Chris

I'll be happy to accept your challenge to try to write some documentation
for the site from a newbie's point of view.  It will be on the slow side as
my 'day job' will interfere somewhat.  It also will require some correction
of errors.

Don

On Wed, Nov 29, 2017 at 9:37 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Don,
>
> On 11/28/17 4:55 PM, Don Flinn wrote:
> >>> In fact, I think you are using PEM-encoded DER files and not a
> >>> packaged keystore, even though your SSLHostConfig's
> >>> keystoreType is set to "PKCS12".
> >
> > Yes, I am using PEM files.  Got to read more on DER files.
>
> PEM is an encoding, while DER is really the file format. It's like
> saying "is this file text/plain or UTF-8?"
>
> This is a great read for almost anyone who cares about x509 certificates:
>
> https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them
>
> > So do I just drop the keystoreType="PKCS12" from the connector?
>
> Theoretically, yes. The keystoreType is only used when there is a
> keystore and not "certificate files", etc.
>
> >> If there's anything inaccurate on the Tomcat site
> >
> > No, I was talking about other sites, not the Tomcat site.  I've
> > been reading all over the internet for that which seems related.
> > My statement was a caution to not believe everything you read.
> > 'Trust but verify'
>
> Mark has given a number of presentations on TLS and they are very
> accessible. Have a look at the slides (and some audio/video) on the
> "presentations" page on the Tomcat site. Each of them has a varying
> level of "introductoryness", but I think the more recent ones like
> "Introduction to Tomcat and TLS" from TomcatCon in Miami are probably
> the best ones to see for beginners.
>
> > Your e-mail has been very helpful, not only to me, but I believe
> > to others.  With respect to the Tomcat site, I think a lot of what
> > you wrote would be very helpful there.  For example, the Tomcat
> > write up on SSL describes how to do self signed certificates and
> > fleetingly mentions that if you have a certificate from a CA that
> > you could use e.g. openssl and then refers the reader to their java
> > documentation and openssl documentation.  Not too helpful to the
> > security/Tomcat novice.
>
> Agreed. Would you care to write some new documentation and/or prepare
> a patch for the site? It's usually best when beginners write for their
> own audience. I, for example, understand it backwards and forwards so
> when I write I have a skewed perspective. Writing as a beginner can
> re-focus the narrative for a different audience.
>
> If you need any help grabbing the site from svn, etc. please just ask.
>
> > Thanks for your patience and help.
>
> You are more important than the software. No, really:
> https://blogs.apache.org/foundation/entry/asf_15_community_over_code
>
> -chris
>
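
Added example (not part of the original messages and not Tomcat code): a Python illustration of the PEM/DER relationship discussed in the quoted reply, showing that a PEM file is base64 armor around DER bytes and that neither is a PKCS12 keystore. The function names and the toy byte strings are constructed for illustration, and the PKCS12 check is a heuristic that assumes a PFX structure begins with an INTEGER version of 3.

```python
import base64
import re

# One PEM block: BEGIN/END armor lines around base64 text.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed toy inputs, not real key material:
# SEQUENCE { SEQUENCE { INTEGER 0x1234 } }, shaped like the start of a certificate
TOY_DER = bytes.fromhex("3006300402021234")
# SEQUENCE { INTEGER 3 }, shaped like the start of a PKCS12 (PFX) file
TOY_PFX = bytes.fromhex("3003020103")


def pem_to_der(text):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]


def der_to_pem(label, der):
    """Wrap DER bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN {0}-----\n{1}\n-----END {0}-----\n".format(
        label, "\n".join(lines))


def sniff(data):
    """Classify file bytes as 'pem', 'pkcs12', 'der' or 'unknown'."""
    if b"-----BEGIN " in data:
        return "pem"
    if len(data) < 2 or data[0] != 0x30:   # DER objects here start with SEQUENCE
        return "unknown"
    # Skip the SEQUENCE header: short-form length is 1 byte, long-form adds more.
    off = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)
    # Heuristic: a PFX begins with INTEGER version 3; a certificate does not.
    return "pkcs12" if data[off:off + 3] == b"\x02\x01\x03" else "der"


if __name__ == "__main__":
    pem = der_to_pem("CERTIFICATE", TOY_DER)
    print(pem, end="")
    print(pem_to_der(pem) == [("CERTIFICATE", TOY_DER)])  # same bytes back
    for name, blob in [("pem", pem.encode()), ("der", TOY_DER), ("pfx", TOY_PFX)]:
        print(name, "->", sniff(blob))
```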
