All,
I've been trying to convert an OpenSSL-generated key and certificate into a keystore for use with Tomcat. I had given up on this months ago and now I'm resuming my attempts.

What I've done so far:

1. Created an RSA private key using openssl
2. Created a certificate request using openssl
3. Obtained a signed certificate from a CA
4. Attempted to combine my key and certificate into a PKCS12 file using openssl:

   $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
       -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12

5. Imported the PKCS12 store into a Java keystore using keytool:

   $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
       -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12

This is what my keytool now says is in the store:

   $ keytool -list -keystore conf/${HOSTNAME}.jks
   Enter keystore password:

   Keystore type: JKS
   Keystore provider: SUN

   Your keystore contains 1 entry

   1, May 1, 2014, PrivateKeyEntry,
   Certificate fingerprint (MD5): EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A

I set the password for the Java keystore to "changeit".

Now, in Tomcat:

   <Connector port="8443"
              protocol="org.apache.coyote.http11.Http11NioProtocol"
              keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
              keystorePass="changeit"
              URIEncoding="UTF-8"
              sslProtocol="SSL"
              SSLEnabled="true"
              scheme="https"
              secure="true" />

(Note that ${HOSTNAME}.jks has been expanded in my actual server.xml file.)

Here's what happens when I launch Tomcat:

org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
        at java.security.KeyStore.getKey(KeyStore.java:763)
        at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:560)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        ... 13 more

Have I missed a step somewhere? I know that I'll probably need to import the CA's intermediate certificate at some point, but that shouldn't be necessary, yet.

I tried using Portecle, but Portecle can't seem to read my OpenSSL key in the first place. Perhaps I have to convert to PKCS12 format first?
Thanks,
-chris
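The trace above bottoms out in KeyStore.getKey, which throws UnrecoverableKeyException when the password offered for a JKS PrivateKeyEntry is not the one that entry was protected with; the entry password can differ from the store password (keytool -importkeystore carries the PKCS12 export password over as the entry password, and Tomcat's JSSE connector uses keystorePass for the key unless keyPass is set). The diagnostic below is an added example, not code from the original post: it loads a keystore and reports, per key entry, whether the store password or a separately supplied key password recovers it. The class name and the command-line layout are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

// Diagnostic for "java.security.UnrecoverableKeyException: Cannot recover key".
// Usage: java KeyPassCheck <keystore.jks> <storePass> [keyPass]
// (class name and argument layout are assumptions for this example)
public class KeyPassCheck {

    // Returns true if the key entry 'alias' can be recovered with 'password',
    // i.e. the same call the SunX509 key manager makes during Tomcat startup.
    static boolean canRecover(KeyStore ks, String alias, char[] password) throws Exception {
        try {
            Key k = ks.getKey(alias, password);
            return k != null;
        } catch (UnrecoverableKeyException e) {
            return false;   // exactly the failure seen in the stack trace above
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeyPassCheck <keystore.jks> <storePass> [keyPass]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : null;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            // The store password only verifies the JKS integrity hash; it does not
            // decrypt key entries, so a load() success says nothing about keyPass.
            ks.load(in, storePass);
        }

        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;   // trustedCertEntry has no key to recover
            boolean withStore = canRecover(ks, alias, storePass);
            System.out.printf("%s: recoverable with keystorePass=%b%n", alias, withStore);
            if (!withStore && keyPass != null) {
                boolean withKey = canRecover(ks, alias, keyPass);
                System.out.printf("%s: recoverable with supplied keyPass=%b%n", alias, withKey);
            }
        }
    }
}
```

If an entry is recoverable only with the supplied key password, the Connector needs a matching keyPass attribute, or the entry can be re-imported with -destkeypass equal to the store password.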