Posted to users@tomcat.apache.org by pa...@stgconsulting.com on 2022/02/09 18:41:29 UTC

Tomcat 9.0.56 Windows - Assistance with using cert and key generated using MS AD Cert Server for internal use

All,

Could someone point me to a how-to for SSL configuration using a cert and key
generated using MS AD Cert Server for internal use?

I have attempted to follow examples in the Tomcat docs, as well as examples
found through internet searches.

I have attempted various configurations using either the
http11.Http11NioProtocol or the org.apache.coyote.http11.Http11AprProtocol
connector.

I have attempted this with OpenSSL and tcnative, using JSSE or OpenSSL.

I get a variety of different error messages.

I think we can be pretty agnostic about the particular approach.

Am happy to provide the configurations I've tried and the resulting error
messages.

I thought it might be better if I first was able to obtain an example.

It seems like it might be better than listing all configurations and errors.
But am happy to do that as well.

Best,

Paul Leo, Software Engineer

paul.leo@stgconsulting.com

RE: Tomcat 9.0.56 Windows - Assistance with using cert and key generated using MS AD Cert Server for internal use

Posted by pa...@stgconsulting.com.
Chris,

Appreciate your guidance. Will post errors, if there are any.

Best,
Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 9.0.56 Windows - Assistance with using cert and key generated using MS AD Cert Server for internal use

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Paul,

On 2/9/22 13:41, paul.leo@stgconsulting.com wrote:
> Could someone point me to a how to SSL configuration using cert and key 
> generated using MS AD Cert server for internal use?

Assuming that "MS AD Cert Server" generates normal X.509 certificates, 
it shouldn't matter that you are using that particular tool.

What format is your certificate in once created? Note that you'll need 
both the private key and the certificate. If MS AD Cert Server doesn't 
trust you with the private keys, then you won't be able to use that tool.

> I have attempted to follow examples in Tomcat docs, as well as examples 
> found through internet searches.
> 
> I have attempted various configurations using either 
> http11.Http11NioProtocol, or org.apache.coyote.http11.Http11AprProtocol 
> connectors.

You shouldn't have to specify any specific connector. The defaults 
should be enough.

> I have attempted this with OpenSSL and tcnative, using JSSE or OpenSSL.
> 
> I get a variety of different error messages.
> 
> I think we can be pretty agnostic for particular approach.
> 
> Am happy to provide the configurations I’ve tried and the resulting 
> error messages.
> 
> I thought it might be better if I first was able to obtain an example.
> 
> It seems like it might be better than listing all configurations and 
> errors. But am happy to do that as well.

These commands should generate a key and certificate you should be able to use:

$ openssl ecparam -name prime256v1 -genkey -out server.key
$ openssl req -new -x509 -nodes -sha512 -key server.key -out server.crt -days 365

This will create an Elliptic-Curve key, unencrypted, and then generate a 
self-signed certificate using that key. Enter whatever you want when 
OpenSSL asks you all those questions, but the "CN" (or "Common Name") 
should be the hostname of the server you are configuring. For a real 
site, you'll want to make sure that the Subject Alternative Name (SAN) 
fields are specified correctly so browsers don't complain (these days, 
CN is essentially ignored and SAN is essentially required).

Anyhow, now you have two files. Configure your <Connector>:

<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateFile="server.crt"
                 certificateKeyFile="server.key" />
  </SSLHostConfig>
</Connector>

This should be enough to get you started.

If the above doesn't work, please post whatever errors you get.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
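Carrying Chris's two commands one step further, as an added example that is not from the thread: it generates the same prime256v1 key and self-signed certificate, but with the SAN he says browsers now require, and checks that the private key really belongs to the certificate (his "you'll need both" point) before printing the <Connector> fragment. The hostname tomcat.example.internal and the output directory are placeholders supplied by the caller; openssl 1.1.1 or later on PATH is assumed for -addext.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes openssl 1.1.1+ on PATH (-addext);
# hostname and output directory are placeholders passed in by the caller.
set -eu

# Generate an unencrypted prime256v1 EC key and a self-signed certificate whose
# CN *and* SAN carry the hostname (browsers check SAN, not CN).
# $1 = hostname Tomcat will serve, $2 = directory for server.key / server.crt
gen_cert() {
  host="$1"; dir="$2"
  # -noout keeps the "EC PARAMETERS" block out of the file: only the key remains
  openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
  openssl req -new -x509 -nodes -sha512 -days 365 \
    -key "$dir/server.key" -out "$dir/server.crt" \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
}

# Succeed only if the public half of the private key equals the certificate's
# public key, i.e. the two files <Certificate> needs really belong together.
# $1 = key file, $2 = cert file
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  c=$(openssl x509 -in "$2" -pubkey -noout \
        | openssl pkey -pubin -pubout -outform DER | openssl dgst -sha256)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeed only if the certificate lists the DNS name as a Subject Alternative Name.
# $1 = cert file, $2 = hostname
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Print the <Connector> from the thread, pointing at the files in directory $1.
connector_xml() {
  cat <<EOF
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateFile="$1/server.crt"
                 certificateKeyFile="$1/server.key" />
  </SSLHostConfig>
</Connector>
EOF
}

# Usage: sh gen-tomcat-cert.sh tomcat.example.internal /path/to/tomcat/conf
if [ "$#" -eq 2 ]; then
  gen_cert "$1" "$2"
  key_matches_cert "$2/server.key" "$2/server.crt" || { echo "key/cert mismatch" >&2; exit 1; }
  cert_has_san "$2/server.crt" "$1" || { echo "no SAN for $1" >&2; exit 1; }
  connector_xml "$2"
fi
```

If MS AD Cert Server only hands back a certificate and no private key, key_matches_cert is the check that fails, which is exactly the case Chris warns makes the tool unusable for this purpose.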