On 6 April 2017 at 00:42, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Lyallex,
>
> On 4/4/17 3:11 PM, Lyallex wrote:
>> After some sterling support from this list a while ago which
>> included a code change I have been successfully running Apache
>> Tomcat 7.0.70 stand alone (no httpd front end) with SSL/TLS for a
>> year now without problems, it just works, it never falls over and
>> it has withstood some concerted attacks by all sorts of scallywags.
>> Impressive.
>
> Great! Time to upgrade to Tomcat 8! It's really not bad at all. If you
> have a testing environment, I think you'll be able to do it in about
> 30 minutes. After you do it once, it'll take you more like 5 minutes.

Already running on my dev and stage boxes

<snip>

> It should be that simple every time. Again, always keep a backup...

All I do is create a brand new keystore in a new location and do
everything from there. When I'm happy I simply change the location of the
keystore in the relevant connector in conf/server.xml and restart
tomcat. If it all goes belly up I simply change the config to point to
the old keystore. Of course this only works if you don't leave
everything to the last minute and the old cert times out :-)

<snip>

> When you are using PEM files, it's very clear what everything is, and,
> if you have a one-PEM-file-to-rule-them-all, then you can at least see
> everything labelled appropriately with a simple text editor. You can
> also get your private key out of the bundle without resorting to
> chicanery.

I get a zipped archive from Comodo containing individual files but
I'll look into pem files

> Come to this year's ApacheCon NA in Miami. There will be a few talks
> about TLS, including one on the basics and another one on using Let's
> Encrypt to get free automated certs so you never have to manually do
> this process ever again -- unless you want an EV cert ;)

Love to, but I'm in the UK.

I delegate payment to a service provider, the only external resource I
use, so I don't store users' financial data, just makes life simpler
and means I don't really need an EV cert.

Despite their vehement denial, https is a ranking signal to Google,
maybe it would be nice if they offered a free basic ssl cert so small
businesses like mine don't have to pay over GBP 100 inc VAT every year.
I won't hold my breath.

Thanks for taking the time to reply

Lyallex