Chris,
Appreciate your guidance.
Will post errors, if there are any.
Best
Paul

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net> 
Sent: Thursday, February 10, 2022 1:15 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat 9.0.56 Windows - Assistance with using cert and key generated using MS AD Cert Server for internal use

Paul,

On 2/9/22 13:41, paul....@stgconsulting.com wrote:
> Could someone point me to a how to SSL configuration using cert and 
> key generated using MS AD Cert server for internal use?

Assuming that "MS AD Cert Server" generates normal X.509 certificates, it
shouldn't matter that you are using that particular tool.

What format is your certificate in once created? Note that you'll need both
the private key and the certificate. If MS AD Cert Server doesn't trust you
with the private keys, then you won't be able to use that tool.

> I have attempted to follow examples in Tomcat docs, as well as 
> examples found through internet searches.
> 
> I have attempted various configurations using either 
> http11.Http11NioProtocol, or 
> org.apache.coyote.http11.Http11AprProtocol
> connectors.

You shouldn't have to specify any specific connector. The defaults should be
enough.

> I have attempted this with OpenSSL and tcnative, using JSSE or OpenSSL.
> 
> I get a variety of different error messages.
> 
> I think we can be pretty agnostic for particular approach.
> 
> Am happy to provide the configurations I've tried and the resulting 
> error messages.
> 
> I thought it might be better if I first was able to obtain an example.
> 
> It seems like it might be better than listing all configurations and 
> errors. But am happy to do that as well.

These commands should generate a key + certificate you should be able to use:

$ openssl ecparam -name prime256v1 -genkey -out server.key
$ openssl req -new -x509 -nodes -sha512 -key server.key -out server.crt -days 365

This will create an Elliptic-Curve key, unencrypted, and then generate a
self-signed certificate using that key. Enter whatever you want when OpenSSL
asks you all those questions, but the "CN" (or "Common Name") should be the
hostname of the server you are configuring. For a real site, you'll want to
make sure that the Subject Alternative Name (SAN) fields are specified
correctly so browsers don't complain (these days, CN is essentially ignored
and SAN is essentially required).

Anyhow, now you have two files. Configure your <Connector>:

<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
   <SSLHostConfig>
     <Certificate certificateFile="server.crt"
                  certificateKeyFile="server.key" />
   </SSLHostConfig>
</Connector>

This should be enough to get you started.

If the above doesn't work, please post whatever errors you get.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
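The key-generation, certificate and <Connector> steps from Chris's reply, carried through as one runnable script. This is an added example, not code from the mailing-list post or from the Tomcat project. It keeps the same curve, digest and validity as the post, but adds the two things the reply says a real site needs and the post's commands leave to the interactive prompts: a non-interactive subject (`-subj`) and a Subject Alternative Name (`-addext`, OpenSSL 1.1.1 or later). It then checks that the private key actually belongs to the certificate, which is the first thing to verify when a cert/key pair exported from another tool produces TLS errors. The hostname `tomcat.example.internal`, the output directory and the function names are constructed values for the demonstration.

```shell
#!/bin/sh
# Added example (not from the post): generate an unencrypted EC key and a
# self-signed certificate with a SAN, verify the pair, and print the matching
# Tomcat <Connector>. Hostname and output directory are constructed values.
set -eu

# gen_pair DIR HOST: write DIR/server.key and DIR/server.crt for HOST.
gen_pair() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Same curve as in the post; -noout keeps the EC PARAMETERS block out of the
    # key file so it holds nothing but the private key.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/server.key"
    # -subj replaces the interactive prompts (CN = server hostname, as the post
    # says); -addext sets the SAN that browsers require today.
    openssl req -new -x509 -nodes -sha512 -days 365 \
        -key "$dir/server.key" -out "$dir/server.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host"
}

# key_matches_cert DIR: succeed only if the public key derived from server.key
# is byte-for-byte the public key embedded in server.crt.
key_matches_cert() {
    dir="$1"
    from_key=$(openssl pkey -in "$dir/server.key" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
    [ -n "$from_key" ] && [ "$from_key" = "$from_crt" ]
}

# cert_has_san DIR HOST: succeed if the certificate's SAN lists DNS:HOST.
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# connector_snippet DIR: the <Connector> from the post, with absolute paths so
# the result does not depend on the directory Tomcat happens to start in.
connector_snippet() {
    dir="$1"
    cat <<EOF
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
   <SSLHostConfig>
     <Certificate certificateFile="$dir/server.crt"
                  certificateKeyFile="$dir/server.key" />
   </SSLHostConfig>
</Connector>
EOF
}

# Demo run with constructed values; only prints the connector if both checks pass.
demo() {
    out="${TMPDIR:-/tmp}/tomcat-tls-demo"
    host="tomcat.example.internal"
    gen_pair "$out" "$host"
    key_matches_cert "$out" && cert_has_san "$out" "$host" \
        && echo "key/cert pair OK for $host" && connector_snippet "$out"
}

demo
```

Paste the printed <Connector> into server.xml in place of the existing one. If Tomcat still refuses to start, run `key_matches_cert` against the files you actually deployed: a mismatch there means the private key that was exported is not the one the certificate was issued for, and no connector setting will fix that.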