https, http2 and pfx certificates, Tomcat configuration

[joben]

Was troubleshooting something and thought switching from http 1.1 to http2 would solve the specific problem. It didn't, but It might still be useful for someone else to be able to serve content as http2 when using https. We have been using .pfx files as our certificates, and most documentation of Tomcat stuff is always about pem and chain files. The Tomcat documentation is not as good as I had wished, and there is no proper testing command for Tomcat that I know of (like nginx -T).

So after some trial and error, this is how we combined .pfx certificates and http2 configuration:

http2pfx.png (48.94 KiB) Viewed 26167 times

[Jaymer]

thats cool.
There's a ton of examples out there for Tomcat and certs, and everyone seems to do it a different way. Frustrating.
Don't know if this is bad or less secure, but
i stopped messing with the keystore this way:

tomcat_certs.png (24.77 KiB) Viewed 26160 times

[joben]

The main reason for us to use .pfx is because our certs are initially created inside IIS on a different server, then they are exported as .pfx files and used in various servers.
Pretty sure it is possible for us to do the trinity thing (key, bundle, cert) like in your configuration, but I am afraid it would involve some extra steps in our case. I just thought the Tomcat documentation was lacking a bit, so hopefully some pfx fanboys out there can use this code snippet.