Hi Chris,

This is the output from C:> keytool -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12 (copy pasted the password as suggested by you):

C:\Windows\system32>"C:\Program Files\RedHat\java-11-openjdk-11.0.13-1\bin\keytool" -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

1, Dec 30, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 74:AB:90:B7:B9:89:1B:30:3A:CF:9A:1A:30:48:5F:D7:AC:39:87:CD:AE:E7:E3:92:69:49:D2:A8:6B:5D:FB:EB

Am fine with the email based support.

Thank you,
Veni

From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, December 30, 2022 3:47 AM
To: Tomcat Users List <users@tomcat.apache.org>; Janardhanan, Veni <vjanardha...@trueblue.com>
Subject: Re: Invalid Keystore format error on Tomcat

Veni,

On 12/29/22 04:30, Janardhanan, Veni wrote:
> When I start Tomcat this is what I see in the logs : (this is after I
> installed a CA signed trusted certificate on Tomcat). I’ve done the CA
> certificate install earlier on a different box and it worked fine, followed
> the same steps this time but seems to error out. Any thoughts/suggestions
> really appreciated. Both were on same versions of Windows on similar
> environments, no obvious differences at all.
>
> SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
> Caused by: java.lang.IllegalArgumentException: Invalid keystore format
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>
> When I have the self-signed certificate on Tomcat, am able to access my
> Crystal server’s Admin Console (except that it says ‘site is not secure’). My
> attempt is to try and secure the server here. The windows box has SAP BO BI
> 4.3 installed on it and Tomcat is the web server used.
>

Okay. What does this display:

C:> keytool -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12

?

Copy/paste the password from your certificateKeystorePassword and make sure there are no complaints.

> Hope this clarifies. If we need to do a screenshare/call, please reach
> out to me.

I'm happy to give email-based support for free, at my convenience. If you want me to help you and your team debug something in real-time, I can bill you for my time.

-chris

> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Wednesday, December 28, 2022 12:49 AM
> To: users@tomcat.apache.org
> Subject: Re: Invalid Keystore format error on Tomcat
>
> > Veni,
> >
> > On 12/23/22 12:16, Janardhanan, Veni wrote:
> >> Hi,
> >>
> >> I’ve a self-signed certificate installed on Tomcat 9 which works fine. This
> >> is a Crystal Server SAP BO BI 4.3 box.
> >> To make it secure I installed our CA signed certificate. After a restart I
> >> brought Tomcat up, the logs show ‘Invalid Keystore format’ error.
> >>
> >> Below is the config from server.xml.
> >>
> >> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
> >>     compressionMinSize="2048" URIEncoding="UTF-8" compression="on"
> >>     certificateKeyAlias="xxxxxxxx.corp.xxxxxxx.com"
> >>     compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/javascript,application/json"
> >>     maxThreads="200" scheme="https" secure="true" SSLEnabled="true">
> >>   <SSLHostConfig>
> >>     <Certificate certificateKeystoreFile="C:/SSL/certnew_pfx.pfx"
> >>         certificateKeystorePassword="Crystal!@#" keystoreType="PKCS12"
> >>         type="RSA" />
> >>   </SSLHostConfig>
> >> </Connector>
> >>
> >> Please suggest. Am stuck at this point unable to proceed further, any
> >> hints/thoughts highly appreciated!
> >
> > I'm sorry, I didn't realize that this was essentially a re-post of your
> > previous thread with subject "Install CA signed certificate on Tomcat 9".
> >
> > I see this was what was in your keystore:
> >
> > Your keystore contains 2 entries
> >
> > tomcat, Sep 8, 2022, PrivateKeyEntry,
> > Certificate fingerprint (SHA-256):
> > 8B:1D:5B:59:86:39:A5:CD:AB:2A:4A:45:13:2B:82:A1:44:CD:8A:E7:20:96:5A:02:0F:73:E3:5A:A6:DB:B6:FD
> > tomcat1, Sep 29, 2022, trustedCertEntry,
> > Certificate fingerprint (SHA-256):
> > 1F:A1:D5:1A:AD:5C:57:6C:B8:90:D8:CA:D1:89:2D:E1:1E:1F:7E:78:D2:19:72:CE:CC:3B:25:03:DE:0F:E1:B6
> >
> > On 23 Dec you said "when I access the Central Management Console, the
> > browser shows site as ‘Not Secure’".
> >
> > What is the Central Management Console?
> >
> > Is Tomcat able to start without throwing any errors in the log files?
> >
> > Are you able to reach the site, but get a browser warning that it's
> > "insecure"? I just want to make sure we are solving the right problem.
> >
> > -chris
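
Added example, not part of the mailing-list thread: a Python check that compares a connector definition like the one quoted above with `keytool -list` output. It flags a keystore-type attribute that is not the `certificateKeystoreType` name documented for `<Certificate>` in Tomcat 9 (default JKS), and a configured key alias that is not a private-key entry in the keystore. The sample XML and keytool text are constructed to mirror the thread (hostname, password and fingerprint are placeholders), and `keystore_entries` / `lint_connector` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread's connector (hostname/password are placeholders).
SERVER_XML = """
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           certificateKeyAlias="host.example.com" scheme="https" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="C:/SSL/certnew_pfx.pfx"
                 certificateKeystorePassword="PLACEHOLDER" keystoreType="PKCS12" type="RSA" />
  </SSLHostConfig>
</Connector>
"""

# Constructed `keytool -list` output in the shape shown in the thread.
KEYTOOL_LIST = """Keystore type: PKCS12
Your keystore contains 1 entry

1, Dec 30, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:11:22
"""

# One entry line: "<alias>, <Mon> <day>, <year>, <EntryType>,"
ENTRY = re.compile(r"^(?P<alias>.+?), \w{3} \d{1,2}, \d{4}, (?P<kind>\w+),\s*$", re.M)

def keystore_entries(keytool_output):
    """Map alias -> entry type parsed from `keytool -list` text."""
    return {m["alias"]: m["kind"] for m in ENTRY.finditer(keytool_output)}

def lint_connector(server_xml, keytool_output):
    """Return a list of findings for keystore-backed <Certificate> elements."""
    findings = []
    connector = ET.fromstring(server_xml)
    entries = keystore_entries(keytool_output)
    for cert in connector.iter("Certificate"):
        if "certificateKeystoreFile" not in cert.attrib:
            continue  # PEM-file configuration; not covered by this check
        # Tomcat 9 documents certificateKeystoreType on <Certificate>, default "JKS".
        if "certificateKeystoreType" not in cert.attrib:
            findings.append("no certificateKeystoreType on <Certificate>: default is JKS")
        if "keystoreType" in cert.attrib:
            findings.append("keystoreType is not a documented <Certificate> attribute")
        # The thread's config carries the alias on <Connector>; compare either location.
        alias = cert.get("certificateKeyAlias") or connector.get("certificateKeyAlias")
        # keytool lists JKS/PKCS12 aliases in lower case, so compare lower-cased.
        if alias and entries.get(alias.lower()) != "PrivateKeyEntry":
            findings.append(f"alias {alias!r} is not a PrivateKeyEntry; keystore has {sorted(entries)}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_connector(SERVER_XML, KEYTOOL_LIST)))
```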