tomcat-users mailing list archives

From Nigel Smith <>
Subject Problem with SSL / JSSE in Tomcat using a PKCS12_truststore_ - a curly one
Date Thu, 30 Jun 2005 03:33:22 GMT
Hi there,

I'm having trouble with an interesting problem.

I have a keystore and a truststore set up, both as pkcs12 stores. I'm 
telling tomcat about the keystore by something like the following code 
(I actually do it in spring, and so I've translated it into plain java 
code here for simplicity):

connector.setAttribute("keystoreFile", "c:\\tomcatEmbedded\\keystore.p12");
connector.setAttribute("keystorePass", "secret");
connector.setAttribute("keystoreType", "PKCS12");

and similarly, to set up the trust store, I'm doing the following:

connector.setAttribute("truststorePass", "secret");
connector.setAttribute("truststoreType", "PKCS12");

The problem I have here is that Tomcat (I suspect it's not tomcat, but 
something in J2SE, or the way tomcat uses JSSE, or even the way I've got 
my env setup - I'll explain in a minute) loves the keystore, but is a 
right snob about the truststore. It simply refuses to acknowledge its 

Actually, I've lied - I have set up a different type of truststore. It's 
a JKS store, and when I use the following code to initialise the 
truststore, things start to work again:

connector.setAttribute("truststorePass", "changeit");
connector.setAttribute("truststoreType", "JKS");

The key point here is that initialising the truststore as a PKCS12 
store simply does not work.

Some more information: if I set a system property as such:, I can actually see the trusted certificates being 
loaded up as tomcat starts up. I mean, I can see all the certs in the 
trust store being loaded up when it's a JKS store. When it's a PKCS12 
store, it ignores them. Very rude.

Further, if I set the trust store through the* 
properties (JKS or PKCS12), things go a bit wrong with a message like 
" DerInputStream.getLength(): length Tag=109"  - I 
don't know what the hell this means, but from what I have been able to 
glean from a bit of googling, this happens because of the Tomcat 
classloader hierarchy - I think. Which is probably why we have the 
setAttribute() method on the connector.

I'm interested in knowing if anyone has had a similar problem / 
experience, and knows of any way I can use a PKCS12 store as a trust store.

I'm using Java 1.5.0_03, Tomcat 5.5.9 embedded.

Many thanks,
