On May 1, 2014, at 7:56 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> All,
>
> I've been trying to convert an OpenSSL-generated key and certificate
> into a keystore for use with Tomcat. I had given up on this months ago
> and now I'm resuming my attempts.
>
> What I've done so far:
>
> 1. Created an RSA private key using openssl
> 2. Created a certificate request using openssl
> 3. Obtained a signed certificate from a CA
> 4. Attempted to combine my key and certificate into a PKCS12 file
>    using openssl:
>
> $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
>     -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12
>
> 5. Import the PKCS12 store into a Java keystore using keytool:
>
> $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
>     -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12
>
> This is what my keytool now says is in the store:
>
> $ keytool -list -keystore conf/${HOSTNAME}.jks
> Enter keystore password:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> 1, May 1, 2014, PrivateKeyEntry,
> Certificate fingerprint (MD5):
> EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A
>
> I set the password for the Java keystore to "changeit". Now, in Tomcat:
>
> <Connector port="8443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
>            keystorePass="changeit"

Have you tried setting keyAlias and keyPass?

Dan

>            URIEncoding="UTF-8"
>            sslProtocol="SSL"
>            SSLEnabled="true"
>            scheme="https"
>            secure="true"
>            />
>
> (Note that ${HOSTNAME}.jks has been expanded in my actual server.xml
> file.)
>
> Here's what happens when I launch Tomcat:
>
> org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
>   at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>   at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>   at java.lang.reflect.Method.invoke(Method.java:597)
>   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
>   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
>   at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>   ... 12 more
>
> Caused by: java.security.UnrecoverableKeyException: Cannot recover key
>   at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
>   at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
>   at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
>   at java.security.KeyStore.getKey(KeyStore.java:763)
>   at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
>   at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
>   at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
>   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:560)
>   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489)
>   at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
>   at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
>   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
>   at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>   at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
>   ... 13 more
>
> Have I missed a step somewhere? I know that I'll probably need to
> import the CA's intermediate certificate at some point, but that
> shouldn't be necessary, yet.
>
> I tried using Portecle, but Portecle can't seem to read my OpenSSL key
> in the first place. Perhaps I have to convert to PKCS12 format first?
>
> Thanks,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iQIcBAEBCAAGBQJTYmC6AAoJEBzwKT+lPKRYQI0P/R0zPaErMOGUm+AVDspptCHx
> IokL3ndEvPvfJ80l5chRFGGEQ0xI6etrgLmrvfwpjSgmMy7YkBYkFrjIUVO7xf3Y
> ETJIV+YZY1YV0ungDU2ogoUOw3lVmYeDs5ocWbJ2MTJN3nkE7qXu6EWlPxrUJKzY
> tMipZZyPKax0AWunyCttMBC7LkKWYF+zYexSN88cIl/8FvoPIB4cawxvppijjsUu
> qC/lpW6ldWvtbadCnEIxlhcBencHgAPyFEL/hoElelgh/0t4mzM06DKAKJM9Jziy
> XpDOWpncJDoV4rfbs23XOD2xeatZ2O4oFMFUyvYtLTIY9wpGA1tUtFSL3rDC6RPS
> fJxMi+9cBISU6IDlZdSNx25iaCGt8Bs0/fJgpSVAOdw72vkLmBqHObgV69A8XH8t
> Ph22EoVuLjP9NLVA+ydtA70ipCAebi9Ol/bF5JtUmqSkSjXfckDB0kDcQ+Kb+MRC
> VRuqpqOjOsNEb7rY7GOFgvIYZ+uU0q1zZ6RzRt/4fGoBXXI9uW7LwK0QI6MGRu74
> T+Tg4wkSt7NtEssa5hKRWXOCulICQFAbqdxeEwiRiBn47hH7tsRYsh4vmta7f8+q
> Ff7NRPr7HnCB0V1UpbVac83o8dXWqqMhxwtRDJXqiJsMRNmM+WLHuv8rEc1qtzCr
> ubiOTOFCusMXtRXsessh
> =xqs9
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
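The conversion steps in the quoted post, reworked as an added example (not code from the thread, from Chris, or from the Tomcat project). The stack trace ends in KeyProtector.recover called from KeyManagerFactory.init with the keystore password: when keyPass is not set on the Connector, Tomcat unlocks the private key with keystorePass. keytool -importkeystore gives the destination entry the source key password (for a PKCS12 that is the export password), not the new store password, so a JKS whose store password is "changeit" but whose key still carries the export password produces exactly "Cannot recover key". The script below builds the JKS both ways and checks key recoverability the way Tomcat does. Assumed, and not from the page: openssl and keytool on PATH, the alias "tomcat", the password values, and a throwaway self-signed key and certificate standing in for the CA-issued ${HOSTNAME}.key and ${HOSTNAME}.crt.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or the Tomcat project.
# Rebuilds OpenSSL key+cert -> PKCS12 -> JKS so that the JKS key password
# matches the keystore password, which is what Tomcat uses when keyPass is
# unset. Assumes openssl and keytool on PATH; alias and passwords are
# placeholders.
set -eu

# Constructed stand-in for the CA-issued ${HOSTNAME}.key / ${HOSTNAME}.crt:
# a throwaway self-signed key and certificate written to $1/example.{key,crt}.
make_test_material() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$dir/example.key" -out "$dir/example.crt" >/dev/null 2>&1
}

# make_jks <dir> <alias> <pkcs12-export-pass> <jks-store-pass> <jks-key-pass|"">
# Writes $dir/$alias.jks.  -name sets the PKCS12 friendlyName, which becomes
# the JKS alias (without it the entry is listed as "1", as in the post).
# With an empty key password the -destkeypass option is omitted, reproducing
# the post's import: the entry then keeps the PKCS12 export password.
# If an older JDK cannot read a PKCS12 written by OpenSSL 3, add -legacy to
# the openssl pkcs12 command (assumption about the local toolchain).
make_jks() {
    dir=$1; alias_name=$2; exportpass=$3; storepass=$4; keypass=$5
    rm -f "$dir/$alias_name.p12" "$dir/$alias_name.jks"
    openssl pkcs12 -export -name "$alias_name" \
        -in "$dir/example.crt" -inkey "$dir/example.key" \
        -out "$dir/$alias_name.p12" -passout "pass:$exportpass"
    set -- -importkeystore -noprompt \
        -srckeystore "$dir/$alias_name.p12" -srcstoretype PKCS12 \
        -srcstorepass "$exportpass" -srcalias "$alias_name" \
        -destkeystore "$dir/$alias_name.jks" -deststoretype JKS \
        -deststorepass "$storepass" -destalias "$alias_name"
    [ -z "$keypass" ] || set -- "$@" -destkeypass "$keypass"
    keytool "$@" >/dev/null 2>&1
}

# key_recoverable <jks> <alias> <store-pass> <key-pass>
# Returns 0 if the private key can be unlocked with <key-pass>, 1 otherwise.
# keytool -keypasswd must recover the key before re-protecting it, so
# re-setting the key password to itself is a side-effect-free probe; a wrong
# key password yields "keytool error: java.security.UnrecoverableKeyException:
# Cannot recover key", the same exception Tomcat reports at startup.
key_recoverable() {
    jks=$1; alias_name=$2; storepass=$3; keypass=$4
    keytool -keypasswd -keystore "$jks" -storepass "$storepass" \
        -alias "$alias_name" -keypass "$keypass" -new "$keypass" >/dev/null 2>&1
}

# Stand-alone usage: sh jks_from_openssl.sh <workdir>
if [ -n "${1:-}" ]; then
    make_test_material "$1"
    make_jks "$1" tomcat exportsecret changeit ""        # as in the post
    if key_recoverable "$1/tomcat.jks" tomcat changeit changeit; then
        echo "unexpected: key recoverable with keystore password"
    else
        echo "as in the post: key NOT recoverable with keystore password"
    fi
    make_jks "$1" tomcat exportsecret changeit changeit  # re-keyed on import
    key_recoverable "$1/tomcat.jks" tomcat changeit changeit \
        && echo "fixed: key recoverable with keystore password"
fi
```

Two ways out of the reported error follow from this: re-key the entry on import with -destkeypass equal to the keystore password (above), or leave the key password as it is and set keyPass="<export password>" on the Connector, which is what the reply suggests. Either way, setting keyAlias explicitly (here "tomcat", or "1" for a store imported without -name) avoids depending on which entry Tomcat picks first.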