Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2020/05/27 14:28:12 UTC

Re: [OT] HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS


All,

On 5/27/20 08:18, Ian Brown wrote:
> I would suggest adding type="RSA" to your certificate elements.
> (As shown in Christopher's example & matching your set up). It
> defaults to UNDEFINED. Further, the Tomcat documentation talks
> about one certificate working, and two not working if TYPE is not
> defined.
Hmm, now this has me thinking. If you have a single keystore and want
to advertise both RSA and ECDSA-based server certificates, you'd have
to do:

<SSLHostConfig>
  <Certificate type="RSA" certificateKeystoreFile="keystore.jks"
               certificateKeyAlias="www.example.com.RSA" />
  <Certificate type="EC" certificateKeystoreFile="keystore.jks"
               certificateKeyAlias="www.example.com.ECDSA" />
</SSLHostConfig>

If you had more config items like passwords, providers, etc. it would
become even more verbose.

If I were configuring something like this myself, I might like to say
(in English) "this keystore contains everything I need for
www.example.com; load everything and do the right thing". Something
like this:

<SSLHostConfig hostName="example.com">
  <Certificates keystore="keystore.jks" />
</SSLHostConfig>

This can work for PEM files, too, and it's how httpd does things: you
just point SSLCertificateFile at a PEM file and it loads everything.
The only (practical) difference between a keystore and a
multi-certificate/key PEM file is that there are no "aliases" in a PEM
file.

Each key knows its own type; there is no need to require the user to
declare the encryption type. We could even use the "hostName" from the
<SSLHostConfig> element to ignore any certificates whose CN/SANs
doesn't/don't match the hostName so we don't get confused if there are
unrelated certificates in the keystore.

I think there is scope to improve things, here.

-chris
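As an added illustration of the "load everything and do the right thing" idea above (not code from the post or from Tomcat itself): a small stand-alone Java tool that opens a keystore, derives the type="RSA"/"EC" value from each key entry's public key, and keeps only the entries whose CN or dNSName SANs match the hostName. The class name, the command-line arguments and the single-label wildcard rule are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.security.interfaces.*;
import java.util.*;
import javax.naming.ldap.*;
import javax.security.auth.x500.X500Principal;

public class KeystoreCertTypes {  // hypothetical helper, not part of Tomcat
    // Derive the value Tomcat expects in type="..." from the entry's public key.
    static String tomcatType(X509Certificate cert) {
        return cert.getPublicKey() instanceof RSAKey ? "RSA"
             : cert.getPublicKey() instanceof ECKey ? "EC" : "UNDEFINED";
    }
    // Names the certificate claims: the subject CN plus every dNSName SAN (GeneralName tag 2).
    static List<String> hostNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
        for (Rdn rdn : new LdapName(dn).getRdns())
            if (rdn.getType().equalsIgnoreCase("CN")) names.add(rdn.getValue().toString());
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null)
            for (List<?> san : sans)
                if (((Integer) san.get(0)) == 2) names.add((String) san.get(1));
        return names;
    }
    // Case-insensitive exact match, or a wildcard such as *.example.com covering one leading label.
    static boolean matches(String pattern, String host) {
        pattern = pattern.toLowerCase(); host = host.toLowerCase();
        if (pattern.equals(host)) return true;
        int dot = host.indexOf('.');
        return pattern.startsWith("*.") && dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
    }
    // args: keystore path, keystore password, hostName from <SSLHostConfig>
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // reads .jks and .p12 on current JDKs
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue; // trusted-cert entries carry no private key
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            List<String> names = hostNames(cert);
            boolean use = names.stream().anyMatch(n -> matches(n, args[2]));
            System.out.printf("%s alias=%s type=%s names=%s%n", use ? "USE " : "SKIP", alias, tomcatType(cert), names);
        }
    }
}
```

Each "USE" line maps directly onto one <Certificate> element (type and certificateKeyAlias) for that hostName; "SKIP" lines are the unrelated entries the post suggests ignoring.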
