Chris,
This is the output I have (removed all identifying information :
C:\Windows\system32>"C:\Program
Files\RedHat\java-11-openjdk-11.0.13-1\bin\keytool" -v -list -keystore
C:\SSL\certnew_pfx.pfx -storetype PKCS12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: 1
Creation date: Jan 2, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Serial number:
Valid from: Fri Dec 23 15:06:53 UTC 2022 until: Sun Dec 22 15:06:53 UTC 2024
Certificate fingerprints:
SHA1: 1A:50:88:EA:A3:32:B2:6B:AA:7A:B9:BE:FC:F7:88:AA:1B:D3:70:1D
SHA256:
74:AB:90:B7:B9:89:1B:30:3A:CF:9A:1A:30:48:5F:D7:AC:39:87:CD:AE:E7:E3:92:69:49:D2:A8:6B:5D:FB:EB
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 18 30 0A 06 08 2B 06 01 05 05 07 03 02 30 0A 0.0...+.......0.
0010: 06 08 2B 06 01 05 05 07 03 01 ..+.......
#2: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
0000: 30 2D 06 25 2B 06 01 04 01 82 37 15 08 9F CA 77 0-.%+.....7....w
0010: 82 92 8A 00 87 85 81 26 87 90 F7 3E 83 CD B8 67 .......&...>...g
0020: 81 3A 83 91 A4 6F AE 93 26 02 01 65 02 01 01 .:...o..&..e...
#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName:
,
accessMethod: caIssuers
accessLocation: URIName:
]
]
#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9E E8 BB AF 02 19 D1 DE 3B 5D 84 AD 66 94 FC E1 ........;]..f...
0010: 6D AC 2D F7 m.-.
]
]
#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: ldap
]]
#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
clientAuth
serverAuth
]
#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName:
]
#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C 13 0C DA 4F AF 78 B8 6E DE 2F 29 46 9E 20 E6 ....O.x.n./)F. .
0010: FC F4 5D 36 ..]6
]
]
*******************************************
Thanks,
Veni
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, December 30, 2022 8:39 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Invalid Keystore format error on Tomcat
Veni, On 12/30/22 00: 47, Janardhanan, Veni wrote: > This is the output from C:
> keytool -list -keystore > C: \SSL\certnew_pfx. pfx -storetype PKCS12 (copy
pasted the password as > suggested by you): > > C: \Windows\system32>"C:
\Program
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
ZjQcmQRYFpfptBannerEnd
Veni,
On 12/30/22 00:47, Janardhanan, Veni wrote:
> This is the output from C:> keytool -list -keystore
> C:\SSL\certnew_pfx.pfx -storetype PKCS12 (copy pasted the password as
> suggested by you):
>
> C:\Windows\system32>"C:\Program
> Files\RedHat\java-11-openjdk-11.0.13-1\bin\keytool" -list -keystore
> C:\SSL\certnew_pfx.pfx -storetype PKCS12
>
> Enter keystore password:
>
> Keystore type: PKCS12
>
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> 1, Dec 30, 2022, PrivateKeyEntry,
>
> Certificate fingerprint (SHA-256):
> 74:AB:90:B7:B9:89:1B:30:3A:CF:9A:1A:30:48:5F:D7:AC:39:87:CD:AE:E7:E3:92:69:49:D2:A8:6B:5D:FB:EB
This is ... very strange.
Are you sure that Tomcat is running with the same JVM as your keytool
command? (This really shouldn't matter, but the symptoms you report are
strange indeed so I'm looking for anyting that might explain it.)
Can you run a similar command but with -v and post the results? Please
remove any identifying information such as the hostname/CN/SAN from the
certificate if you don't want to share those.
I'm preimarily interested in information like this:
Certificate fingerprints:
SHA1: ED:BE:F0:43:64:3A:D9:65:36:15:00:51:55:09:9B:67:36:2A:7A:CB
SHA256:
01:B8:6D:AA:FB:78:A8:6F:88:D7:FE:21:15:D6:7D:CF:F5:E3:F5:39:FA:37:A7:D8:BC:79:E2:08:5E:B9:33:DF
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
> Am fine with the email based support.
;)
-chris
> *From:*Christopher Schultz
> <ch...@christopherschultz.net<mailto:ch...@christopherschultz.net>>
> *Sent:* Friday, December 30, 2022 3:47 AM
> *To:* Tomcat Users List
> <users@tomcat.apache.org<mailto:users@tomcat.apache.org>>; Janardhanan, Veni
> <vjanardha...@trueblue.com<mailto:vjanardha...@trueblue.com>>
> *Subject:* Re: Invalid Keystore format error on Tomcat
>
> Veni, On 12/29/22 04: 30, Janardhanan, Veni wrote: > When I start Tomcat
> this is what I see in the logs : (this is after I installed a CA signed
> trusted certificate on Tomcat). I’ve done the CA certificate install
> earlier on a different box
>
> ZjQcmQRYFpfptBannerStart
>
> *This Message Is From an External Sender *
>
> This message came from outside your organization.
>
> ZjQcmQRYFpfptBannerEnd
>
> Veni,
>
> On 12/29/22 04:30, Janardhanan, Veni wrote:
>
>> When I start Tomcat this is what I see in the logs : (this is after I
>> installed a CA signed trusted certificate on Tomcat). I’ve done the CA
>> certificate install earlier on a different box and it worked fine, followed
>> the same steps this time but seems to error out. Any thoughts/suggestions
>> really appreciated. Both were on same versions of Windows on similar
>> environments, no obvious differences at all.
>
>>
>
>> SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
>
>> org.apache.catalina.LifecycleException: Protocol handler initialization
>> failed
>
>> at
>> org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
>
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>
>> at
>> org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>
>> at
>> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
>
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>
>> at
>> org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>
>> at
>> org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
>> at java.lang.reflect.Method.invoke(Method.java:498)
>
>> at
>> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
>
>> at
>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>
>> Caused by: java.lang.IllegalArgumentException: Invalid keystore format
>
>> at
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>
>> at
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>
>> at
>> org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
>
>> at
>> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
>
>> at
>> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
>
>> at
>> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
>
>> at
>> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>
>> at
>> org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>
>>
>
>> When I have the self-signed certificate on Tomcat, am able to access my
>> Crystal server’s Admin Console (except that it says ‘site is not secure’).
>> My attempt it to try and secure the server here. The windows box has SAP BO
>> BI 4.3 installed on it and Tomcat is the web server used.
>
>>
>
> Okay. What does this display:
>
> C:> keytool -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12
>
> ?
>
> Copy/paste the password from your certificateKeystorePassword and make
>
> sure there are no complaints.
>
>> Hope this clarifies. If we need to do a screenshare/call, please reac
>
>> out to me.
>
> I'm happy to give email-based support for free, at my convenience. If
>
> you want me to help you and your team debug something in real-time, I
>
> can bill you for my time.
>
> -chris
>
>> From: Christopher Schultz <ch...@christopherschultz.net
>> <mailto:ch...@christopherschultz.net<mailto:ch...@christopherschultz.net%20%3cmailto:ch...@christopherschultz.net>>>
>
>> Sent: Wednesday, December 28, 2022 12:49 AM
>
>> To: users@tomcat.apache.org<mailto:users@tomcat.apache.org>
>> <mailto:users@tomcat.apache.org>
>
>> Subject: Re: Invalid Keystore format error on Tomcat
>
>>
>
>> Veni, On 12/23/22 12: 16, Janardhanan, Veni wrote: > Hi, > > I’ve a
>> self-signed certificate installed on Tomcat 9 which works fine. This is a
>> Crystal Server SAP BO BI 4. 3 box. > To make it secure I installed our CA
>> signed certificate.
>
>> ZjQcmQRYFpfptBannerStart
>
>> This Message Is From an External Sender
>
>> This message came from outside your organization.
>
>> ZjQcmQRYFpfptBannerEnd
>
>>
>
>> Veni,
>
>>
>
>>
>
>>
>
>> On 12/23/22 12:16, Janardhanan, Veni wrote:
>
>>
>
>>> Hi,
>
>>
>
>>>
>
>>
>
>>> I’ve a self-signed certificate installed on Tomcat 9 which works fine. This
>>> is a Crystal Server SAP BO BI 4.3 box.
>
>>
>
>>> To make it secure I installed our CA signed certificate. After a restart I
>>> brought Tomcat up, the logs show ‘Invalid Keystore format’ error.
>
>>
>
>>>
>
>>
>
>>> Below is the config from server.xml.
>
>>
>
>>>
>
>>
>
>>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>
>>
>
>>> compressionMinSize="2048"
>>> URIEncoding="UTF-8" compression="on"
>
>>
>
>>>
>>> certificateKeyAlias="xxxxxxxx.corp.xxxxxxx.com"
>
>>
>
>>>
>>> compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/javascript,application/json"
>
>>
>
>>> maxThreads="200" scheme="https" secure="true"
>>> SSLEnabled="true">
>
>>
>
>>> <SSLHostConfig>
>
>>
>
>>> <Certificate certificateKeystoreFile="C:/SSL/certnew_pfx.pfx"
>
>>
>
>>>
>>> certificateKeystorePassword="Crystal!@#" keystoreType="PKCS12"
>
>>
>
>>> type="RSA" />
>
>>
>
>>> </SSLHostConfig>
>
>>
>
>>> </Connector>
>
>>
>
>>>
>
>>
>
>>> Please suggest. Am stuck at this point unable to proceed further, any
>>> hints/thoughts highly appreciated!
>
>>
>
>>
>
>>
>
>> I'm sorry, I didn't realize that this was essentially a re-post of your
>
>>
>
>> previous thread with subject "Install CA signed certificate on Tomcat 9".
>
>>
>
>>
>
>>
>
>> I see this was what was in your keystore:
>
>>
>
>>
>
>>
>
>> Your keystore contains 2 entries
>
>>
>
>>
>
>>
>
>> tomcat, Sep 8, 2022, PrivateKeyEntry,
>
>>
>
>> Certificate fingerprint (SHA-256):
>
>>
>
>> 8B:1D:5B:59:86:39:A5:CD:AB:2A:4A:45:13:2B:82:A1:44:CD:8A:E7:20:96:5A:02:0F:73:E3:5A:A6:DB:B6:FD
>
>>
>
>> tomcat1, Sep 29, 2022, trustedCertEntry,
>
>>
>
>> Certificate fingerprint (SHA-256):
>
>>
>
>> 1F:A1:D5:1A:AD:5C:57:6C:B8:90:D8:CA:D1:89:2D:E1:1E:1F:7E:78:D2:19:72:CE:CC:3B:25:03:DE:0F:E1:B6
>
>>
>
>>
>
>>
>
>> On 23 Dec you said "when I access the Central Management Console, the
>
>>
>
>> browser shows site as ‘Not Secure’".
>
>>
>
>>
>
>>
>
>> What is the Central Management Console?
>
>>
>
>>
>
>>
>
>> Is Tomcat able to start without throwing any errors in the log files?
>
>>
>
>>
>
>>
>
>> Are you able to reach the site, but get a browser warning that it's
>
>>
>
>> "insecure"? I just want to make sure we are solving he right problem.
>
>>
>
>>
>
>>
>
>> -chris
>
>>
>
>>
>
>>
>
>> ---------------------------------------------------------------------
>
>>
>
>> To unsubscribe, e-mail:
>> users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org%3cmailto:users-unsubscr...@tomcat.apache.org>
>>
>> <mailto:users-unsubscr...@tomcat.apache.org%3cmailto:users-unsubscr...@tomcat.apache.org>>
>
>>
>
>> For additional commands, e-mail:
>> users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org%3cmailto:users-h...@tomcat.apache.org>
> <mailto:users-h...@tomcat.apache.org%3cmailto:users-h...@tomcat.apache.org>>
>
>>
>
>>
>
---------------------------------------------------------------------
To unsubscribe, e-mail:
users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org>
For additional commands, e-mail:
users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org>
