Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store
Valentin,

On 7/11/20 17:52, Valentin wrote:
> Hello,
>
> I try to configure my tomcat 9.0.37 installed on a windows server
> 2016 to use a certificate located in *cert:LocalMachine\My*
>
> I mention that I am an administrator of this machine. This
> certificate is also used by IIS.
>
> What I did was to configure my server.xml file like this :
>
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
>            keyAlias="myserver.domain.com" keystoreFile="" keystorePass=""
>            keystoreType="Windows-My" clientAuth="false" sslProtocol="TLS" />
>
> The error I got in tomcat logs was that the keyAlias doesn't exist
> but I used the CN mentioned in the description of my certificate.
>
> Is it possible for tomcat to use the windows certificate store ?
> The only link I found about this was :
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

What user is the Tomcat process running as? Windows-MY is a
user-specific keystore, and LocalAccess or whatever user is being used
probably has a different Windows-MY keystore than the "Valentin" user
(the login you are logged-in as).
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store
On 2020-07-11 at 23:52, Valentin wrote:
> Hello,
>
> I try to configure my tomcat 9.0.37 installed on a windows server 2016
> to use a certificate located in *cert:LocalMachine\My*
>
> I mention that I am an administrator of this machine. This certificate
> is also used by IIS.
>
> What I did was to configure my server.xml file like this :
>
> The error I got in tomcat logs was that the keyAlias doesn't exist but
> I used the CN mentioned in the description of my certificate.
>
> Is it possible for tomcat to use the windows certificate store ?
> The only link I found about this was :
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

I have used Windows-MY several times now with HttpClient, curl and
OpenSSL. The native Crypto API of the Windows Cert Store provides
several name formats for the key alias.

First of all, set the CAPI_TRACE env var to see more output.

Native does this:
https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/master/jdk/src/windows/native/sun/security/mscapi/security.cpp#L561-L563

CERT_NAME_FRIENDLY_DISPLAY_TYPE (fallback CERT_NAME_SIMPLE_DISPLAY_TYPE)
from
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetnamestringa

My recommendation is to write the simplest code: open Windows-MY,
iterate over all keys, print the keys, and then you will know what these
display names are. The DNS name you use is obviously not the right one,
since it would have to be CERT_NAME_DNS_TYPE.

Good luck,

Michael
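The diagnostic Michael recommends, and the account check Chris raises, as an added example that is not code from either reply: a small Java program (assumed to run with a Windows JDK that ships the SunMSCAPI provider) that opens the Windows-MY store of the account it runs under, prints which account that is, and lists every alias exactly as the JDK exposes it, with the subject DN and DNS SANs of each certificate so the alias can be compared with the keyAlias in server.xml.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

public class ListWindowsMy {

    /**
     * One line per alias: the alias string the JDK derived from the
     * certificate's display name, whether a private key is attached
     * (only those can serve TLS), the subject DN and any DNS SANs.
     */
    public static List<String> describeAliases(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            StringBuilder sb = new StringBuilder(alias);
            sb.append(ks.isKeyEntry(alias) ? " [private key]" : " [cert only]");
            if (ks.getCertificate(alias) instanceof X509Certificate) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                sb.append(" subject=").append(cert.getSubjectX500Principal().getName());
                Collection<List<?>> sans = cert.getSubjectAlternativeNames();
                if (sans != null) {
                    for (List<?> san : sans) {
                        // GeneralName type 2 is dNSName
                        if (Integer.valueOf(2).equals(san.get(0))) {
                            sb.append(" dns=").append(san.get(1));
                        }
                    }
                }
            }
            lines.add(sb.toString());
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        // Windows-MY is per user: run this under the account the Tomcat
        // service uses, otherwise a different store is being inspected.
        System.out.println("Running as: " + System.getProperty("user.name"));
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null); // MSCAPI stores take no file and no password
        for (String line : describeAliases(ks)) {
            System.out.println(line);
        }
    }
}
```

Compile and run it under the Tomcat service account (for example from a scheduled task or a service wrapper configured with that account); the alias printed for the entry marked [private key] is the value keyAlias must carry.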
Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store
On Sat, 11 Jul 2020 at 17:52, Valentin wrote:
> Hello,
>
> I try to configure my tomcat 9.0.37 installed on a windows server 2016 to
> use a certificate located in *cert:LocalMachine\My*
>
> I mention that I am an administrator of this machine.
> This certificate is also used by IIS.
>
> What I did was to configure my server.xml file like this :
>
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            keyAlias="myserver.domain.com"
>            keystoreFile=""
>            keystorePass=""
>            keystoreType="Windows-My"
>            clientAuth="false" sslProtocol="TLS" />
>
> The error I got in tomcat logs was that the keyAlias doesn't exist but I
> used the CN mentioned in the description of my certificate.
>
> Is it possible for tomcat to use the windows certificate store ?
> The only link I found about this was :
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021
>
> Thanks for your help
>
> Valentin.M

In the documentation:
http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

"Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores."

Windows local certificates are stored in the Windows registry.
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores

Since IIS is a Windows-only product, this is the simple thing for them to
do. Tomcat runs on various platforms and should support open and neutral
keystore formats instead.

-
Daniel Savard