On 2020-07-11 at 23:52, Valentin wrote:
Hello,

I am trying to configure my Tomcat 9.0.37, installed on a Windows Server 2016, to
use a certificate located in *cert:LocalMachine\My*

I mention that I am an administrator of this machine.
This certificate is also used by IIS.

What I did was to configure my server.xml file like this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                keyAlias="myserver.domain.com"
                keystoreFile=""
                keystorePass=""
                keystoreType="Windows-My"
                clientAuth="false" sslProtocol="TLS" />

The error I got in the Tomcat logs was that the keyAlias doesn't exist, but I
used the CN mentioned in the description of my certificate.

Is it possible for Tomcat to use the Windows certificate store?
The only link I found about this was:
https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

I have used Windows-MY several times now with HttpClient, curl and OpenSSL. The native Crypto API of the Windows Cert Store provides several name formats for the key alias.
First of all, set CAPI_TRACE env var to see more output.
Native does this: https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/master/jdk/src/windows/native/sun/security/mscapi/security.cpp#L561-L563 CERT_NAME_FRIENDLY_DISPLAY_TYPE (fallback CERT_NAME_SIMPLE_DISPLAY_TYPE) from https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetnamestringa

My recommendation is to write the simplest code: open Windows-MY, iterate over all keys, print the keys, and then you will know what these display names are. The DNS name you use is obviously not the right one, since it would have to be CERT_NAME_DNS_TYPE.

Good luck,

Michael
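The "simplest code" Michael recommends, as an added example that is not part of the original thread: it opens the Windows-MY keystore through the JDK's SunMSCAPI provider and prints, for every entry, the alias exactly as the provider reports it (this is the string keyAlias must match), whether a private key is attached, the subject DN, any dNSName SANs and the expiry. The class name ListWindowsMy is an assumption; the program needs a Windows JDK and no other dependencies.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;

// Added diagnostic example (hypothetical class name), not code from the thread.
// Prints the aliases the SunMSCAPI provider derives from the Windows cert store,
// so they can be compared with the keyAlias configured in server.xml.
public class ListWindowsMy {

    public static void main(String[] args) throws Exception {
        // "Windows-MY" is the SunMSCAPI keystore type backed by the native store;
        // there is no file and no password, so both load() arguments are null.
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            // isKeyEntry is true only when a private key is accessible for this
            // certificate under the account running this program.
            boolean hasKey = ks.isKeyEntry(alias);
            System.out.println("alias=\"" + alias + "\" keyEntry=" + hasKey);

            Certificate cert = ks.getCertificate(alias);
            if (cert instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) cert;
                System.out.println("  subject : " + x.getSubjectX500Principal().getName());
                System.out.println("  notAfter: " + x.getNotAfter());

                // Each SAN is a List whose first element is the GeneralName type;
                // type 2 is dNSName (RFC 5280), which is the name clients will check.
                Collection<List<?>> sans = x.getSubjectAlternativeNames();
                if (sans != null) {
                    for (List<?> san : sans) {
                        if (Integer.valueOf(2).equals(san.get(0))) {
                            System.out.println("  dNSName : " + san.get(1));
                        }
                    }
                }
            }
        }
    }
}
```

Compile with `javac ListWindowsMy.java` and run `java ListWindowsMy`. Two things to check when reading the output: run it under the same Windows account the Tomcat service uses, because private-key access (the keyEntry flag) is per account; and note that on JDK 8 "Windows-MY" is the CurrentUser\My store, so a certificate that exists only in LocalMachine\My will not be listed at all (separate LocalMachine store types were added to the JDK only in much later releases). If the alias is printed with keyEntry=false, Tomcat will not be able to serve with it even when the alias is spelled correctly.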
