Paul,
On 2/9/22 13:41, paul....@stgconsulting.com wrote:
Could someone point me to a how to SSL configuration using cert and key
generated using MS AD Cert server for internal use?
Assuming that "MS AD Cert Server" generates normal X.509 certificates,
it shouldn't matter that you are using that particular tool.
What format is your certificate in once created? Note that you'll need
both the private key and the certificate. If MS AD Cert Server doesn't
trust you with the private keys, then you won't be able to use that tool.
I have attempted to follow examples in Tomcat docs, as well as examples
found through internet searches.
I have attempted various configurations using either
http11.Http11NioProtocol, or org.apache.coyote.http11.Http11AprProtocol
connectors.
You shouldn't have to specify any specific connector. The defaults
should be enough.
I have attempted this with OpenSSL and tcnative, using JSSE or OpenSSL.
I get a variety of different error messages.
I think we can be pretty agnostic for particular approach.
Am happy to provide the configurations I’ve tried and the resulting
error messages.
I thought it might be better if I first was able to obtain an example.
It seems like it might be better than listing all configurations and
errors. But am happy to do that as well.
These commands should generate a key + certificate you should be able to use:
$ openssl ecparam -name prime256v1 -genkey -out server.key
$ openssl req -new -x509 -nodes -sha512 -key server.key -out server.crt -days 365
This will create an Elliptic-Curve key, unencrypted, and then generate a
self-signed certificate using that key. Enter whatever you want when
OpenSSL asks you all those questions, but the "CN" (or "Common Name")
should be the hostname of the server you are configuring. For a real
site, you'll want to make sure that the Subject Alternative Name (SAN)
fields are specified correctly so browsers don't complain (these days,
CN is essentially ignored and SAN is essentially required).
Anyhow, now you have two files. Configure your <Connector>:
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig>
        <Certificate certificateFile="server.crt"
                     certificateKeyFile="server.key" />
    </SSLHostConfig>
</Connector>
This should be enough to get you started.
If the above doesn't work, please post whatever errors you get.
-chris
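The reply above generates a key and certificate interactively and leaves the SAN to the reader. The script below is an added example (not Chris's commands and not part of the Tomcat project) that does the same non-interactively, puts a subjectAltName into the self-signed certificate, and then checks that the key and certificate actually belong together before they go into the <Connector>. The hostname `tomcat.example.internal` and the `./tls-out` directory are placeholders; `-addext` and `-ext` need OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: EC key + self-signed certificate with a SAN, plus a
# key/certificate consistency check. Not code from the mailing-list thread.

HOST="${HOST:-tomcat.example.internal}"   # assumption: placeholder hostname
OUTDIR="${OUTDIR:-./tls-out}"             # assumption: placeholder output dir

# Generate an unencrypted P-256 private key and a one-year self-signed
# certificate whose CN and SAN both name the server.
gen_cert() {
    mkdir -p "$OUTDIR"
    openssl ecparam -name prime256v1 -genkey -noout -out "$OUTDIR/server.key"
    openssl req -new -x509 -nodes -sha512 -days 365 \
        -key "$OUTDIR/server.key" -out "$OUTDIR/server.crt" \
        -subj "/CN=$HOST" \
        -addext "subjectAltName=DNS:$HOST"
}

# Print "match" when the public key embedded in the certificate is the
# same as the public half of the private key, otherwise "mismatch".
# A mismatch is the usual cause of Tomcat refusing the pair at startup.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$OUTDIR/server.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$OUTDIR/server.key" -pubout)
    if [ "$crt_pub" = "$key_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Show the SAN extension so the hostname can be confirmed by eye.
cert_san() {
    openssl x509 -in "$OUTDIR/server.crt" -noout -ext subjectAltName
}

# Usage: gen_cert && key_matches_cert && cert_san
```

Once `key_matches_cert` prints `match`, point `certificateFile` and `certificateKeyFile` in the <Connector> at the two files in `$OUTDIR`. Browsers will still warn because the certificate is self-signed; a certificate issued by the internal AD CA replaces `server.crt` without changing the rest of the configuration.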
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org