> From: owner-openssl-us...@openssl.org On Behalf Of Kevin Jenkins
> Sent: Wednesday, 27 March, 2013 01:51

(previously: key&certs setup for Tomcat-apparently-with-APR)

> The default server.xml has
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
> I'll leave that in since it seems to be what I need

Looks good to me.

> http://www.digicert.com/ssl-support/pem-ssl-creation.htm talks about
> how to concatenate the different chunks of data into one file, with
> the .pem extension. I take it this is not necessary.

Not for your case as described. That's needed if your cert needs multiple chain certs -- some CAs do; or if you need the server (aka primary) cert in the same file with the chain cert(s) -- some openssl and indeed other apps do, but apparently not Tomcat/APR; or if you want cert and privatekey in the same file -- see below.

> Here is what I have so far:
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>     maxThreads="150" scheme="https" secure="true"
>     clientAuth="false" sslProtocol="SSLv3"
>     SSLCertificateKeyFile="${catalina.base}/conf/privatekey.txt"
>     SSLCertificateFile="${catalina.base}/conf/milestone.lobby3.raknet.com.txt"
>     SSLCertificateChainFile="${catalina.base}/conf/intermediate.txt"
> />
> I notice on this page
> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL%20Support
> it says (NOT RECOMMENDED) in the block for SSLCertificateKeyFile.
> Why would it not be recommended to use SSLCertificateKeyFile ?

What it says is not-recommended is defaulting the privatekey to be in the same file as the cert, i.e. OMITTING SSLCertificateKeyFile. Some people find it convenient to keep cert and key together. Even that is probably overstated. *If* you are copying certs and cert files about a lot, and you use the approach of keeping cert and privatekey in one file, it is easy to make the mistake of copying (a file with) your privatekey when you shouldn't, especially if this is an unencrypted privatekey (which it must be if the party that issued it didn't give you a passphrase).

But if you just install key and cert in your server (along with chain) and do nothing else with them, I wouldn't worry either way.

> Do I need to download files from OpenSSL for this to work, or do
> you know if Tomcat already has built-in what I need? You said Apache
> "native" httpd so perhaps I do not?

"Native" httpd is a completely different implementation, though it's also a webserver and *similar* in many respects to tomcat. httpd (optionally) uses mod_ssl which uses openssl. tomcat can use Java crypto (JSSE, JCE) or it can use APR and openssl. I can't say for sure because I don't use the actual Apache packaging but instead the Jboss repackaging (into jbossweb and jbossweb-native). But looking more carefully at /tomcat-7.0-doc/apr.html I see it says "Most Linux distributions will ship packages for APR and OpenSSL. The JNI wrapper (libtcnative) will then have to be compiled. It depends on APR, OpenSSL, and the Java headers. <instructions>" (I had forgotten that tcnative is actually a separate shim.)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
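A pre-installation check for the three PEM files the connector above points at (key, server cert, chain), added here as an example and not part of the thread; it assumes an unencrypted private key as in the thread, and the file names are whatever you pass in:

```shell
#!/bin/sh
# Sanity-check the PEM files a Tomcat/APR connector references
# (SSLCertificateKeyFile, SSLCertificateFile, SSLCertificateChainFile)
# before pointing server.xml at them. Added example, not from the thread.
# Assumes an unencrypted private key. Returns 0 if consistent, 1 otherwise.
check_tls_material() {
    key="$1"; cert="$2"; chain="$3"
    status=0

    # 1. SSLCertificateFile must hold an X.509 certificate, not a CSR or
    #    a PKCS#7 blob pasted from a CA download page.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "FAIL: $cert is not a PEM X.509 certificate"
        return 1
    fi

    # 2. The private key must belong to the certificate: compare SHA-256
    #    digests of the DER-encoded public key taken from each file.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
               | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
              | openssl dgst -sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: public key in $key does not match $cert"
        status=1
    fi

    # 3. The chain file must actually link to the server cert. -partial_chain
    #    accepts the chain's top cert as the trust anchor, so the check works
    #    for an intermediate-only file like the intermediate.txt above.
    if ! openssl verify -partial_chain -CAfile "$chain" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $chain"
        status=1
    fi

    # 4. Unencrypted keys are the norm here (no passphrase from the CA), so
    #    warn if the key file is readable by anyone other than its owner.
    if ! grep -q ENCRYPTED "$key" && ls -ld "$key" | cut -c5-10 | grep -q '[rwx]'; then
        echo "WARN: $key is unencrypted and group/world readable"
    fi
    return $status
}
```

Run it as `check_tls_material conf/privatekey.txt conf/server.txt conf/intermediate.txt` and only edit server.xml once it prints nothing but, at most, the permission warning.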