On Thu, Mar 28, 2019 at 5:05 PM Mark Thomas <ma...@apache.org> wrote:
> On 28/03/2019 17:18, Ethan Jensen wrote:
> > On Thu, Mar 28, 2019 at 11:11 AM Mark Thomas <ma...@apache.org> wrote:
> >
> > <snip/>
> >
> >> Can you post the header of your private key file? It should look
> >> something like:
> >>
> >> -----BEGIN RSA PRIVATE KEY-----
> >> Proc-Type: 4,ENCRYPTED
> >> DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78
> >>
> >> Thanks,
> >>
> >> Mark
> >>
> >>
> > Here you are:
> >
> > Bag Attributes
> >     localKeyID: 14 A3 77 23 14 44 3E 99 FD 7D A4 BE C3 4C 10 D0 DD 5A DA 0B
> >     friendlyName: mydomain.com
> > Key Attributes: <No Attributes>
> > -----BEGIN ENCRYPTED PRIVATE KEY-----
>
> Bingo. That is a PKCS#8 format file that OpenSSL understands but JSSE
> does not. The fix I had in mind does work. Now I understand why the
> problem occurred and can confirm that the fix works, I'll apply it for
> the next release. As a workaround you can convert that private key to
> PKCS#1 format.
>
> Mark
>
>

Mark,

I can confirm that this does work! I converted the key and when starting up Tomcat am greeted with this message in the log:

...
29-Mar-2019 14:43:30.865 INFO [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [conf/tls_config/20200411/star_mydomain_com.pem] or its private key [conf/tls_config/20200411/star_mydomain_com.key] could not be processed using a JSSE key manager and will be given directly to OpenSSL
...

For future reference, can you share how you determined the key was in a PKCS#8 format? I had tried to ascertain that ahead of time, but didn't see anything readily identifiable (to me), though I'm not terribly familiar with particular key formats and perhaps it was just a recognition thing (for you).

Thanks, Mark! Appreciate the assistance.

--
Ethan
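
The identification in this thread rests on the PEM header line, shown here as an added example that is not part of the original messages or of Tomcat: `RSA PRIVATE KEY` (with `Proc-Type`/`DEK-Info` headers when encrypted) is the traditional PKCS#1 form, while `PRIVATE KEY` and `ENCRYPTED PRIVATE KEY` are PKCS#8. The function name `classify_private_key` is hypothetical and the sample key bodies are constructed dummies.

```python
import re

# PEM label -> container format (RFC 7468 and traditional OpenSSL labels).
LABELS = {
    "RSA PRIVATE KEY": "PKCS#1",
    "PRIVATE KEY": "PKCS#8",
    "ENCRYPTED PRIVATE KEY": "PKCS#8",
}
BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

def classify_private_key(pem_text):
    """Return (format, encrypted, cipher) for the first private key found."""
    lines = [ln.strip() for ln in pem_text.splitlines()]
    for i, line in enumerate(lines):
        m = BEGIN.match(line)
        if not m or m.group(1) not in LABELS:
            continue  # skips "Bag Attributes" preamble and certificates
        label = m.group(1)
        encrypted, cipher = label == "ENCRYPTED PRIVATE KEY", None
        # PKCS#1 files flag encryption in headers after the BEGIN line.
        for header in lines[i + 1:]:
            name, sep, value = header.partition(":")
            if not sep:
                break  # blank line or base64 body: headers are over
            if name == "Proc-Type" and "ENCRYPTED" in value:
                encrypted = True
            elif name == "DEK-Info":
                cipher = value.split(",")[0].strip()
        return LABELS[label], encrypted, cipher
    raise ValueError("no private key PEM block found")

# Constructed samples: headers as quoted in the thread, dummy body.
TRADITIONAL = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
"""
PKCS8 = """Bag Attributes
    friendlyName: mydomain.com
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
Q09OU1RSVUNURUQ=
-----END ENCRYPTED PRIVATE KEY-----
"""

if __name__ == "__main__":
    for sample in (TRADITIONAL, PKCS8):
        print(classify_private_key(sample))
```

For an encrypted PKCS#8 key the cipher is reported as `None` because it is recorded inside the encoded structure rather than in a text header.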