Posted to users@tomcat.apache.org by Vadim Letitchevski <vl...@teledyne.com> on 2009/12/05 00:26:00 UTC

JSSE question

I am confused. Can Tomcat use only a JKS keystore, or can it also use PEM or some other certificate storage?


Thanks
Vadim.
(310)765-3812



RE: JSSE question

Posted by Vadim Letitchevski <vl...@teledyne.com>.
Thank you Bill. 

Vadim. 

-----Original Message-----
From: news [mailto:news@ger.gmane.org] On Behalf Of Bill Barker
Sent: Friday, December 04, 2009 7:25 PM
To: users@tomcat.apache.org
Subject: Re: JSSE question


"Vadim Letitchevski" <vl...@teledyne.com> wrote in message news:E17DA276F9A0C84FAD22739DE29C389005DAFC3613@ENTMAIL01.tad.teledyne.com...
>I am confused. Can Tomcat use only a JKS keystore, or can it also use PEM
>or some other certificate storage?
>

In the Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html),
it shows how to use a PKCS12 keystore.  At some point that should be updated to include an example for using a PKCS11 keystore.

The actual answer is that the JSSE Connector can use any keystore format that is supported by your Java vendor.  In particular, with the Sun JVM, you can't use PEM (however the APR Connector does use PEM).  However, it is usually pretty easy to convert PEM to PKCS12 (see the link above for an example).

>
> Thanks
> Vadim.
> (310)765-3812
>
>
> 




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




RE: JSSE question

Posted by Vadim Letitchevski <vl...@teledyne.com>.
Thanks. I will try it.
Vadim. 

-----Original Message-----
From: Christopher Schultz [mailto:chris@christopherschultz.net] 
Sent: Tuesday, December 08, 2009 1:57 PM
To: Tomcat Users List
Cc: Vadim Letitchevski
Subject: Re: JSSE question


Vadim,

On 12/7/2009 1:25 PM, Vadim Letitchevski wrote:
> openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey 
> /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat 
> -CAfile /etc/pki/tls/cacert.pem -caname root -chain
> 
> I have used the password changeit.

Note that you have created a certificate in PKCS12 format, not a keystore.
You now need to take the next step in the SSL HOWTO which is to use the Java 'keytool' utility to create a keystore.

> Next I have edited server.xml to have these strings:
> 
>     <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
>     <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"

If you are going to use the PKCS12 (.p12) format, you will probably have to set keystoreType="PKCS12". Check the documentation for the SSL-specific <Connector> attributes again.

>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
> 
>     <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
>     <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>                truststoreFile="conf/mycert.p12" truststorePass="changeit"

Although I don't think it will hurt to have both, your keystore and truststore aren't the same thing. Check the documentation for these two attributes. Again, you may need to use truststoreType="PKCS12" if you want to use your .p12 file.

Hope that helps,
- -chris

Re: JSSE question

Posted by Bill Barker <bi...@verizon.net>.
"Christopher Schultz" <ch...@christopherschultz.net> wrote in message 
news:4B1ECBA6.1030509@christopherschultz.net...
>
> Vadim,
>
> On 12/7/2009 1:25 PM, Vadim Letitchevski wrote:
>> openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey 
>> /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat -CAfile 
>> /etc/pki/tls/cacert.pem -caname root -chain
>>
>> I have used the password changeit.
>
> Note that you have created a certificate in PKCS12 format, not a keystore.
> You now need to take the next step in the SSL HOWTO which is to use the
> Java 'keytool' utility to create a keystore.
>

Yes, the documentation in the SSL HOWTO is somewhat confusing :(.  There are 
actually two separate examples there (one for PKCS12 and one for JKS), but 
it isn't very clear from reading the doc where one ends and the other 
begins.  For PKCS12 you are done after creating the .p12 file (except for 
the undocumented part about adding the keystoreType to the <Connector />).

If anybody wants to take a crack at cleaning this up (with bonus points for 
adding a PKCS11 example), patches are always welcome.

>> Next I have edited server.xml to have these strings:
>>
>>     <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
>>     <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
>>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>
> If you are going to use the PKCS12 (.p12) format, you will probably have
> to set keystoreType="PKCS12". Check the documentation for the
> SSL-specific <Connector> attributes again.
>
>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>                enableLookups="false" disableUploadTimeout="true"
>>                scheme="https" secure="true"
>>                clientAuth="false" sslProtocol="TLS" />
>>
>>     <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
>>     <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
>>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>>                truststoreFile="conf/mycert.p12" truststorePass="changeit"
>
> Although I don't think it will hurt to have both, your keystore and
> truststore aren't the same thing. Check the documentation for these two
> attributes. Again, you may need to use truststoreType="PKCS12" if you
> want to use your .p12 file.
>
> Hope that helps,
> - -chris






Re: JSSE question

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Vadim,

On 12/7/2009 1:25 PM, Vadim Letitchevski wrote:
> openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat -CAfile /etc/pki/tls/cacert.pem -caname root -chain
> 
> I have used the password changeit.

Note that you have created a certificate in PKCS12 format, not a keystore.
You now need to take the next step in the SSL HOWTO which is to use the
Java 'keytool' utility to create a keystore.

> Next I have edited server.xml to have these strings:
> 
>     <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
>     <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"

If you are going to use the PKCS12 (.p12) format, you will probably have
to set keystoreType="PKCS12". Check the documentation for the
SSL-specific <Connector> attributes again.

>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
> 
>     <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
>     <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>                truststoreFile="conf/mycert.p12" truststorePass="changeit"

Although I don't think it will hurt to have both, your keystore and
truststore aren't the same thing. Check the documentation for these two
attributes. Again, you may need to use truststoreType="PKCS12" if you
want to use your .p12 file.

Hope that helps,
- -chris



RE: JSSE question

Posted by Felix Schumacher <fe...@internetallee.de>.
On Monday, 07.12.2009, 10:25 -0800, Vadim Letitchevski wrote:
> Bill.
> 
> I have followed the recommendations in that document but did not succeed.
> So I have a set of self-generated (using OpenSSL) credentials. OpenSSL server and client work fine (connect) using these credentials with authentication both ways.
> Following the instructions in (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) I have done:
> 
> openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat -CAfile /etc/pki/tls/cacert.pem -caname root -chain
> 
> I have used the password changeit.
> 
> Next I have edited server.xml to have these strings:
> 
>     <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
>     <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
Try adding
 keystoreType="pkcs12" truststoreType="pkcs12"
The default value for both of these is JKS. Look at
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html in the section "SSL
Support".

> 
>     <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
>     <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
>                keystoreFile="conf/mycert.p12" keystorePass="changeit"
>                truststoreFile="conf/mycert.p12" truststorePass="changeit"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                scheme="https" secure="true"
>                clientAuth="true" sslProtocol="TLS" />
Same here.

bye
 Felix
> 
> Then I started the server and used Firefox trying to open https://localhost:8442 or https://localhost:8443 with no success (failed to connect page).
> Catalina log file shows "java.io.exception: Invalid keystore format."
> What have I done wrong?
> 
> Thanks 
> Vadim. 
> 
> -----Original Message-----
> From: news [mailto:news@ger.gmane.org] On Behalf Of Bill Barker
> Sent: Friday, December 04, 2009 7:25 PM
> To: users@tomcat.apache.org
> Subject: Re: JSSE question
> 
> 
> "Vadim Letitchevski" <vl...@teledyne.com> wrote in message news:E17DA276F9A0C84FAD22739DE29C389005DAFC3613@ENTMAIL01.tad.teledyne.com...
> >I am confused. Can Tomcat use only a JKS keystore, or can it also use PEM
> >or some other certificate storage?
> >
> 
> In the Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html),
> it shows how to use a PKCS12 keystore.  At some point that should be updated to include an example for using a PKCS11 keystore.
> 
> The actual answer is that the JSSE Connector can use any keystore format that is supported by your Java vendor.  In particular, with the Sun JVM, you can't use PEM (however the APR Connector does use PEM).  However, it is usually pretty easy to convert PEM to PKCS12 (see the link above for an example).
> 
> >
> > Thanks
> > Vadim.
> > (310)765-3812
> >
> >
> > 
> 
> 
> 
> 




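As an added diagnostic (not code from this thread or from Tomcat), the small Java program below does what the JSSE connector does at startup: it opens the .p12 from Vadim's openssl command first with the connector's default store type, JKS, and then with PKCS12, and then lists what the store holds, which is the check behind both Felix's keystoreType advice and Chris's remark that a keystore and a truststore are not the same thing. The path conf/mycert.p12, the password changeit and the alias tomcat are the values from the thread; the class and method names are mine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class KeystoreCheck {

    /** Open the file as the given KeyStore type. Returns the store, or null after
     *  printing the error, which is what Tomcat logs when the type is wrong. */
    static KeyStore tryLoad(String path, String type, char[] password) {
        try (InputStream in = new FileInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            System.out.println("loaded " + path + " as " + type + " (" + ks.size() + " entries)");
            return ks;
        } catch (java.io.IOException | GeneralSecurityException e) {
            System.out.println("failed to load " + path + " as " + type + ": " + e);
            return null;
        }
    }

    /** Report what each entry is: a key entry is what keystoreFile needs (server key
     *  plus chain); trusted-certificate entries are what truststoreFile is meant to hold. */
    static void describe(KeyStore ks, char[] password) throws GeneralSecurityException {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                // openssl pkcs12 -export protects the key with the same password as the store
                Certificate[] chain = ks.getCertificateChain(alias);
                System.out.println("key entry '" + alias + "': "
                        + ks.getKey(alias, password).getAlgorithm()
                        + " private key, chain length " + chain.length);
                for (Certificate c : chain) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("    " + x.getSubjectX500Principal() + " issued by "
                            + x.getIssuerX500Principal() + ", expires " + x.getNotAfter());
                }
            } else if (ks.isCertificateEntry(alias)) {
                X509Certificate x = (X509Certificate) ks.getCertificate(alias);
                System.out.println("trusted cert entry '" + alias + "': " + x.getSubjectX500Principal());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "conf/mycert.p12";   // file from the thread
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // Step 1: what the connector does when keystoreType is left at its JKS default.
        // On the Java 6 JVM in the thread this fails with "Invalid keystore format";
        // newer JDKs may accept it silently because the JKS loader has a PKCS12
        // compatibility mode, so do not rely on that when writing server.xml.
        tryLoad(path, "JKS", password);

        // Step 2: what keystoreType="PKCS12" makes the connector do.
        KeyStore ks = tryLoad(path, "PKCS12", password);
        if (ks == null) {
            System.out.println("not a PKCS12 store either; redo the openssl pkcs12 -export step");
            return;
        }
        describe(ks, password);
        if (!ks.containsAlias("tomcat")) {
            System.out.println("note: no entry named 'tomcat' (the -name given to openssl); "
                    + "the connector's keyAlias attribute must match an alias listed above");
        }
    }
}
```

Run it from the Tomcat base directory so the relative path resolves the same way the connector resolves keystoreFile.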

RE: JSSE question

Posted by Vadim Letitchevski <vl...@teledyne.com>.
Thanks again Chuck. Unfortunately Bill's suggestion did not work or I did something wrong.


Thanks 
Vadim. 
(310)765-3812 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Monday, December 07, 2009 11:23 AM
To: Tomcat Users List
Subject: RE: JSSE question

> From: Vadim Letitchevski [mailto:vletitchevski@teledyne.com]
> Subject: RE: JSSE question
> 
> I checked the log file and it states that APR library was not found.

O.k., good to know that.  Ignore the pointer to the APR configuration that I gave you and go back to the original one Bill B pointed you to.

 - Chuck






RE: JSSE question

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Vadim Letitchevski [mailto:vletitchevski@teledyne.com]
> Subject: RE: JSSE question
> 
> I checked the log file and it states that APR library was not found.

O.k., good to know that.  Ignore the pointer to the APR configuration that I gave you and go back to the original one Bill B pointed you to.

 - Chuck






RE: JSSE question

Posted by Vadim Letitchevski <vl...@teledyne.com>.
Hi Chuck.

Thank you for your quick response. It makes it really interactive. I checked the log file and it states that APR library was not found.
I am using the binary distribution 6.0.20 from the Tomcat website on CentOS 5.

Thanks 
Vadim. 
(310)765-3812 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Monday, December 07, 2009 11:12 AM
To: Tomcat Users List
Subject: RE: JSSE question

> From: Vadim Letitchevski [mailto:vletitchevski@teledyne.com]
> Subject: RE: JSSE question
> 
> I have noticed the strings
>   <!--APR library loader. Documentation at /docs/apr.html -->
>   <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
> In my server.xml.

The presence of the listener does not necessarily mean you're using APR.  If you have a libtcnative .dll or .so file in your bin directory, you should be using APR; you can verify this in the Tomcat logs, which will record that APR is being used, but does *not* display any particular message if APR is not being used.

Only set your <Connector> for APR if you really are using APR.

 - Chuck






RE: JSSE question

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Vadim Letitchevski [mailto:vletitchevski@teledyne.com]
> Subject: RE: JSSE question
> 
> I have noticed the strings
>   <!--APR library loader. Documentation at /docs/apr.html -->
>   <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
> In my server.xml.

The presence of the listener does not necessarily mean you're using APR.  If you have a libtcnative .dll or .so file in your bin directory, you should be using APR; you can verify this in the Tomcat logs, which will record that APR is being used, but does *not* display any particular message if APR is not being used.

Only set your <Connector> for APR if you really are using APR.

 - Chuck






RE: JSSE question

Posted by Vadim Letitchevski <vl...@teledyne.com>.
Hi Chuck

It does not help either. You are probably right about APR, I have noticed the strings
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
In my server.xml. 

So following the document you suggested I have changed my server.xml (see attached) and copied PEM format files localhost.crt and localhost.key from their default locations to the conf folder.
So now Tomcat does not recognize the keystore format. If I had to use the pkcs12 certificate which I have exported before, then what key file should I use? Should I also export it into pkcs12? How?

Thanks 
Vadim. 
(310)765-3812 

-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: Monday, December 07, 2009 10:30 AM
To: Tomcat Users List
Subject: RE: JSSE question

> From: Vadim Letitchevski [mailto:vletitchevski@teledyne.com]
> Subject: RE: JSSE question
> 
> I have followed the recommendations in that document but did not 
> succeed.

Are you using APR with Tomcat?  If so, the proper doc is here:
http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS

 - Chuck







RE: JSSE question

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Vadim Letitchevski [mailto:vletitchevski@teledyne.com]
> Subject: RE: JSSE question
> 
> I have followed the recommendations in that document but did not
> succeed.

Are you using APR with Tomcat?  If so, the proper doc is here:
http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS

 - Chuck







RE: JSSE question

Posted by Vadim Letitchevski <vl...@teledyne.com>.
Bill.

I have followed the recommendations in that document but did not succeed.
So I have a set of self-generated (using OpenSSL) credentials. OpenSSL server and client work fine (connect) using these credentials with authentication both ways.
Following the instructions in (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) I have done:

openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key -out mycert.p12 -name tomcat -CAfile /etc/pki/tls/cacert.pem -caname root -chain

I have used the password changeit.

Next I have edited server.xml to have these strings:

    <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
    <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
               keystoreFile="conf/mycert.p12" keystorePass="changeit"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

    <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
               keystoreFile="conf/mycert.p12" keystorePass="changeit"
               truststoreFile="conf/mycert.p12" truststorePass="changeit"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS" />

Then I started the server and used Firefox trying to open https://localhost:8442 or https://localhost:8443 with no success (failed to connect page).
Catalina log file shows "java.io.exception: Invalid keystore format."
What have I done wrong?

Thanks 
Vadim. 

-----Original Message-----
From: news [mailto:news@ger.gmane.org] On Behalf Of Bill Barker
Sent: Friday, December 04, 2009 7:25 PM
To: users@tomcat.apache.org
Subject: Re: JSSE question


"Vadim Letitchevski" <vl...@teledyne.com> wrote in message news:E17DA276F9A0C84FAD22739DE29C389005DAFC3613@ENTMAIL01.tad.teledyne.com...
>I am confused. Can Tomcat use only a JKS keystore, or can it also use PEM
>or some other certificate storage?
>

In the Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html),
it shows how to use a PKCS12 keystore.  At some point that should be updated to include an example for using a PKCS11 keystore.

The actual answer is that the JSSE Connector can use any keystore format that is supported by your Java vendor.  In particular, with the Sun JVM, you can't use PEM (however the APR Connector does use PEM).  However, it is usually pretty easy to convert PEM to PKCS12 (see the link above for an example).

>
> Thanks
> Vadim.
> (310)765-3812
>
>
> 






Re: JSSE question

Posted by Bill Barker <bi...@verizon.net>.
"Vadim Letitchevski" <vl...@teledyne.com> wrote in message 
news:E17DA276F9A0C84FAD22739DE29C389005DAFC3613@ENTMAIL01.tad.teledyne.com...
>I am confused. Can Tomcat use only a JKS keystore, or can it also use PEM or
>some other certificate storage?
>

In the Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html), 
it shows how to use a PKCS12 keystore.  At some point that should be updated 
to include an example for using a PKCS11 keystore.

The actual answer is that the JSSE Connector can use any keystore format 
that is supported by your Java vendor.  In particular, with the Sun JVM, you 
can't use PEM (however the APR Connector does use PEM).  However, it is 
usually pretty easy to convert PEM to PKCS12 (see the link above for an 
example).

>
> Thanks
> Vadim.
> (310)765-3812
>
>
> 



