I will argue that you can use self-signed certificates in production if and only if you own and fully control both servers engaged in the transaction as well as all of the connection fabric between the servers. If these conditions are true and someone can still execute a man-in-the-middle attack, I will assert that your environment is already so compromised that the attack is almost meaningless. On the other hand, using a self-signed certificate with an expiry of greater than 398 days in a situation like this means that you can free up people's time to do work other than maintaining a hidden certificate. And setting up automation to renew such a certificate adds an increased level of complexity as well as an additional point of failure to the equation.
Darryl Baker, GSEC (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave. Suite 6-600 – Box #39
Evanston, IL 60201-3715
darryl.ba...@northwestern.edu
(847) 467-6674

On 8/28/20, 7:47 PM, "Daniel Savard" <daniel.sav...@gmail.com> wrote:

On Fri., 28 Aug. 2020 at 17:19, Darryl Philip Baker <darryl.ba...@northwestern.edu> wrote:

> I am having an issue that I don't understand. On RHEL6/CentOS and earlier
> my predecessors would put self-signed certificates they wanted to trust in
> /etc/pki/ca-trust/extracted/java/cacerts and it was good for the life of
> the machine. On RHEL7 and I assume CentOS7 that file is part of a package
> that is getting updated as part of the regular patches. That wipes out our
> self-signed certificates. The way I understand the directions from Red Hat,
> we should put the certificate in PEM format in the directory
> /etc/pki/ca-trust/source/anchors and run update-ca-trust extract, and that
> will update all the appropriate files, including the cacerts file. That
> does not seem to happen. What is the proper way of handling self-signed
> certificates you want Tomcat to trust?
>
> Off topic, but you are folks who might know:
> On a related note I have the same issue with Java applications not running
> in Tomcat that use the same file /etc/pki….java/cacerts. Am I understanding
> the PKI update process correctly? Am I putting the self-signed certificate
> PEM format file in the correct place?
>
> Darryl Baker, GSEC (he/him/his)
> Sr. System Administrator
> (...)
>

You can put your certificates and truststore wherever you want as long as you tell Tomcat where they are in the conf/server.xml configuration file when you configure the connector using them. Self-signed certificates should never be used on a production server; they are not secure. It is up to you to handle the certificates when they expire unless you have some other automated way to renew them.

Normally, the cacerts file distributed with Java is a JKS-formatted trust store, and the certificates it contains will eventually expire. That's why when Java is updated you may get an updated cacerts file as well. If you put your own certificates in that file and it gets updated when Java is updated, obviously you will lose your certificates. Just make a copy and put your certificates in the copy. In fact, you may not need the original file at all if only self-signed certificates are involved. All the certificate authorities in the file are then useless to you.

Regards,
-----------------
Daniel Savard

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
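The two approaches discussed in the thread, as an added example that is not code from either poster: the Red Hat procedure (drop the PEM into /etc/pki/ca-trust/source/anchors, run update-ca-trust extract, then confirm the regenerated Java store really contains the certificate, since update-ca-trust silently ignores files it cannot parse), and Daniel's alternative of importing into a private copy of cacerts that package updates will not overwrite. It assumes the RHEL 7 default paths named in the thread, the "changeit" password that the extracted Java store uses, and openssl and keytool on PATH; the script name and function names are mine. One caveat on which store applies: a truststore configured on the Tomcat connector (truststoreFile on <SSLHostConfig> in Tomcat 8.5 and later, or on <Connector> in older versions) is used to verify client certificates, whereas outbound HTTPS connections made by the JVM use its default cacerts or whatever -Djavax.net.ssl.trustStore points at, so a self-signed certificate on a server the application calls out to needs to land in that store.

```shell
#!/bin/sh
# Added example (not from the thread). Make a self-signed certificate
# trusted by Java/Tomcat on RHEL/CentOS 7 and verify that it took effect.
#   install_anchor     - Red Hat procedure: anchors dir + update-ca-trust
#   private_truststore - import into a private copy of cacerts instead
# Assumed: RHEL 7 default paths, "changeit" store password, openssl/keytool.

set -u

ANCHOR_DIR=/etc/pki/ca-trust/source/anchors
JAVA_CACERTS=/etc/pki/ca-trust/extracted/java/cacerts
STOREPASS=changeit

# Lower-case, colon-free SHA-256 fingerprint of a PEM certificate.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Destination under the anchors directory, keyed by fingerprint so that
# re-running the script is idempotent and distinct certificates never collide.
anchor_file() {
    printf '%s/%s.pem\n' "$ANCHOR_DIR" "$1"
}

# True if the keystore contains a certificate with this fingerprint.
# "keytool -list -v" prints one "SHA256: AB:CD:..." line per entry.
store_has_fingerprint() {
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" 2>/dev/null \
        | grep 'SHA256:' | sed -e 's/^.*SHA256: *//' -e 's/://g' \
        | tr 'A-F' 'a-f' | grep -qx "$2"
}

install_anchor() {
    cert=$1
    # update-ca-trust skips unparsable files without complaint, so reject
    # anything that is not a PEM certificate up front.
    openssl x509 -in "$cert" -noout 2>/dev/null \
        || { echo "not a PEM certificate: $cert" >&2; return 1; }
    fp=$(cert_fingerprint "$cert")
    dest=$(anchor_file "$fp")
    cp "$cert" "$dest" && chmod 0644 "$dest" || return 1
    update-ca-trust extract || return 1
    # The check the thread was missing: is it actually in the Java store now?
    if store_has_fingerprint "$JAVA_CACERTS" "$fp"; then
        echo "anchored: $dest is now in $JAVA_CACERTS"
    else
        echo "update-ca-trust ran but $fp is not in $JAVA_CACERTS" >&2
        return 1
    fi
}

# Copy the distributed cacerts once, then import into the copy; point
# Tomcat (or -Djavax.net.ssl.trustStore) at $2, never at the package file.
private_truststore() {
    cert=$1
    store=$2
    alias=$3
    [ -f "$store" ] || cp "$JAVA_CACERTS" "$store" || return 1
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$cert" -keystore "$store" -storepass "$STOREPASS" || return 1
    store_has_fingerprint "$store" "$(cert_fingerprint "$cert")"
}

# Usage: sh trust-selfsigned.sh anchor  CERT.pem
#        sh trust-selfsigned.sh private CERT.pem STORE.jks ALIAS
case "${1:-}" in
    anchor)  install_anchor "$2" ;;
    private) private_truststore "$2" "$3" "$4" ;;
esac
```

Before relying on the anchor route for a non-Tomcat Java application, check whether the JDK's own trust store ($JAVA_HOME/jre/lib/security/cacerts, or lib/security/cacerts on newer JDKs) is a symlink into /etc/pki; if it is a plain file, the extracted store is not what that JVM reads and the private_truststore route with -Djavax.net.ssl.trustStore is the one that applies.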