Referring to the documentation on Apache Tomcat 9 Configuration Reference (9.0.87) - The HTTP Connector <https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Key_store_types>, section "Key store types", I wanted to get it mentioned that a new set of possibilities is available with newer Java builds when using Tomcat in a Windows environment.

As mentioned on the OpenJDK bug tracker (https://bugs.openjdk.org/browse/JDK-8286790):

    The Windows KeyStore support in the SunMSCAPI provider has been expanded to include access to the local machine location. The new keystore types are:

        Windows-MY-LOCALMACHINE
        Windows-ROOT-LOCALMACHINE

    The following keystore types were also added, allowing developers to make it clear they map to the current user:

        Windows-MY-CURRENTUSER (same as "Windows-MY")
        Windows-ROOT-CURRENTUSER (same as "Windows-ROOT")

Alongside other configurations possible on the server side, web certificates can be automatically published, renewed and managed with a company's internal Active Directory CA. The account running the Tomcat Windows Service needs local Administrator rights to be able to reference these certificate stores.

With this enabled, setting the server.xml Connector like shown below can make certificate management a lot easier:

    <Connector name="whatever_name"
               port="443"
               protocol="HTTP/1.1"
               connectionTimeout="20000"
               URIEncoding="UTF-8"
               SSLEnabled="true"
               maxThreads="1500"
               scheme="https"
               secure="true"
               clientAuth="false"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2+TLSv1.3"
               ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
               keyAlias="${COMPUTERNAME}.my.domain.org"
               keystoreFile=""
               keystoreType="Windows-MY-LOCALMACHINE"
               keystorePass=""
               truststoreFile=""
               truststoreType="Windows-ROOT-LOCALMACHINE"
               truststorePass=""
               enableLookups="true" />

The use of a predefined environment variable for the system name, possible when also using this setting in catalina.properties:

    #GPO Managed restricted file: TESTING
    #allow_System ENVVar Usage
    org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource

makes it easier to maintain a common server.xml file through tools like GPO.

Could it be useful to somehow document this, as it does make our Windows admin life easier!!
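Added here as an illustration, not code from the mail or from Tomcat: a small Java pre-flight check that does what the Connector above leaves to the JDK, namely expand ${COMPUTERNAME} the way the EnvironmentPropertySource does, open the Windows-MY-LOCALMACHINE store through SunMSCAPI, and confirm the resulting keyAlias names an entry with a usable private key and a currently valid certificate. The class name is hypothetical, "my.domain.org" is the placeholder from the mail, and it assumes Windows, a JDK that contains the JDK-8286790 change, and an account permitted to read the LocalMachine store.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical pre-flight check for a Connector backed by the SunMSCAPI LocalMachine store. */
public class MscapiKeyAliasCheck {

    /** Mirrors what Digester$EnvironmentPropertySource does to server.xml: ${NAME} -> env var NAME. */
    static String expandEnv(String value, Map<String, String> env) {
        Matcher m = Pattern.compile("\\$\\{([^}]+)\\}").matcher(value);
        StringBuilder sb = new StringBuilder();
        while (m.find()) {
            m.appendReplacement(sb, Matcher.quoteReplacement(env.getOrDefault(m.group(1), "")));
        }
        return m.appendTail(sb).toString();
    }

    public static void main(String[] args) throws Exception {
        // Values from the Connector in the mail; "my.domain.org" is a placeholder domain suffix.
        String keystoreType = "Windows-MY-LOCALMACHINE";
        String keyAlias = expandEnv("${COMPUTERNAME}.my.domain.org", System.getenv());

        KeyStore ks;
        try {
            ks = KeyStore.getInstance(keystoreType);   // fails on a JDK without the JDK-8286790 change
        } catch (KeyStoreException e) {
            System.err.println(keystoreType + " is not supported by Java " + System.getProperty("java.version"));
            return;
        }
        ks.load(null, null);   // MSCAPI stores take no file and no password (keystoreFile="" keystorePass="")

        // SunMSCAPI names entries by the certificate's Windows friendly name, or usually its subject CN when unset.
        if (!ks.isKeyEntry(keyAlias)) {
            System.err.println("keyAlias '" + keyAlias + "' has no private key in " + keystoreType + "; present:");
            for (String a : Collections.list(ks.aliases())) System.err.println("  " + a);
            return;
        }
        PrivateKey key = (PrivateKey) ks.getKey(keyAlias, null);   // access is governed by the store ACL, not a password
        X509Certificate leaf = (X509Certificate) ks.getCertificateChain(keyAlias)[0];
        leaf.checkValidity();   // throws CertificateExpiredException / CertificateNotYetValidException
        System.out.println("OK: " + keyAlias + " -> " + leaf.getSubjectX500Principal()
                + " (" + key.getAlgorithm() + "), expires " + leaf.getNotAfter());
    }
}
```

Running it under the same account as the Tomcat Windows Service tells you, before the Connector starts, whether the alias will resolve and whether that account can actually use the machine certificate's private key.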