java - Configure Tomcat 8.0's SSL using XCA


I have discovered XCA, a tool to manage certificates, keys, and related cryptography or security items (check it out here).

So far, I've created a self-signed CA certificate, and I've signed server and client certificates:

(XCA screenshot)

Now I want to configure Tomcat with the files exported from XCA to make use of SSL:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               maxThreads="150"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               clientAuth="true"
               SSLProtocol="TLSv1.2"
               SSLVerifyClient="require"
               SSLCipherSuite="ALL"
               SSLCertificateFile="??"
               SSLCertificateKeyFile="??"
               SSLCertificateChainFile="??"
               SSLCACertificateFile="??" />

So the question is: which files must I export and place in the Tomcat connector? (PEM, PEM certificate chain file, PEM trusted certificates, PEM certificates...)

Thanks for your help!

Edit: I've followed this tutorial to set it up (this guide, in Spanish). I've tested on Firefox, Chrome, Internet Explorer and Safari. The only browser in which it's working is Firefox... in the others I'm getting the following error: ERR_CERT_INVALID

I've realised what might be causing the issue... I've used the SHA-1 algorithm to make these certificates. I'll repeat the process using another algorithm.

Edit 2: After changing the hashing algorithm from SHA-1 to SHA-512, nothing has changed...

Edit 3: It seems Chrome, Internet Explorer and Safari are more strict than Firefox in terms of security. I've tried a client in Java that connects to the web service using HTTPS, and it works fine :).

Since you are using the APR connector, you are correct that you should be using PEM files (the other connectors use Java keystores). Be aware that "PEM file" describes a file type and not its contents.

You need 2 artifacts to get TLS configured:

  1. the server's private key
  2. the server's certificate

There are ways to configure these artifacts in a single file, but it's a bit easier to understand if you have each one in a separate file. It's traditional to have a file called [servername].key for the key and a file called [servername].crt for the certificate.

It is easier to verify that TLS is configured correctly without using client certificates first, so try that first and then add the client-cert configuration on top of that.

Now that you have these files, the SSL-related attribute values are obvious:

    SSLCertificateFile="[servername].crt"
    SSLCertificateKeyFile="[servername].key"

You do not need either of these attributes set to anything:

    SSLCertificateChainFile
    SSLCACertificateFile

Don't set the cipher suite to "ALL"... that enables ciphers with zero security. Try SSLCipherSuite="HIGH". You'll want to read online a bit about how to configure a decent set of cipher suites for a modern deployment.
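As an added example (not from the question or the answer above, and not tooling from Tomcat or XCA), here is a POSIX shell script that checks the PEM files the answer describes before Tomcat is pointed at them: that the private key actually belongs to the server certificate, that the certificate chains to the CA file, that it is not signed with SHA-1 (which the asker's other browsers may reject), and that it carries a subjectAltName, then prints the matching APR connector with a sane cipher string. It builds a throwaway CA and server certificate with openssl as a stand-in for the XCA export; every file name is hypothetical, the generated PKI is constructed test data, and openssl must be on PATH.

```shell
#!/bin/sh
# Added example, not from the question, the answer, Tomcat or XCA.
# Checks the PEM files exported from XCA before the APR connector is pointed at
# them, then prints the matching <Connector>. Assumes openssl is on PATH;
# every file name here is hypothetical.

WORK="${TMPDIR:-/tmp}/xca-tomcat-demo.$$"

# Stand-in for the XCA export (constructed here, not real data): a self-signed
# CA, a SHA-256 server certificate with a SAN issued by it, and an unrelated
# key used to show what a key/certificate mismatch looks like.
make_demo_pki() {
    mkdir -p "$WORK" || return 1
    printf 'subjectAltName=DNS:localhost\n' > "$WORK/san.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 &&
    openssl x509 -req -sha256 -days 30 -in "$WORK/server.csr" -extfile "$WORK/san.cnf" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$WORK/other.key" 2048 >/dev/null 2>&1
}

# key_matches_cert KEY CERT: succeed only if KEY's public half equals the
# public key inside CERT (both compared as PEM SubjectPublicKeyInfo).
key_matches_cert() {
    openssl pkey -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -noout >/dev/null 2>&1 || return 1
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_chains_to_ca CA CERT: succeed only if CERT verifies against CA.
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# cert_sig_alg CERT: print the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# cert_san CERT: print the subject alternative names, empty if there are none.
cert_san() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        sed -n '/X509v3 Subject Alternative Name/{n;s/^ *//p;}'
}

# check_tls_files KEY CERT CA: run the checks Tomcat and the browsers care
# about; print the first problem and fail, or succeed silently.
check_tls_files() {
    key_matches_cert "$1" "$2" || { echo "$1 does not belong to $2" >&2; return 1; }
    cert_chains_to_ca "$3" "$2" || { echo "$2 does not chain to $3" >&2; return 1; }
    case "$(cert_sig_alg "$2")" in
        sha1*|md5*) echo "$2 is signed with $(cert_sig_alg "$2"); browsers reject that" >&2; return 1 ;;
    esac
    [ -n "$(cert_san "$2")" ] || { echo "$2 has no subjectAltName; modern browsers ignore the CN" >&2; return 1; }
    return 0
}

# tomcat_apr_connector KEY CERT CA: print the Tomcat 8.0 APR connector for the
# files. SSLCACertificateFile is only required because client certificates are
# demanded; SSLCertificateChainFile is left out because the server certificate
# is issued directly by the root CA (add it when an intermediate is involved).
tomcat_apr_connector() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           SSLProtocol="TLSv1.2"
           SSLCipherSuite="HIGH:!aNULL:!MD5"
           SSLCertificateFile="$2"
           SSLCertificateKeyFile="$1"
           SSLVerifyClient="require"
           SSLCACertificateFile="$3" />
EOF
}

# Demo run: build the stand-in PKI, show a rejected mismatch and a passing set,
# then print the connector. Files are left in $WORK for inspection.
if make_demo_pki; then
    check_tls_files "$WORK/other.key" "$WORK/server.crt" "$WORK/ca.crt" ||
        echo "(mismatched key rejected, as intended)"
    check_tls_files "$WORK/server.key" "$WORK/server.crt" "$WORK/ca.crt" &&
        echo "PEM files are consistent; connector follows" &&
        tomcat_apr_connector "$WORK/server.key" "$WORK/server.crt" "$WORK/ca.crt"
else
    echo "openssl not available or key generation failed" >&2
fi
```

To use it against a real XCA export, call check_tls_files with the server key, the server certificate and the CA certificate you exported (each as a plain PEM file), and only then paste the printed connector into server.xml; the key/certificate mismatch check is the one that catches the most common export mistake, which is exporting a certificate but a different key.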
