Excellent. I’ll look at it when I get home. I don’t do this for a living anymore and I’m a bit rusty.
--
This space intentionally left blank.

> On Jan 3, 2018, at 11:33 AM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>
> Paul,
>
>> On 12/30/17 8:35 PM, Paul Beard wrote:
>> I have a freshly installed and running tomcat7 instance with nginx
>> but I would like to use the signed cert that I use with nginx for
>> tomcat as well. I can’t make out how that works. Lots of HOWTOs on
>> getting a LetsEncrypt cert but not about using an existing one. It
>> looks like something to do with keytool importing a cert to its
>> keystore but I can’t figure out what wants/where it is.
>
> Have a look at my presentation from ApacheCon:
>
> http://people.apache.org/~schultz/ApacheCon%20NA%202017/Let%27s%20Encrypt%20Apache%20Tomcat.pdf
>
> In there, I detail how to put everything together. There is a script
> that builds a Java keystore that Tomcat can use. That script
> demonstrates how to take an existing key+certificate+chain, convert it
> into a Java keystore and then make it active. The script actually
> requests a renewal of the certificate from Let's Encrypt (which may
> say "no renewal required") and then only re-builds the keystore if the
> key/cert have actually changed.
>
> I think that should be all you need.
>
> Some of the information is out-of-date and doesn't mention Tomcat 8.5+
> which can (a) use PEM-encoded DER files (instead of Java keystores...
> the same kind of files that e.g. certbot produces) and (b) can re-load
> TLS configuration if it changes.
>
> Hope that helps,
> -chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
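
The conversion described in the quoted reply (an existing key + certificate + chain turned into a keystore, rebuilt only when the certificate has changed), as an added example that is not part of the thread and is not the script from the ApacheCon slides. It writes a PKCS12 file, which Tomcat can load as a keystore with keystoreType="PKCS12", and assumes an unencrypted PEM key, openssl on the PATH and the keystore password in KEYSTORE_PASS; the function name, file arguments and alias are illustrative.

```shell
#!/bin/sh
# Added example, not the script from the ApacheCon slides.
# Assumptions: openssl is installed; file names and alias are the caller's;
# the keystore password comes from $KEYSTORE_PASS, not the command line.
set -eu

# build_keystore KEY CERT CHAIN OUT ALIAS
# Prints "rebuilt" or "unchanged"; returns 2 if KEY does not match CERT.
build_keystore() {
  local key="$1" cert="$2" chain="$3" out="$4" alias="$5"
  local stamp="$out.sha256" kpub cpub new_fp old_fp="" tmp
  : "${KEYSTORE_PASS:?set KEYSTORE_PASS in the environment}"

  # A key that does not belong to the certificate would produce a keystore
  # Tomcat cannot serve from; compare the two public keys first.
  kpub=$(openssl pkey -in "$key" -pubout) || return 2
  cpub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
  if [ "$kpub" != "$cpub" ]; then
    echo "private key does not match certificate" >&2
    return 2
  fi

  # Rebuild only when the certificate fingerprint differs from the last build.
  new_fp=$(openssl x509 -in "$cert" -noout -fingerprint -sha256) || return 1
  if [ -f "$stamp" ]; then old_fp=$(cat "$stamp"); fi
  if [ -f "$out" ] && [ "$new_fp" = "$old_fp" ]; then
    echo unchanged
    return 0
  fi

  # mktemp creates the file mode 0600; write there, then rename over the
  # old keystore so Tomcat never sees a half-written file.
  tmp=$(mktemp "$out.XXXXXX") || return 1
  if ! openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
        -name "$alias" -passout env:KEYSTORE_PASS -out "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  mv -f "$tmp" "$out"
  printf '%s\n' "$new_fp" > "$stamp"
  echo rebuilt
}
```

On Tomcat 7 the connector still has to be restarted after a rebuild, since the reload-on-change behaviour mentioned in the reply applies to Tomcat 8.5+.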