wow. All working now. (I think - verifying the Client Cert prompt - browser is NOT prompting, but I may not have a cert for it to send.) certificateKeystoreFile etc. instead of certificateKeyFile,
and truststoreFile instead of caCertificateFile. (I spent a lot of time searching and trying things. Glad I finally ASKED.) Thanks again.

On Mon, Feb 11, 2019 at 11:22 AM Christopher Schultz <ch...@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> John,
>
> On 2/11/19 10:42, John Palmer wrote:
> > I'm new to implementing APR/tc-native for SSL/TLS on Windows
> > Server 2008R2, attempting to use tomcat 8.5.37 specifying PKCS12
> > format in the SSLHostConfig/Certificate elements for the keystore
> > and truststore. (I would prefer to drop the JKS format for several
> > reasons.) Questions are: is this allowed?
>
> Absolutely. And switching away from JCEKS/JKS files is a good idea.
> They never should have existed in the first place.
>
> > if so, what am I doing wrong?
>
> :)
>
> > ...while the old (tomcat 7) connector element format works very
> > well... for example:
> >
> >   <Connector port="443"
> >              protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >              maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >              keyAlias="FQDNservername" keystoreFile="C:\certs\servername.pfx"
> >              keystorePass="password" keystoreType="PKCS12" clientAuth="true"
> >              truststoreFile="C:\certs\truststore.pfx" truststoreType="PKCS12"
> >              truststorePass="password">
> >     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> >   </Connector>
> >
> > trying to use these .pfx files in the new
> > Connector/SSLHostConfig/Certificate elements doesn't work: (there's
> > no equivalent to the ...Type attribute for certificateFile,
> > caCertificateFile, and the description for each says ..."The format
> > is PEM-encoded." and no equivalent for the ...Password attribute
> > for caCertificateFile).
>
> You want to use certificateKeystoreType="PKCS12" and
> certificateKeystoreFile="C:/certs/truststore.pfx". Don't use
> backslashes. They will ruin your life. (But in this case, it should
> not matter which kind of slash you use.)
>
> I notice that you have another thread where you are trying to use
> tcnative. If you are using tcnative with the APR connector, you cannot
> use keystores such as the above. But you are specifically using the
> NIO2 protocol, so you will be using the OpenSSL JSSE provider, so I
> think you are okay.
>
> >   <Connector port="443"
> >              protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >              maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
> >     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
> >     <SSLHostConfig certificateVerification="optional"
> >                    caCertificateFile="C:\certs\trustStore.PFX">
>
> Change to truststoreFile="C:/certs/trustStore.PFX".
>
> >       <Certificate certificateKeyFile="C:\certs\servername.pfx"
> >                    certificateKeyPassword="password" />
>
> Change to certificateKeystoreFile and make sure to set
> certificateKeystoreType="PKCS12". Also
> certificateKeystorePassword="password".
>
> >     </SSLHostConfig>
> >   </Connector>
>
> Hope that helps.
>
> - -chris
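For reference, the complete Tomcat 8.5 NIO2 connector as it looks once Chris's corrections are applied, assembled here as an added example (it is not a config from the original thread). The paths and the "password" values are the thread's own placeholders; the certificateKeyAlias and truststorePassword attributes are not mentioned in the thread and are assumed from the Tomcat 8.5 SSLHostConfig documentation as the counterparts of the old keyAlias and truststorePass.

```xml
<!-- Added example: Tomcat 8.5 Connector/SSLHostConfig/Certificate with PKCS12 files.
     Mapping from the old Tomcat 7 Connector attributes used in the thread:
       keystoreFile / keystorePass / keystoreType
         -> Certificate certificateKeystoreFile / certificateKeystorePassword / certificateKeystoreType
       keyAlias            -> Certificate certificateKeyAlias            (assumed, see lead-in)
       truststoreFile / truststorePass / truststoreType
         -> SSLHostConfig truststoreFile / truststorePassword / truststoreType (truststorePassword assumed)
       clientAuth="true"   -> SSLHostConfig certificateVerification="required"
     Forward slashes in paths, as Chris recommends. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
  <!-- "optional" (as in the thread) still accepts clients that present no certificate;
       "required" rejects them and is the equivalent of the old clientAuth="true". -->
  <SSLHostConfig certificateVerification="optional"
                 truststoreFile="C:/certs/truststore.pfx"
                 truststoreType="PKCS12"
                 truststorePassword="password">
    <!-- certificateFile / certificateKeyFile / caCertificateFile expect PEM input;
         a .pfx is a keystore, so the certificateKeystore* attributes are the ones to use. -->
    <Certificate certificateKeystoreFile="C:/certs/servername.pfx"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="password"
                 certificateKeyAlias="FQDNservername" />
  </SSLHostConfig>
</Connector>
```

A quick way to confirm that the truststore is actually in use and that the server is requesting a client certificate is to connect with openssl s_client; when the server sends a CertificateRequest, its output lists the "Acceptable client certificate CA names" taken from the truststore, and a browser only prompts if it holds a certificate issued by one of those CAs.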