>
set SOLR_SSL_NEED_CLIENT_AUTH=true
set SOLR_SSL_WANT_CLIENT_AUTH=false
set SOLR_SSL_KEY_STORE_TYPE=Windows-MY
set SOLR_SSL_TRUST_STORE_TYPE=Windows-ROOT

I also edited solr.cmd in the following way:
set "SOLR_SSL_OPTS= -Djavax.net.ssl.keyStoreProvider=SunMSCAPI -Djavax.net.ssl.trustStoreProvider=SunMSCAPI"

But there is one problem:
The Microsoft Key Store is not a file based Keystore.

What happens:
SOLR logs a missing KEYSTORE File "NONE"

The official documentation at
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
tells me:

* javax.net.ssl.keyStore system property.
Note that the value NONE may be specified. This setting is appropriate if the 
keystore is not file-based (for example, it resides in a hardware token)

The same is valid for trustStore.

So my workaround here is to place an empty PKCS#12 keystore File called "NONE" 
in the \server directory, where start.jar resides.
Solr 4.4 was happy with just an empty 0 byte NONE file.

It seems to me that currently only file-based key stores are working without 
manual workarounds.
A proper solution would be very nice for others so it can be easily configured.

When I specify null, Solr requires the keystore file to be called null.
And if no password is specified at all, you won't get it to work.

The Solr Reference Guide also lacks information here.


The solution would be in the code to specify null when loading the keystore 
file, and password also null.
I found that while searching:

https://stackoverflow.com/questions/13697934/windows-keystores-and-certificates/29534497


Other software also seems to have problems with this:
https://github.com/gradle/gradle/issues/6584


It would be great to see better integration of the Windows keystore in the 
future, as it was very difficult to analyze and find out when you start from zero.
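As an added example (not Solr's code and not from the sender), the loader below applies the JSSE rule quoted above: the path value NONE means "no file", so it calls load(null, null) and lets the SunMSCAPI provider open the Windows-MY or Windows-ROOT store directly, with no dummy file. Class and method names here are my own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

/**
 * Added example (hypothetical helper, not Solr's own code): load a keystore the way
 * the JSSE reference guide describes, treating the path value "NONE" as "not file-based"
 * so provider-backed stores (Windows-MY / Windows-ROOT via SunMSCAPI) need no dummy file.
 */
public final class KeyStoreLoader {

    /** JSSE's documented marker for a keystore that is not file-based. */
    static final String NO_FILE = "NONE";

    static KeyStore load(String path, String type, String provider, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = (provider == null)
                ? KeyStore.getInstance(type)
                : KeyStore.getInstance(type, provider);

        if (path == null || NO_FILE.equals(path)) {
            // Provider-backed store (hardware token, Windows certificate store):
            // a null stream and null password tell the provider to open its own store.
            ks.load(null, null);
            return ks;
        }

        // Ordinary file-based store (JKS / PKCS12): read the file and let the
        // provider check the password and integrity against the file contents.
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Mirrors the solr.in.cmd settings in the mail: type Windows-MY / Windows-ROOT,
        // path NONE, provider SunMSCAPI. Runs only on a Windows JVM, where SunMSCAPI exists.
        KeyStore personal = load(NO_FILE, "Windows-MY", "SunMSCAPI", null);
        KeyStore roots = load(NO_FILE, "Windows-ROOT", "SunMSCAPI", null);
        System.out.println("Windows-MY entries:   " + personal.size());
        System.out.println("Windows-ROOT entries: " + roots.size());
    }
}
```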
