On 25/03/2024 16:56, Timothy Resh wrote:
Sorry for the delay. Our certificate creation process was automated
several years ago and I had to go through the code to figure out the
commands being used for the certificates.

First, we use the createcert.exe from the Sybase 17 installation to
generate a DB cert for ODBC connectivity. Please see the following link
for more information.
https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html

I don't have access to that application so I am unable to follow the provided instructions.

Given you do have access to the application, it will likely be simpler if you provide a test key and certificate that don't work that we can use for investigation.

If you want to provide those offline, feel free to email the pem files to me directly.

Mark

-t encryption type
-b length
-ca "1"  Create Certificate Authority
-u 3,4,5,6

    - 3. Key Encipherment
    - 4. Data Encipherment
    - 5. Key Agreement
    - 6. Certificate Signing

-v 6 years
-co Public Certificate
-x Generates a self-signed certificate

C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe" -t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co "C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com" -sl "Norfolk" -so "Vessel Ships" -sou "Engineering" -sst "VA" -u 3,4,5,6 -v "6"

SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160
Warning: The certificate will not be compatible with older versions of the software including version 12.0.1 prior to build 3994 and version 16.0 prior to build 1691. Use the -3des switch if you require compatibility.
Generating key pair...
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: 42455c10a27d441db3e3d09f39f35452


This creates an "ASA12 SAMM Vessel.pub" that is then copied to the Tomcat
Application Server as "Client Configuration.pem".

Our next commands are all openssl or keytool.

openssl.exe genrsa -aes256 -passout pass:"changeit" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048 1>nul 2>&1
openssl.exe req -new -key "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -subj "/CN=WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin pass:"changeit" 1>nul 2>&1

echo basicConstraints = CA:FALSE 1>"C:\tmp12\openssl\v3.ext"
echo keyUsage = digitalSignature, keyEncipherment 1>>"C:\tmp12\openssl\v3.ext"
ECHO [SAN] 1>>"C:\tmp12\openssl\v3.ext"
ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com 1>>"C:\tmp12\openssl\v3.ext"

openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin pass:"changeit" -days "2190" -extensions SAN
Certificate request self-signature ok
subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O = U.S.Government, C = US

COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" "C:\tmp12\Certificates\CA\" 1>nul 2>&1

openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout pass:"changeit"

keytool.exe -importkeystore -deststorepass "changeit" -destkeypass "changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks" -srckeystore "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass "changeit" -alias WSD-2DNX4M3.mydomain.com
Importing keystore C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12 to C:\tmp12\Certificate\Keystore\Vessel.jks...
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"

openssl.exe rsa -in "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout pass:"changeit"
openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin pass:"changeit" -passout pass:"changeit"

DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2"
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3"

keytool.exe -importkeystore -srckeystore "C:\tmp12\Certificate\Keystore\Vessel.jks" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -srcstoretype JKS -deststoretype PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -noprompt
keytool.exe -delete -alias "ASA12 SAMM Vessel Temporary CA" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -delete -alias "ASA12 SAMM Vessel" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -delete -alias "WSD-2DNX4M3.mydomain.com" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -import -alias "ASA12 SAMM Vessel" -file "C:\tmp12\Client Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -import -trustcacerts -alias "ASA12 SAMM Vessel Temporary CA" -file "C:\tmp12\Client Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt


If you need anything else, please get in touch with me.
I have tested this with the Tomcat 87 release and it still does not work.

Thanks

Mark Resh




On Tue, Mar 19, 2024 at 4:15 PM Mark Thomas <ma...@apache.org> wrote:

On 19/03/2024 18:18, Timothy Resh wrote:
<Connector ........
    SSLProtocol="TLSv1.2"
    SSLCipherSuite="-ALL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
    SSLPassword="${KSENC(6qkaMErQ==;C:\Certificate\Keystore\Vessel.p12)}"
    SSLCertificateChainFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
    SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
    SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
    SSLVerifyClient="optional"
    SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
    SSLCACertificatePath="C:\Certificates\CA\"


where the ..... is the FQDN.

This works fine *until* Tomcat 9.0.83 and now we get the following listed
below. I have read some of the
https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for
help.
The certificates are being created using openssl 3.013. Please note the
encrypted password to the p12 keystore. There was a message saying this
was going to be fixed in a January release.
I just tested 9.0.87 and the error is the same. The ASN.1 is OBJECT
IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)

Does anyone have some suggestions for a fix?

Please provide a set of OpenSSL commands that create a problematic,
self-signed certificate for localhost. This will save us a *lot* of time.

Mark



Thanks Mark Resh


15-Mar-2024 18:27:37.621 WARNING [main] org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the [ciphers] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [ciphers] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
15-Mar-2024 18:27:37.636 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
    org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
    Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
        ... 13 more
    Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
        at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
        at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
        at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
        ... 19 more
15-Mar-2024 18:27:37.636 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1655] milliseconds


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




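The two exception messages in the log above name the key's encryption algorithm only as a hex string, 2a864886f70d010c0103, which is the DER content of an ASN.1 OBJECT IDENTIFIER. The script below is an added example for this thread (editor's code, not Tomcat's and not the thread author's): it decodes such a hex string to dotted form and reads the same AlgorithmIdentifier straight out of a PEM "ENCRYPTED PRIVATE KEY" block, so a key can be checked offline before it is handed to a connector. The OID table is taken from RFC 8018 (PKCS#5) and RFC 7292 (PKCS#12); the sample PEM is constructed for the demo, with a placeholder where the ciphertext would be, and the helper functions `describe_hex` and `describe_pem` are names chosen here. Run on the value from the log, it yields 1.2.840.113549.1.12.1.3, pbeWithSHAAnd3-KeyTripleDES-CBC, the PKCS#12 scheme that OpenSSL calls PBE-SHA1-3DES in the `pkcs8 -topk8 -v1 PBE-SHA1-3DES` step of the posted script.

```python
"""Identify the password-based encryption scheme of a PKCS#8 private key.

Added example, not code from Tomcat or from the thread. It decodes the DER OID
hex that Tomcat prints in its "was not recognised" message and reads the outer
AlgorithmIdentifier of a PEM "ENCRYPTED PRIVATE KEY" block. The OID names come
from RFC 8018 (PKCS#5) and RFC 7292 (PKCS#12); the sample key is constructed.
"""
import base64
import re

# EncryptedPrivateKeyInfo algorithm OIDs with the names OpenSSL's "pkcs8 -v1"
# option uses for the legacy schemes.
KNOWN_PBE_OIDS = {
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0, RFC 8018)",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5, OpenSSL PBE-MD5-DES)",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PKCS#5 v1.5, OpenSSL PBE-SHA1-DES)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12 PBE, OpenSSL PBE-SHA1-3DES)",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC (PKCS#12 PBE, OpenSSL PBE-SHA1-2DES)",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC (PKCS#12 PBE, OpenSSL PBE-SHA1-RC2-40)",
}


def decode_oid(content: bytes) -> str:
    """Decode the content octets of a DER OBJECT IDENTIFIER to dotted form (X.690 8.19)."""
    if not content:
        raise ValueError("empty OID")
    if content[-1] & 0x80:  # last octet must terminate an arc
        raise ValueError("truncated OID")
    first = content[0]
    # The first octet packs the first two arcs as 40 * arc1 + arc2.
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for octet in content[1:]:
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:end], end


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used here only to build the constructed sample)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + content


def pkcs8_encryption_oid(epki: bytes) -> str:
    """Dotted OID of encryptionAlgorithm in a DER EncryptedPrivateKeyInfo,
    i.e. SEQUENCE { SEQUENCE { OID, params }, OCTET STRING encryptedData }."""
    tag, body, _ = read_tlv(epki)
    if tag != 0x30:
        raise ValueError("EncryptedPrivateKeyInfo must be a SEQUENCE")
    tag, alg_id, _ = read_tlv(body)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, oid, _ = read_tlv(alg_id)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier must start with an OBJECT IDENTIFIER")
    return decode_oid(oid)


PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def describe_pem(pem_text: str):
    """Classify the first PEM block: (label, dotted OID or None, scheme name)."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    body = base64.b64decode("".join(m.group(2).split()))
    if label == "ENCRYPTED PRIVATE KEY":
        oid = pkcs8_encryption_oid(body)
        return label, oid, KNOWN_PBE_OIDS.get(oid, "unknown PBE OID")
    if label == "PRIVATE KEY":
        return label, None, "unencrypted PKCS#8 PrivateKeyInfo"
    return label, None, "not a PKCS#8 private key block"


def describe_hex(der_oid_hex: str):
    """Map the hex OID from Tomcat's error message to (dotted OID, scheme name)."""
    oid = decode_oid(bytes.fromhex(der_oid_hex))
    return oid, KNOWN_PBE_OIDS.get(oid, "unknown PBE OID")


# Constructed sample: EncryptedPrivateKeyInfo using pbeWithSHAAnd3-KeyTripleDES-CBC
# with pkcs-12PbeParams { salt (8 zero bytes), iterations 2048 }. The 16-byte
# encryptedData is a placeholder, not real ciphertext.
_SAMPLE_DER = der(0x30,
    der(0x30, der(0x06, bytes.fromhex("2a864886f70d010c0103"))
            + der(0x30, der(0x04, bytes(8)) + der(0x02, b"\x08\x00")))
    + der(0x04, bytes(16)))
SAMPLE_ENCRYPTED_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
                        + base64.b64encode(_SAMPLE_DER).decode() + "\n"
                        + "-----END ENCRYPTED PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(describe_hex("2a864886f70d010c0103"))   # value from the Tomcat log above
    print(describe_pem(SAMPLE_ENCRYPTED_PEM))
```

`describe_pem` accepts the text of any PEM file, so it can be pointed at the `.key` written by the last `openssl pkcs8` step of the posted script; a key produced by `openssl pkcs8 -topk8` without `-v1` on a current OpenSSL is PBES2 (1.2.840.113549.1.5.13) instead, and the function distinguishes the two.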