On 13/01/2020 14:20, Peter Rader wrote:
>>> I recently moved from T8 to T9 to use PKI.
>>
>> Exact versions?
>
> T8 = 8.5.50.0 on amazon-corretto-8.232.09.1-linux-x64
> T9 = 9.0.30.0 on amazon-corretto-8.232.09.1-linux-x64
>
>>
>>> My keystore contains multiple CAs.
>>>
>>> I had to modify the ssl-connector from
>>> org.apache.coyote.http11.Http11Protocol
>>> to
>>> org.apache.coyote.http11.Http11NioProtocol
>>
>> Full Connector configurations (with sensitive data masked)?
>
> TC8=
> <Connector port="443" keyAlias="XXX"
> protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
> secure="true" SSLEnabled="true" keystoreFile="XXXX" keystorePass="XXXXX"
> sslProtocol="TLS" clientAuth="want" truststoreFile="XXXX"
> truststorePass="XXXXX" />
>
> TC9=
> <Connector port="443" keyAlias="XXX"
> protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
> secure="true" SSLEnabled="true" keystoreFile="XXXX" keystorePass="XXXXX"
> sslProtocol="TLS" clientAuth="want" truststoreFile="XXXX"
> truststorePass="XXXXX" />

This is not possible. The first configuration is for the BIO connector. This connector was not present in 8.5.x. Might you have been using 8.0.x?

keyAlias should still work in 9.0.x. It might be case-sensitive.

Do you have the Tomcat Native library installed and configured? The extra plumbing we have added to allow users to swap seamlessly between JSSE and OpenSSL has created a few bugs.

If you can re-create the issue with a set of test keys and certificates that you can share with the developers, we can take a closer look.

Mark
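
An added example, not part of the original thread or of Tomcat: a small Python helper that prepares Connector configurations for sharing on a list, masking sensitive attributes and naming the connector implementation each `protocol` class selects. The function name `review_connectors`, the `SENSITIVE` attribute set and the sample server.xml are assumptions constructed for illustration; the BIO note restates the reply above.

```python
import xml.etree.ElementTree as ET

# Attributes masked before sharing (an assumed set; extend it for your setup).
SENSITIVE = {"keyAlias", "keyPass", "keystoreFile", "keystorePass",
             "truststoreFile", "truststorePass"}

# HTTP/1.1 protocol handler classes and the implementation each one selects.
IMPLEMENTATIONS = {
    "org.apache.coyote.http11.Http11Protocol": "BIO",
    "org.apache.coyote.http11.Http11NioProtocol": "NIO",
    "org.apache.coyote.http11.Http11Nio2Protocol": "NIO2",
    "org.apache.coyote.http11.Http11AprProtocol": "APR",
}

# Constructed sample input, not taken from the thread.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="443" keyAlias="web1" SSLEnabled="true" clientAuth="want"
             protocol="org.apache.coyote.http11.Http11Protocol"
             keystoreFile="conf/ks.jks" keystorePass="s3cret"/>
  <Connector port="8443" SSLEnabled="true" truststorePass="t0psecret"
             protocol="org.apache.coyote.http11.Http11NioProtocol"/>
</Service></Server>"""


def review_connectors(server_xml):
    """Return one dict per <Connector>: port, implementation, masked XML, notes."""
    results = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Anything other than a known class name (e.g. "HTTP/1.1") is reported as-is.
        impl = IMPLEMENTATIONS.get(conn.get("protocol", ""), "not an explicit class")
        notes = []
        if impl == "BIO":
            notes.append("BIO connector class: not present in 8.5.x (per the reply)")
        for name in conn.attrib:
            if name in SENSITIVE:
                conn.set(name, "XXXX")  # mask in place; the original value is dropped
        masked = ET.tostring(conn, encoding="unicode").strip()
        results.append({"port": conn.get("port"), "implementation": impl,
                        "masked": masked, "notes": notes})
    return results


if __name__ == "__main__":
    for entry in review_connectors(SAMPLE):
        print(entry["port"], entry["implementation"], entry["notes"])
        print(entry["masked"])
```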