Re: Invalid Keystore format error on Tomcat

[Christopher Schultz]

Veni,

On 1/2/23 12:20, Janardhanan, Veni wrote:
Chris,
This is the output I have (removed all identifying information :

C:\Windows\system32>"C:\Program 
Files\RedHat\java-11-openjdk-11.0.13-1\bin\keytool" -v -list -keystore 
C:\SSL\certnew_pfx.pfx -storetype PKCS12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Jan 2, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Serial number:
Valid from: Fri Dec 23 15:06:53 UTC 2022 until: Sun Dec 22 15:06:53 UTC 2024
Certificate fingerprints:
          SHA1: 1A:50:88:EA:A3:32:B2:6B:AA:7A:B9:BE:FC:F7:88:AA:1B:D3:70:1D
          SHA256: 
74:AB:90:B7:B9:89:1B:30:3A:CF:9A:1A:30:48:5F:D7:AC:39:87:CD:AE:E7:E3:92:69:49:D2:A8:6B:5D:FB:EB
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 18 30 0A 06 08 2B 06   01 05 05 07 03 02 30 0A  0.0...+.......0.
0010: 06 08 2B 06 01 05 05 07   03 01                    ..+.......


#2: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
0000: 30 2D 06 25 2B 06 01 04   01 82 37 15 08 9F CA 77  0-.%+.....7....w
0010: 82 92 8A 00 87 85 81 26   87 90 F7 3E 83 CD B8 67  .......&...>...g
0020: 81 3A 83 91 A4 6F AE 93   26 02 01 65 02 01 01     .:...o..&..e...


#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
   [
    accessMethod: caIssuers
    accessLocation: URIName:
,
    accessMethod: caIssuers
    accessLocation: URIName:
]
]

#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9E E8 BB AF 02 19 D1 DE   3B 5D 84 AD 66 94 FC E1  ........;]..f...
0010: 6D AC 2D F7                                        m.-.
]
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
   [DistributionPoint:
      [URIName: ldap
]]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
   clientAuth
   serverAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
   DigitalSignature
   Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
   DNSName:
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C 13 0C DA 4F AF 78 B8   6E DE 2F 29 46 9E 20 E6  ....O.x.n./)F. .
0010: FC F4 5D 36                                        ..]6
]
]

For KeyUsages, I'd expect to see:

  DigitalSignature (yours has this)
  Key_CertSign (yours is missing this)
  Crl_Sign

Who signed this certificate? Which Certificaaate Authority?

Can you compare your self-signed certificate with the one signed by the 
CA and look at the KeyUsage section to see if they are different? It 
looks like maybe either the CSR you are sending to the CA is a little 
strange, or the response from the CA is strange.

Finally, can you please post the version of Tomcat that is being used 
and the complete stack trace for the error?

-chris

From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, December 30, 2022 8:39 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Invalid Keystore format error on Tomcat

Veni, On 12/30/22 00: 47, Janardhanan, Veni wrote: > This is the output from C: > keytool -list 
-keystore > C: \SSL\certnew_pfx. pfx -storetype PKCS12 (copy pasted the password as > suggested by 
you): > > C: \Windows\system32>"C: \Program
ZjQcmQRYFpfptBannerStart
This Message Is From an External Sender
This message came from outside your organization.
ZjQcmQRYFpfptBannerEnd

Veni,



On 12/30/22 00:47, Janardhanan, Veni wrote:

This is the output from C:> keytool -list -keystore

C:\SSL\certnew_pfx.pfx -storetype PKCS12 (copy pasted the password as

suggested by you):



C:\Windows\system32>"C:\Program

Files\RedHat\java-11-openjdk-11.0.13-1\bin\keytool" -list -keystore

C:\SSL\certnew_pfx.pfx -storetype PKCS12



Enter keystore password:



Keystore type: PKCS12



Keystore provider: SUN



Your keystore contains 1 entry



1, Dec 30, 2022, PrivateKeyEntry,



Certificate fingerprint (SHA-256):

74:AB:90:B7:B9:89:1B:30:3A:CF:9A:1A:30:48:5F:D7:AC:39:87:CD:AE:E7:E3:92:69:49:D2:A8:6B:5D:FB:EB



This is ... very strange.



Are you sure that Tomcat is running with the same JVM as your keytool

command? (This really shouldn't matter, but the symptoms you report are

strange indeed so I'm looking for anyting that might explain it.)



Can you run a similar command but with -v and post the results? Please

remove any identifying information such as the hostname/CN/SAN from the

certificate if you don't want to share those.



I'm preimarily interested in information like this:



Certificate fingerprints:

           SHA1: ED:BE:F0:43:64:3A:D9:65:36:15:00:51:55:09:9B:67:36:2A:7A:CB

           SHA256:

01:B8:6D:AA:FB:78:A8:6F:88:D7:FE:21:15:D6:7D:CF:F5:E3:F5:39:FA:37:A7:D8:BC:79:E2:08:5E:B9:33:DF

Signature algorithm name: SHA256withECDSA

Subject Public Key Algorithm: 256-bit EC (secp256r1) key



  > Am fine with the email based support.



;)



-chris



*From:*Christopher Schultz 
<ch...@christopherschultz.net<mailto:ch...@christopherschultz.net>>

*Sent:* Friday, December 30, 2022 3:47 AM

*To:* Tomcat Users List 
<users@tomcat.apache.org<mailto:users@tomcat.apache.org>>; Janardhanan, Veni

<vjanardha...@trueblue.com<mailto:vjanardha...@trueblue.com>>

*Subject:* Re: Invalid Keystore format error on Tomcat



Veni, On 12/29/22 04: 30, Janardhanan, Veni wrote: > When I start Tomcat

this is what I see in the logs : (this is after I installed a CA signed

trusted certificate on Tomcat). I’ve done the CA certificate install

earlier on a different box



ZjQcmQRYFpfptBannerStart



*This Message Is From an External Sender *



This message came from outside your organization.



ZjQcmQRYFpfptBannerEnd



Veni,



On 12/29/22 04:30, Janardhanan, Veni wrote:



When I start Tomcat this is what I see in the logs : (this is after I installed 
a CA signed trusted certificate on Tomcat). I’ve done the CA certificate 
install earlier on a different box and it worked fine, followed the same steps 
this time but seems to error out. Any thoughts/suggestions really appreciated. 
Both were on same versions of Windows on similar environments, no obvious 
differences at all.







SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]



org.apache.catalina.LifecycleException: Protocol handler initialization failed



                at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:983)



                at 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)



                at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)



                at 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)



                at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)



                at 
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)



                at org.apache.catalina.startup.Catalina.load(Catalina.java:584)



                at org.apache.catalina.startup.Catalina.load(Catalina.java:607)



                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)



                at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)



                at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)



                at java.lang.reflect.Method.invoke(Method.java:498)



                at 
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)



                at 
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)



Caused by: java.lang.IllegalArgumentException: Invalid keystore format



                at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)



                at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)



                at 
org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)



                at 
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)



                at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)



                at 
org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)



                at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)



                at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:980)







When I have the self-signed certificate on Tomcat, am able to access my Crystal 
server’s Admin Console (except that it says ‘site is not secure’). My attempt 
it to try and secure the server here. The windows box has SAP BO BI 4.3 
installed on it and Tomcat is the web server used.







Okay. What does this display:



C:> keytool -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12



?



Copy/paste the password from your certificateKeystorePassword and make



sure there are no complaints.



Hope this clarifies. If we need to do a screenshare/call, please reac



out to me.



I'm happy to give email-based support for free, at my convenience. If



you want me to help you and your team debug something in real-time, I



can bill you for my time.



-chris



From: Christopher Schultz <ch...@christopherschultz.net 
<mailto:ch...@christopherschultz.net<mailto:ch...@christopherschultz.net%20%3cmailto:ch...@christopherschultz.net>>>



Sent: Wednesday, December 28, 2022 12:49 AM



To: users@tomcat.apache.org<mailto:users@tomcat.apache.org> 
<mailto:users@tomcat.apache.org>



Subject: Re: Invalid Keystore format error on Tomcat







Veni, On 12/23/22 12: 16, Janardhanan, Veni wrote: > Hi, > > I’ve a self-signed 
certificate installed on Tomcat 9 which works fine. This is a Crystal Server SAP BO BI 4. 3 
box. > To make it secure I installed our CA signed certificate. 



ZjQcmQRYFpfptBannerStart



This Message Is From an External Sender



This message came from outside your organization.



ZjQcmQRYFpfptBannerEnd







Veni,















On 12/23/22 12:16, Janardhanan, Veni wrote:







Hi,















I’ve a self-signed certificate installed on Tomcat 9 which works fine. This is 
a Crystal Server SAP BO BI 4.3 box.







To make it secure I installed our CA signed certificate. After a restart I 
brought Tomcat up, the logs show ‘Invalid Keystore format’ error.















Below is the config from server.xml.















<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"







                                              compressionMinSize="2048" 
URIEncoding="UTF-8" compression="on"







                                              
certificateKeyAlias="xxxxxxxx.corp.xxxxxxx.com"







                                
compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/javascript,application/json"







               maxThreads="200" scheme="https" secure="true" SSLEnabled="true">







           <SSLHostConfig>







               <Certificate certificateKeystoreFile="C:/SSL/certnew_pfx.pfx"







                                                             
certificateKeystorePassword="Crystal!@#" keystoreType="PKCS12"







                            type="RSA" />







           </SSLHostConfig>







       </Connector>















Please suggest. Am stuck at this point unable to proceed further, any 
hints/thoughts highly appreciated!















I'm sorry, I didn't realize that this was essentially a re-post of your







previous thread with subject "Install CA signed certificate on Tomcat 9".















I see this was what was in your keystore:















Your keystore contains 2 entries















tomcat, Sep 8, 2022, PrivateKeyEntry,







Certificate fingerprint (SHA-256):







8B:1D:5B:59:86:39:A5:CD:AB:2A:4A:45:13:2B:82:A1:44:CD:8A:E7:20:96:5A:02:0F:73:E3:5A:A6:DB:B6:FD







tomcat1, Sep 29, 2022, trustedCertEntry,







Certificate fingerprint (SHA-256):







1F:A1:D5:1A:AD:5C:57:6C:B8:90:D8:CA:D1:89:2D:E1:1E:1F:7E:78:D2:19:72:CE:CC:3B:25:03:DE:0F:E1:B6















On 23 Dec you said "when I access the Central Management Console, the







browser shows site as ‘Not Secure’".















What is the Central Management Console?















Is Tomcat able to start without throwing any errors in the log files?















Are you able to reach the site, but get a browser warning that it's







"insecure"? I just want to make sure we are solving he right problem.















-chris















---------------------------------------------------------------------







To unsubscribe, e-mail: 
users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org%3cmailto:users-unsubscr...@tomcat.apache.org>
 
<mailto:users-unsubscr...@tomcat.apache.org%3cmailto:users-unsubscr...@tomcat.apache.org>>







For additional commands, e-mail: 
users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org%3cmailto:users-h...@tomcat.apache.org>

<mailto:users-h...@tomcat.apache.org%3cmailto:users-h...@tomcat.apache.org>>













---------------------------------------------------------------------

To unsubscribe, e-mail: 
users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org>

For additional commands, e-mail: 
users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org