Paul,

On 2/9/22 13:41, paul....@stgconsulting.com wrote:
> Could someone point me to a how to SSL configuration using cert and key generated using MS AD Cert server for internal use?

Assuming that "MS AD Cert Server" generates normal X.509 certificates, it shouldn't matter that you are using that particular tool.

What format is your certificate in once created? Note that you'll need both the private key and the certificate. If MS AD Cert Server doesn't trust you with the private keys, then you won't be able to use that tool.

> I have attempted to follow examples in Tomcat docs, as well as examples found through internet searches.
>
> I have attempted various configurations using either http11.Http11NioProtocol, or org.apache.coyote.http11.Http11AprProtocol connectors.

You shouldn't have to specify any specific connector. The defaults should be enough.

> I have attempted this with OpenSSL and tcnative, using JSSE or OpenSSL.
>
> I get a variety of different error messages.

I think we can be pretty agnostic for particular approach.

> Am happy to provide the configurations I’ve tried and the resulting error messages.
>
> I thought it might be better if I first was able to obtain an example.
>
> It seems like it might be better than listing all configurations and errors. But am happy to do that as well.

These commands should generate a key + certificate you should be able to use:

$ openssl ecparam -name prime256v1 -genkey -out server.key
$ openssl req -new -x509 -nodes -sha512 -key server.key -out server.crt -days 365

This will create an Elliptic-Curve key, unencrypted, and then generate a self-signed certificate using that key. Enter whatever you want when OpenSSL asks you all those questions, but the "CN" (or "Common Name") should be the hostname of the server you are configuring. For a real site, you'll want to make sure that the Subject Alternative Name (SAN) fields are specified correctly so browsers don't complain (these days, CN is essentially ignored and SAN is essentially required).

Anyhow, now you have two files. Configure your <Connector>:

<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateFile="server.crt" certificateKeyFile="server.key" />
  </SSLHostConfig>
</Connector>

This should be enough to get you started.

If the above doesn't work, please post whatever errors you get.

-chris
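As an added example (not part of Chris's reply or the Tomcat project), the script below carries the two openssl commands above one step further: it generates the same unencrypted P-256 key and self-signed certificate, but also puts the hostname into the Subject Alternative Name as the message recommends, and then verifies two things that commonly cause the "variety of error messages" described in the thread: that the certificate really carries the expected SAN, and that the certificate's public key matches the private key it is deployed beside. It assumes OpenSSL 1.1.1 or newer (for the `-addext` option); the hostname `tomcat.example.internal` and the output directory are placeholders chosen here, and the file names `server.key` / `server.crt` match the `<Certificate>` element shown above.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes OpenSSL >= 1.1.1
# (needed for -addext). Hostname and output directory are placeholders.

# make_server_cert HOSTNAME OUTDIR
# Writes OUTDIR/server.key and OUTDIR/server.crt, the names referenced by the
# <Certificate certificateFile=... certificateKeyFile=...> element in server.xml.
make_server_cert() {
    host="$1"
    dir="$2"
    mkdir -p "$dir" || return 1
    # Unencrypted EC private key on the P-256 curve (no passphrase, so Tomcat
    # can load it without a certificateKeyPassword attribute).
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key" 2>/dev/null || return 1
    # Self-signed certificate valid for 365 days. CN is set to the hostname and,
    # because browsers ignore CN, the same name is also placed in the SAN.
    openssl req -new -x509 -nodes -sha512 -days 365 \
        -key "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null || return 1
}

# cert_has_san CERT HOSTNAME -> exit 0 if the SAN extension lists DNS:HOSTNAME
cert_has_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q "DNS:$2"
}

# key_matches_cert KEY CERT -> exit 0 if the public key embedded in CERT is the
# one derived from KEY (a mismatch is a classic cause of TLS start-up errors).
key_matches_cert() {
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    pub_from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

# check_server_cert HOSTNAME OUTDIR -> exit 0 only if both checks pass
check_server_cert() {
    cert_has_san "$2/server.crt" "$1" && key_matches_cert "$2/server.key" "$2/server.crt"
}

# Usage when run directly, e.g.: sh make-cert.sh tomcat.example.internal ./tls
if [ "$#" -eq 2 ]; then
    make_server_cert "$1" "$2" && check_server_cert "$1" "$2" \
        && echo "OK: $2/server.crt has SAN DNS:$1 and matches $2/server.key"
fi
```

The two verification functions are the ones worth keeping around: when a certificate issued by another tool (such as an internal CA) is dropped into the `<Certificate>` element and Tomcat refuses to start, running `cert_has_san` and `key_matches_cert` against that pair isolates "wrong name" and "wrong key" problems before touching the connector configuration.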
