
Configure Tomcat 8.0's SSL using XCA

I have recently discovered the XCA tool for managing certificates, keys and other cryptography- and security-related material (check it out here).

So far, I've created a self-signed CA certificate, with which I've signed my server and client certificates:

[XCA screenshot]

Now, what I want to do is configure Tomcat with the exported files of XCA so as to make use of SSL:

<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11AprProtocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    clientAuth="true"
    sslProtocol="TLSv1.2"
    SSLVerifyClient="require"
    SSLCipherSuite="ALL"
    SSLCertificateFile="??"
    SSLCertificateKeyFile="??"
    SSLCertificateChainFile="??"
    SSLCACertificateFile="??" />

So here is my question: which files must I export, and where do I place them in the Tomcat Connector? (PEM, PEM with certificate chain file, PEM with all trusted certificates, PEM with all certificates...)

Thanks for your help!

EDIT: I've followed this tutorial to set it all up (this guide is in Spanish). I've tested it on Firefox, Chrome, Internet Explorer and Safari. The only browser in which it works is Firefox... I'm getting the following error: ERR_CERT_INVALID


I've realised what might be causing this issue... I've sometimes used the SHA-1 algorithm to make these certificates. I'll repeat the process using another algorithm.

EDIT 2: After changing the hashing algorithm from SHA-1 to SHA-512, nothing has changed...

EDIT 3: It seems that Chrome, Internet Explorer and Safari are stricter than Firefox in terms of security. I've tried a client in Java which connects to my web service using HTTPS, and it works fine :).

Since you are using the APR connector, you are correct that you should be using PEM files (the other connectors use Java keystores). Just be aware that a "PEM file" just describes the file type and not its contents.

You will need two artifacts to get TLS configured:

  1. The server's private key
  2. The server's certificate

There are ways to configure these artifacts in a single file, but it's a bit easier to understand if you have each one in a separate file. It's somewhat traditional to have a file called [servername].key for the key and another file called [servername].crt for the certificate.

It will be easier to verify that TLS is configured properly first without using client certificates, so try that first and then add the client-cert configuration on top of that.

Now that you have these files, the SSL-related attribute values are somewhat obvious:

SSLCertificateFile="[servername].crt" 
SSLCertificateKeyFile="[servername].key" 

You will not need either of these attributes to be set to anything:

SSLCertificateChainFile
SSLCACertificateFile

Don't set the cipher suite to "ALL"... that will enable ciphers with essentially zero security. Try something like SSLCipherSuite="HIGH". You'll want to read online a bit about how to configure a decent set of cipher suites for a modern deployment.
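The answer's point that "PEM" names the file format, not its contents, is exactly where XCA's several export variants (plain PEM, PEM with certificate chain, PEM with everything) cause trouble. The script below is an added example, not code from the original post, from Tomcat or from XCA: it looks only at the BEGIN/END framing of each file, classifies what the file holds, and checks that the three files handed to SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile have the shape the APR connector expects. The file names and the PEM bodies are constructed placeholders (not valid DER), so they demonstrate the check, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post, Tomcat or XCA): inspect what each
# PEM export actually contains before wiring it into the APR connector's
# SSLCertificateFile / SSLCertificateKeyFile / SSLCACertificateFile attributes.
# The PEM bodies below are constructed placeholders (not valid DER), so only the
# BEGIN/END framing is inspected.
set -eu

# Number of "-----BEGIN CERTIFICATE-----" blocks in a file (0 if missing).
count_certs() {
    n=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Number of private-key blocks: PKCS#8, PKCS#1 (RSA), SEC1 (EC) or encrypted.
count_keys() {
    n=$(grep -c '^-----BEGIN .*PRIVATE KEY-----$' "$1" 2>/dev/null) || n=0
    echo "${n:-0}"
}

# Classify a PEM file by contents: key, cert, chain (2+ certs),
# bundle (key and cert together) or empty.
pem_kind() {
    c=$(count_certs "$1"); k=$(count_keys "$1")
    if   [ "$k" -gt 0 ] && [ "$c" -gt 0 ]; then echo bundle
    elif [ "$k" -gt 0 ]; then echo key
    elif [ "$c" -eq 1 ]; then echo cert
    elif [ "$c" -gt 1 ]; then echo chain
    else echo empty
    fi
}

# Check the files for an APR connector: exactly one server cert, one key and,
# when client certificates are required, a CA file holding only certificates.
# Prints each problem found; returns 1 if there was any.
check_apr_files() {  # usage: check_apr_files CERT_FILE KEY_FILE [CA_FILE]
    rc=0
    kind=$(pem_kind "$1")
    [ "$kind" = cert ] || { echo "SSLCertificateFile $1: want one certificate only, got '$kind'"; rc=1; }
    kind=$(pem_kind "$2")
    [ "$kind" = key ] || { echo "SSLCertificateKeyFile $2: want one private key, got '$kind'"; rc=1; }
    if [ $# -ge 3 ]; then
        kind=$(pem_kind "$3")
        case "$kind" in
            cert|chain) ;;
            *) echo "SSLCACertificateFile $3: want CA certificate(s) only, got '$kind'"; rc=1 ;;
        esac
    fi
    return $rc
}

# --- constructed sample exports, mimicking XCA's export variants ---
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT='-----BEGIN CERTIFICATE-----
cGxhY2Vob2xkZXIgY2VydGlmaWNhdGUgYm9keSAobm90IHJlYWwgREVSKQ==
-----END CERTIFICATE-----'
KEY='-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXIga2V5IGJvZHkgKG5vdCByZWFsIERFUik=
-----END PRIVATE KEY-----'
printf '%s\n' "$CERT"         > "$WORK/server.crt"        # plain PEM export of the server cert
printf '%s\n' "$KEY"          > "$WORK/server.key"        # private key export
printf '%s\n' "$CERT"         > "$WORK/ca.crt"            # the self-signed CA certificate
printf '%s\n' "$CERT" "$CERT" > "$WORK/server-chain.pem"  # "PEM with certificate chain"
printf '%s\n' "$KEY" "$CERT"  > "$WORK/server-all.pem"    # key and cert in one file

# Demo: only server.crt / server.key / ca.crt have the shape the attributes expect.
for f in server.crt server.key ca.crt server-chain.pem server-all.pem; do
    printf '%-18s %s\n' "$f" "$(pem_kind "$WORK/$f")"
done
check_apr_files "$WORK/server.crt" "$WORK/server.key" "$WORK/ca.crt" && echo "OK: files suit the APR connector"
check_apr_files "$WORK/server-all.pem" "$WORK/server.key" || echo "(rejected as expected: a key+cert bundle is not an SSLCertificateFile)"
```

Run it against the real exports by pointing check_apr_files at them; a "chain" or "bundle" verdict for the file you meant to use as SSLCertificateFile is the usual cause of a connector that starts but serves the wrong certificate or fails to load the key. Once the framing is right, use openssl for the content checks this script deliberately does not do: `openssl verify -CAfile ca.crt server.crt` confirms the CA really signed the server certificate, `openssl x509 -in server.crt -noout -text` shows the extensions a browser will judge it by (more useful than guessing at the hash algorithm), and `openssl ciphers -v 'HIGH:!aNULL'` lists exactly what a cipher string expands to, which is how you can see that plain "ALL" admits anonymous and NULL suites.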
