Re: Invalid Keystore format error on Tomcat

Fri, 30 Dec 2022 07:08:58 -0800 

Veni,

On 12/30/22 00:47, Janardhanan, Veni wrote:
This is the output from C:> keytool -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12 (copy pasted the password as suggested by you): 


C:\Windows\system32>"C:\Program 
Files\RedHat\java-11-openjdk-11.0.13-1\bin\keytool" -list -keystore 
C:\SSL\certnew_pfx.pfx -storetype PKCS12


Enter keystore password:

Keystore type: PKCS12

Keystore provider: SUN

Your keystore contains 1 entry

1, Dec 30, 2022, PrivateKeyEntry,


Certificate fingerprint (SHA-256): 
74:AB:90:B7:B9:89:1B:30:3A:CF:9A:1A:30:48:5F:D7:AC:39:87:CD:AE:E7:E3:92:69:49:D2:A8:6B:5D:FB:EB


This is ... very strange.


Are you sure that Tomcat is running with the same JVM as your keytool 
command? (This really shouldn't matter, but the symptoms you report are 
strange indeed so I'm looking for anyting that might explain it.)



Can you run a similar command but with -v and post the results? Please 
remove any identifying information such as the hostname/CN/SAN from the 
certificate if you don't want to share those.


I'm preimarily interested in information like this:

Certificate fingerprints:
         SHA1: ED:BE:F0:43:64:3A:D9:65:36:15:00:51:55:09:9B:67:36:2A:7A:CB

         SHA256: 
01:B8:6D:AA:FB:78:A8:6F:88:D7:FE:21:15:D6:7D:CF:F5:E3:F5:39:FA:37:A7:D8:BC:79:E2:08:5E:B9:33:DF

Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key

> Am fine with the email based support.

;)

-chris


*From:*Christopher Schultz <ch...@christopherschultz.net>
*Sent:* Friday, December 30, 2022 3:47 AM

*To:* Tomcat Users List <users@tomcat.apache.org>; Janardhanan, Veni 
<vjanardha...@trueblue.com>

*Subject:* Re: Invalid Keystore format error on Tomcat


Veni, On 12/29/22 04: 30, Janardhanan, Veni wrote: > When I start Tomcat 
this is what I see in the logs : (this is after I installed a CA signed 
trusted certificate on Tomcat). I’ve done the CA certificate install 
earlier on a different box


ZjQcmQRYFpfptBannerStart

*This Message Is From an External Sender *

This message came from outside your organization.

ZjQcmQRYFpfptBannerEnd

Veni,

On 12/29/22 04:30, Janardhanan, Veni wrote:


When I start Tomcat this is what I see in the logs : (this is after I installed 
a CA signed trusted certificate on Tomcat). I’ve done the CA certificate 
install earlier on a different box and it worked fine, followed the same steps 
this time but seems to error out. Any thoughts/suggestions really appreciated. 
Both were on same versions of Windows on similar environments, no obvious 
differences at all.







SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]



org.apache.catalina.LifecycleException: Protocol handler initialization failed



                at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:983)



                at 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)



                at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)



                at 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)



                at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)



                at 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)



                at org.apache.catalina.startup.Catalina.load(Catalina.java:584)



                at org.apache.catalina.startup.Catalina.load(Catalina.java:607)



                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)



                at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)



                at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)



                at java.lang.reflect.Method.invoke(Method.java:498)



                at 
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)



                at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)



Caused by: java.lang.IllegalArgumentException: Invalid keystore format



                at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)



                at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)



                at 
org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)



                at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)



                at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)



                at 
org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)



                at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)



                at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:980)







When I have the self-signed certificate on Tomcat, am able to access my Crystal 
server’s Admin Console (except that it says ‘site is not secure’). My attempt 
it to try and secure the server here. The windows box has SAP BO BI 4.3 
installed on it and Tomcat is the web server used.






Okay. What does this display:

C:> keytool -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12

?

Copy/paste the password from your certificateKeystorePassword and make

sure there are no complaints.


Hope this clarifies. If we need to do a screenshare/call, please reac



out to me.


I'm happy to give email-based support for free, at my convenience. If

you want me to help you and your team debug something in real-time, I

can bill you for my time.

-chris


From: Christopher Schultz <ch...@christopherschultz.net 
<mailto:ch...@christopherschultz.net>>



Sent: Wednesday, December 28, 2022 12:49 AM



To: users@tomcat.apache.org <mailto:users@tomcat.apache.org>



Subject: Re: Invalid Keystore format error on Tomcat







Veni, On 12/23/22 12: 16, Janardhanan, Veni wrote: > Hi, > > I’ve a self-signed 
certificate installed on Tomcat 9 which works fine. This is a Crystal Server SAP BO BI 4. 3 
box. > To make it secure I installed our CA signed certificate. 



ZjQcmQRYFpfptBannerStart



This Message Is From an External Sender



This message came from outside your organization.



ZjQcmQRYFpfptBannerEnd







Veni,















On 12/23/22 12:16, Janardhanan, Veni wrote:







Hi,















I’ve a self-signed certificate installed on Tomcat 9 which works fine. This is 
a Crystal Server SAP BO BI 4.3 box.







To make it secure I installed our CA signed certificate. After a restart I 
brought Tomcat up, the logs show ‘Invalid Keystore format’ error.















Below is the config from server.xml.















<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"







                                              compressionMinSize="2048" 
URIEncoding="UTF-8" compression="on"







                                              
certificateKeyAlias="xxxxxxxx.corp.xxxxxxx.com"







                                
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/javascript,application/json"







               maxThreads="200" scheme="https" secure="true" SSLEnabled="true">







           <SSLHostConfig>







               <Certificate certificateKeystoreFile="C:/SSL/certnew_pfx.pfx"







                                                             
certificateKeystorePassword="Crystal!@#" keystoreType="PKCS12"







                            type="RSA" />







           </SSLHostConfig>







       </Connector>















Please suggest. Am stuck at this point unable to proceed further, any 
hints/thoughts highly appreciated!















I'm sorry, I didn't realize that this was essentially a re-post of your







previous thread with subject "Install CA signed certificate on Tomcat 9".















I see this was what was in your keystore:















Your keystore contains 2 entries















tomcat, Sep 8, 2022, PrivateKeyEntry,







Certificate fingerprint (SHA-256):







8B:1D:5B:59:86:39:A5:CD:AB:2A:4A:45:13:2B:82:A1:44:CD:8A:E7:20:96:5A:02:0F:73:E3:5A:A6:DB:B6:FD







tomcat1, Sep 29, 2022, trustedCertEntry,







Certificate fingerprint (SHA-256):







1F:A1:D5:1A:AD:5C:57:6C:B8:90:D8:CA:D1:89:2D:E1:1E:1F:7E:78:D2:19:72:CE:CC:3B:25:03:DE:0F:E1:B6















On 23 Dec you said "when I access the Central Management Console, the







browser shows site as ‘Not Secure’".















What is the Central Management Console?















Is Tomcat able to start without throwing any errors in the log files?















Are you able to reach the site, but get a browser warning that it's







"insecure"? I just want to make sure we are solving he right problem.















-chris















---------------------------------------------------------------------







To unsubscribe, e-mail: 
users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org 
<mailto:users-unsubscr...@tomcat.apache.org%3cmailto:users-unsubscr...@tomcat.apache.org>>







For additional commands, e-mail: users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org 

<mailto:users-h...@tomcat.apache.org%3cmailto:users-h...@tomcat.apache.org>>











---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to