Rob,
On 1/22/21 15:21, Rob Sargent wrote:
>>> For completeness, I must admit that I was unable to use PKCS12 files. I
>>> had to use JKS format.
>>> I copied and transformed my cacerts files as per keytool recommendation:
>>> keytool -importkeystore -srckeystore /usr/lib/jvm/java-15-oracle/lib/security/cacerts -destkeystore /tmp/key/cacerts.pkcs12 -deststoretype pkcs12
>>> Then add tomcat's localhost key
>>> keytool -importkeystore -srckeystore localhost-rsa-key.pem -srcstoretype pkcs12 -destkeystore /tmp/key/cacerts.pkcs12 -deststoretype pkcs12 -srcalias tomcat -destalias tomcat
>>> keytool error: java.io.IOException: toDerInputStream rejects tag type 45
>> You are telling keytool to read-in localhost-rsa-key.pem as a PKCS12
>> file, which is most likely wrong. You don't want to import a keystore,
>> you want to import a key. Unfortunately, keytool doesn't allow that. But
>> openssl does:
>> $ openssl pkcs12 -export -in localhost-rsa.crt -inkey localhost-rsa-key.pem -certfile CA-intermediate.crt -out localhost.p12 -chain
>> Now you can import that keystore into your cacerts file:
>> $ keytool -importkeystore -srckeystore localhost.p12 -srcstoretype pkcs12 -destkeystore /tmp/key/cacerts.pkcs12 -deststoretype pkcs12 -srcalias tomcat -destalias tomcat
> Try to get the alias from the .pems
> keytool -list -keystore localhost-rsa-cert.pem -storetype pkcs12
> keytool error: java.io.IOException: toDerInputStream rejects tag type 67
> keytool -list -keystore localhost-rsa-key.pem -storetype pkcs12
> keytool error: java.io.IOException: toDerInputStream rejects tag type 45
> I'm certainly doing something wrong, but I'm sticking with JKS for now.
PEM files aren't keystores, so keytool can do almost nothing with them.
You can import a PEM certificate, but not its key (directly).
Why are you copying everything from the JVM's cacerts file into your
keystore? Maybe I'm confused about what you are trying to do.
Most people just want to mint a key+cert and have Tomcat use that for
TLS. You can do that very simply:
$ keytool -genkey -keyalg RSA -sigalg SHA256withRSA -keysize 4096 -alias
${HOSTNAME} -keystore ${HOSTNAME}.p12 -storetype PKCS12 -ext
san=dns:${HOSTNAME}
Fill-out all the stuff. This gives you a new RSA key and a self-signed
certificate. If self-signed is okay with you, you are done.
If you want to have that signed by a CA, then you:
$ keytool -certreq -alias ${HOSTNAME} -file ${HOSTNAME}.csr -keystore
${HOSTNAME}.p12 -storetype PKCS12
Now you have a CSR in ${HOSTNAME}.csr. Send it to your CA for signature.
Now import their signed cert into your keystore:
(CA's root first, if necessary)
$ keytool -import -alias [Authority.CA] -trustcacerts -file [authority's CA cert] -keystore ${HOSTNAME}.p12 -storetype PKCS12
(CA's intermediate, if necessary)
$ keytool -import -alias [Authority.intermediate] -trustcacerts -file [authority's intermediate cert] -keystore ${HOSTNAME}.p12 -storetype PKCS12
(Finally, your server's newly-signed cert, under the same alias as the key)
$ keytool -import -alias ${HOSTNAME} -file ${HOSTNAME}.crt -keystore ${HOSTNAME}.p12 -storetype PKCS12
Configure localhost.p12 as your keystore in <Certificate> and you should
be done.
There is no need to merge-in the JVM's trust store into your server's
key store.
Even better, if you like working with PEM files better (I do!), you
don't ever have to run keytool or use a PKCS12 or JKS file. Just use
the PEM file in:
<Certificate type="RSA"
certificateKeyFile=".key file goes here"
certificateFile=".crt file goes here" />
Hope that helps,
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
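The openssl-based route from the thread, worked end to end as an added example (this is not code from the original messages or from Tomcat): it creates a PEM key and certificate, bundles them into a PKCS12 keystore whose friendlyName is the alias that keytool and Tomcat will see, and checks the result. It also shows why keytool choked on the bare .pem files: a PEM key is not a PKCS12 container, so asking any tool to parse it as one fails. Assumed, and not from the page: openssl 1.1.1 or later on PATH, the host name tomcat.example, the alias tomcat, the password changeit, and the temporary output directory.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes openssl >= 1.1.1.
# Host name, alias, password and output directory below are illustrative.
set -eu

# Create a fresh RSA key and self-signed certificate with a DNS SAN. This stands
# in for the localhost-rsa.crt / localhost-rsa-key.pem pair in the thread.
# 2048 bits keeps the example fast; 4096 as in the thread works the same way.
make_pem() { # make_pem <host> <dir>
    host=$1; dir=$2
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/$host-key.pem" -out "$dir/$host.crt" \
        -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Bundle key + cert (+ optional chain file, as -certfile in the thread) into a
# PKCS12 keystore. -name sets the friendlyName, which is what keytool lists as
# the alias and what Tomcat's certificateKeyAlias refers to.
make_p12() { # make_p12 <host> <dir> <alias> <password> [chain.pem]
    host=$1; dir=$2; alias=$3; pass=$4; chain=${5:-}
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$dir/$host.crt" -inkey "$dir/$host-key.pem" \
            -certfile "$chain" -name "$alias" -passout "pass:$pass" -out "$dir/$host.p12"
    else
        openssl pkcs12 -export -in "$dir/$host.crt" -inkey "$dir/$host-key.pem" \
            -name "$alias" -passout "pass:$pass" -out "$dir/$host.p12"
    fi
}

# Print the alias (friendlyName) stored with the end-entity cert.
p12_alias() { # p12_alias <file> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# Print the DNS SAN(s) of the end-entity cert inside the keystore.
p12_san() { # p12_san <file> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | grep -o 'DNS:[^, ]*'
}

# Does the file parse as a PKCS12 container (MAC verified with the password)?
# A bare PEM key or cert does not, which is the "toDerInputStream rejects tag
# type" failure keytool reported in the thread.
is_p12() { # is_p12 <file> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    make_pem tomcat.example "$d"
    make_p12 tomcat.example "$d" tomcat changeit
    echo "alias: $(p12_alias "$d/tomcat.example.p12" changeit)"
    echo "san:   $(p12_san "$d/tomcat.example.p12" changeit)"
    is_p12 "$d/tomcat.example-key.pem" changeit \
        || echo "PEM key is not a PKCS12 keystore (expected)"
fi
```

Run with `sh script.sh demo`. Point Tomcat at the resulting .p12 with `certificateKeystoreFile`, `certificateKeystoreType="PKCS12"` and `certificateKeyAlias` matching the -name value. One caveat: OpenSSL 3 writes PKCS12 files with AES-256 and PBKDF2 by default, which JDKs older than 8u301 / 11.0.12 cannot read; add `-legacy` to the export command (OpenSSL 3) if such a JVM has to open the file.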