On 29/03/2019 18:52, Ethan Jensen wrote:
> On Thu, Mar 28, 2019 at 5:05 PM Mark Thomas <ma...@apache.org> wrote:
>
>> On 28/03/2019 17:18, Ethan Jensen wrote:
>>> On Thu, Mar 28, 2019 at 11:11 AM Mark Thomas <ma...@apache.org> wrote:
>>
>> <snip/>
>>
>>>> Can you post the header of your private key file? It should look
>>>> something like:
>>>>
>>>> -----BEGIN RSA PRIVATE KEY-----
>>>> Proc-Type: 4,ENCRYPTED
>>>> DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78
>>>>
>>>> Thanks,
>>>>
>>>> Mark
>>>>
>>>>
>>> Here you are:
>>>
>>> Bag Attributes
>>> localKeyID: 14 A3 77 23 14 44 3E 99 FD 7D A4 BE C3 4C 10 D0 DD 5A DA 0B
>>> friendlyName: mydomain.com
>>> Key Attributes: <No Attributes>
>>> -----BEGIN ENCRYPTED PRIVATE KEY-----
>>
>> Bingo. That is a PKCS#8 format file that OpenSSL understands but JSSE
>> does not. The fix I had in mind does work. Now I understand why the
>> problem occurred and can confirm that the fix works, I'll apply it for
>> the next release. As a workaround you can convert that private key to
>> PKCS#1 format.
>>
>> Mark
>>
>>
> Mark,
>
> I can confirm that this does work! I converted the key and when starting
> up Tomcat am greeted with this message in the log:
>
> ...
> 29-Mar-2019 14:43:30.865 INFO [main]
> org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The
> certificate [conf/tls_config/20200411/star_mydomain_com.pem] or its private
> key [conf/tls_config/20200411/star_mydomain_com.key] could not be processed
> using a JSSE key manager and will be given directly to OpenSSL
> ...
>
> For future reference, can you share how you determined the key was in a
> PKCS#8 format? I had tried to ascertain that ahead of time, but didn't see
> anything readily identifiable (to me), though I'm not terribly familiar
> with particular key formats and perhaps it was just a recognition thing
> (for you).

I googled for "-----BEGIN ENCRYPTED PRIVATE KEY-----"

Mark
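
The header check discussed in this thread, as an added example that is not part of the original messages or of Tomcat: a small Python classifier that reads the PEM BEGIN label, skipping any preamble such as the "Bag Attributes" lines quoted above, and reports the container format and whether the key is encrypted. The function name `classify_pem_key` and the sample bodies are constructed for illustration.

```python
import re

# PEM label -> container format. Labels per RFC 7468 and OpenSSL's traditional output.
LABELS = {
    "RSA PRIVATE KEY": "PKCS#1",
    "EC PRIVATE KEY": "SEC1",
    "PRIVATE KEY": "PKCS#8",
    "ENCRYPTED PRIVATE KEY": "PKCS#8",
}
BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")

def classify_pem_key(text):
    """Return (format, encrypted) for the first private-key block, or None."""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        m = BEGIN_RE.match(line)
        if not m or m.group(1) not in LABELS:
            continue  # preamble text, certificates, public keys
        label = m.group(1)
        if label == "ENCRYPTED PRIVATE KEY":
            return LABELS[label], True  # PKCS#8: encryption is named in the label
        # Traditional format: encryption is flagged by headers after the BEGIN line.
        encrypted = False
        for hdr in lines[i + 1:]:
            if ":" not in hdr:
                break  # blank line or first base64 line ends the header block
            if hdr.startswith("Proc-Type:") and "ENCRYPTED" in hdr:
                encrypted = True
        return LABELS[label], encrypted
    return None

# Constructed samples modelled on the two headers quoted in the thread;
# the "AAAA" bodies are placeholders, not key material.
PKCS1_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78

AAAA
-----END RSA PRIVATE KEY-----
"""
PKCS8_SAMPLE = """Bag Attributes
friendlyName: mydomain.com
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
AAAA
-----END ENCRYPTED PRIVATE KEY-----
"""
```

Calling `classify_pem_key` on the text of a key file before deploying it shows up front whether the file is the encrypted PKCS#8 form that triggered the problem in this thread.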