Posted to users@tomcat.apache.org by Nithesh Kb <ni...@gmail.com> on 2015/12/15 11:12:41 UTC

Tomcat APR protocol SSL certificate information.

Hi,
I have built the APR libraries, OpenSSL and tc-native, and I have also created
the OpenSSL libraries. Both HTTP and HTTPS are working fine.

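    # generate a passphrase-protected 2048-bit RSA key
    openssl genrsa -des3 -out server.key 2048
    # create a certificate signing request for that key
    openssl req -new -key server.key -out server.csr
    # keep the encrypted key and write an unencrypted copy as server.key
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
    # self-sign the request, valid for 365 days
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt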

I get server.crt and server.key.

I added this entry in the connector:

    protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLCertificateFile="/aa/server.crt"
    SSLCertificateKeyFile="/aa/server.key"

If I do this much, it works!

But the question is: is it possible to put these two certificates in a
keystore, and can we add only that keystore to our connector?
Something like keystoreFile="/aa/tomcat.keystore"

I tried this but it didn't work:

http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore

Please help me to understand this certificate stuff.

Thanks,
Nithesh

Re: Tomcat APR protocol SSL certificate information.

Posted by Nithesh Kb <ni...@gmail.com>.
Thanks David, Thomas.
If my understanding is not wrong:
Up to Tomcat version 8, we need to provide the cert and key separately for
OpenSSL SSL with APR, like
(SSLCertificateFile="/aa/server.crt" SSLCertificateKeyFile="/aa/server.key").
But with Tomcat 9 we can use a keystore to store the cert and key and configure
it in the connector like keystoreFile="/aa/tomcat.keystore"

Thanks,
Nithesh

On Tue, Dec 15, 2015 at 8:40 PM, Mark Thomas <ma...@apache.org> wrote:

> On 15/12/2015 15:07, David Newman wrote:
> > When you use APR the SSL implementation is coming from openssl instead of
> > java.  openssl has no use for java keystore files.  So it becomes more like
> > an apache httpd config with separate files for keys and certificates.
>
> True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
> at some point) you can use Java keystores with OpenSSL.
>
> Mark

Re: Tomcat APR protocol SSL certificate information.

Posted by Mark Thomas <ma...@apache.org>.
On 15/12/2015 15:07, David Newman wrote:
> When you use APR the SSL implementation is coming from openssl instead of
> java.  openssl has no use for java keystore files.  So it becomes more like
> an apache httpd config with separate files for keys and certificates.

True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
at some point) you can use Java keystores with OpenSSL.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
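
Added example, not part of the original thread and not Tomcat project code: the
question above is about moving the PEM key and certificate that the APR
connector takes as separate files into a single keystore. These shell functions
check that the two files belong together and bundle them into a PKCS#12
keystore with openssl; the file names, the alias "tomcat", the password and the
KEYSTORE_PASS variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example. File names, alias and password are constructed placeholders.

# make_keystore KEY CERT OUT ALIAS
# Bundles an unencrypted PEM key and its certificate into a PKCS#12 keystore.
# The keystore password is read from $KEYSTORE_PASS so it never appears in argv.
make_keystore() {
    key=$1; cert=$2; out=$3; alias=$4

    # Refuse to bundle a key that does not belong to the certificate:
    # both files must yield the same public key.
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    if [ -z "$kpub" ] || [ "$kpub" != "$cpub" ]; then
        echo "key and certificate do not match" >&2
        return 1
    fi

    # umask 077 in a subshell: the keystore holds the private key,
    # so create it readable by the owner only.
    ( umask 077
      openssl pkcs12 -export -inkey "$key" -in "$cert" -name "$alias" \
          -out "$out" -passout env:KEYSTORE_PASS ) || return 1

    # Read the keystore back to confirm it opens with the password.
    openssl pkcs12 -in "$out" -nokeys -passin env:KEYSTORE_PASS 2>/dev/null |
        grep -q 'BEGIN CERTIFICATE'
}

# demo: build throwaway material in a temp dir and exercise both outcomes.
demo() {
    d=$(mktemp -d) || return 1
    KEYSTORE_PASS=changeit; export KEYSTORE_PASS   # constructed password
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/server.key" -subj "/CN=localhost" \
        -days 365 -out "$d/server.crt" 2>/dev/null
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
    make_keystore "$d/server.key" "$d/server.crt" "$d/tomcat.p12" tomcat &&
        echo "matching pair: keystore written"
    make_keystore "$d/other.key" "$d/server.crt" "$d/bad.p12" tomcat ||
        echo "mismatched pair: rejected"
    rm -rf "$d"
}
```

Whether a given connector accepts the resulting keystore depends on the Tomcat
version, as discussed in this thread.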


Re: Tomcat APR protocol SSL certificate information.

Posted by David Newman <dn...@unixmonkeys.com>.
When you use APR the SSL implementation is coming from openssl instead of
java.  openssl has no use for java keystore files.  So it becomes more like
an apache httpd config with separate files for keys and certificates.
