tomcat-users mailing list archives

From "Nate Rock" <nr...@infinitecampus.com>
Subject RE: SSL InvalidKeystore Format?
Date Thu, 01 Dec 2005 20:16:56 GMT
Special thanks to Remy for adding an example connector to the APR doc...
I saw the change go through the dev list last night ;)

Dhaval and Remy, between your two emails, I was actually able to get
Tomcat 5.5.12 to use SSL, however there is one last problem I am running
into...

Dhaval, you created your PEM encoded key/certs using openssl and if you
followed the article linked, you used the "openssl rsa" command. Using
this I was able to get it to work just fine.  

I got super pumped and so I switched my Connector to point to the
cert/key that I had exported from my PKCS12 keystore yesterday and it
still didn't work correctly.

After reading up on Private keys a bit more, it looks like the PEM
encoding used by the "openssl rsa" command is in an older format (RSA)
than the version my private key is being stored in. The key/cert I am
using has the key in PKCS#8 format and not the antiquated SSLeay format.
Output by the "openssl rsa" command as noted from the OpenSSL rsa(1)
command page:

"Note this command uses the traditional SSLeay compatible format for
private key encryption: newer applications should use the more secure
PKCS#8 format using the pkcs8 utility."

Taken from the OpenSSL rsa command documentation located here:
http://www.openssl.org/docs/apps/rsa.html

If not, there might be an issue with the APR connector using PKCS#8
formatted private keys. Maybe I need to set up something differently in
the connector when using the PKCS#8 private key format?

After much deliberation, I found an issue with mod_ssl used in the APR.
Evidently it doesn't support the PKCS#8 private key format. So you need
to take it and convert it to the RSA format.

Here is a nice article on how to convert the PKCS#8 private key
extracted from your PKCS#12 keystore into the non-encrypted RSA PEM
format that OpenSSL expects:

http://mark.foster.cc/kb/openssl-keytool.html

The parts of the article that you should concern yourself about are:

"The private key is being exported as PKCS#8 PEM format. To get it into
the RSA format that works with Apache (see below) you can issue the
following command:"

	openssl pkcs8 -inform PEM -nocrypt -in exported-pkcs8.key -out exported.key

And 

"In summary, I had to re-encode the Java-base64-encoded private key
using openssl to make it palatable to Apache:"

	openssl rsa -in privkey-java.key -out privkey.key

I used Keystore Explorer 2.3 to extract the signed certificate and
private key out of the PKCS#12.

http://www.lazgosoftware.com/kse/ (free trial, $30 to buy. If you use
java keystores/certificates a lot, totally worth it imo)

I am still working on getting my certificate working 100% correctly but
this information should help you guys out a lot if you are stuck with a
PKCS#12 file. It won't be long now...

   -rOcK
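Added example, not code from this thread or from Tomcat: a POSIX shell script that performs the PKCS#12 to certificate plus traditional RSA PEM conversion described above in one step and then checks the result the way the APR connector will see it (SSLeay header present, key modulus equal to the certificate modulus). It assumes the openssl CLI is on PATH; the -traditional flag is assumed to be how newer OpenSSL releases select the SSLeay format, with a fallback for older releases that write it by default.

```shell
# Added example, not code from the thread: export a PKCS#12 keystore into the
# certificate + traditional RSA PEM key pair the APR/mod_ssl connector needs,
# then verify the key header and that key and certificate actually match.
# Assumes the openssl CLI is on PATH. File names are placeholders.
set -eu

# p12_to_apr_pem STORE.p12 PASSWORD OUT_PREFIX  -> writes OUT_PREFIX.crt/.key
p12_to_apr_pem() {
    store="$1"; pass="$2"; out="$3"
    # Server certificate only (-clcerts), no chain, no key.
    openssl pkcs12 -in "$store" -passin "pass:$pass" -clcerts -nokeys \
        -out "$out.crt" 2>/dev/null || return 1
    # Unencrypted key; openssl writes it as PKCS#8 ("BEGIN PRIVATE KEY").
    openssl pkcs12 -in "$store" -passin "pass:$pass" -nocerts -nodes \
        -out "$out.pkcs8.key" 2>/dev/null || return 1
    chmod 600 "$out.pkcs8.key"
    # Re-encode as SSLeay/traditional RSA. Assumption: -traditional selects
    # that format on newer OpenSSL; older releases lack the flag but write
    # the traditional format by default, hence the fallback.
    openssl pkcs8 -nocrypt -traditional -in "$out.pkcs8.key" -out "$out.key" 2>/dev/null ||
        openssl pkcs8 -nocrypt -in "$out.pkcs8.key" -out "$out.key" 2>/dev/null ||
        return 1
    chmod 600 "$out.key"
    # mod_ssl wants the SSLeay header; refuse anything else.
    [ "$(head -n 1 "$out.key")" = "-----BEGIN RSA PRIVATE KEY-----" ] || return 1
    # A key/cert mismatch fails just as silently: compare the RSA moduli.
    key_mod=$(openssl rsa -noout -modulus -in "$out.key") || return 1
    crt_mod=$(openssl x509 -noout -modulus -in "$out.crt") || return 1
    [ "$key_mod" = "$crt_mod" ]
}

# make_demo_p12 STORE.p12 PASSWORD: constructed self-signed material so the
# script can be tried offline; in practice use the keystore exported from Java.
make_demo_p12() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.example" \
        -keyout "$tmp/demo.key" -out "$tmp/demo.crt" 2>/dev/null
    openssl pkcs12 -export -in "$tmp/demo.crt" -inkey "$tmp/demo.key" \
        -name tomcat -passout "pass:$2" -out "$1"
    rm -rf "$tmp"
}
```

The resulting OUT_PREFIX.crt and OUT_PREFIX.key are what SSLCertificateFile and SSLCertificateKeyFile in the Connector element should point at.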

-----Original Message-----
From: Dhaval Patel [mailto:dhaval04@yahoo.com] 
Sent: Thursday, December 01, 2005 8:49 AM
To: Tomcat Users List
Subject: Re: SSL InvalidKeystore Format?

Hi Scott,

  I am not a Tomcat expert, and I cannot help you with the error
you are getting.
  After Remy's last message on SSL with APR, I finally got my Windows XP
+ Tomcat 5.5.12 + APR + SSL working. Following are the steps that I
followed:

(1) Install Tomcat 5.5.12 and make sure it is working.
(2) Download APR component (openssl.exe and tcnative-1.dll) and put it
in %TOMCAT_HOME%\bin.
(http://tomcat.heanet.ie/native/1.1.0/binaries/win32/)
(3) I generated server.key and server.cert following the guide at
http://www.fatofthelan.com/articles/articles.php?pid=12 . I have put them
in %TOMCAT_HOME%\bin only.
(Make sure you follow the guide. I had trouble setting up openssl.exe on
Windows XP. The answer is on that page only. You have to download
openssl.cnf from Google and place it in some folder and make a new
environment variable OPENSSL_CONF pointing to that file. Trust me, that
link is very good.)
(4) Change the server.xml in following way:
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               scheme="https" secure="true"
               SSLEngine="on"
               SSLCertificateFile="C:\Tomcat5.5\bin\server.crt"
               SSLCertificateKeyFile="C:\Tomcat5.5\bin\server.key" />
(5) Restart the tomcat and SSL is enabled.

   I don't know if you did it the same way and still have issues. If you
want to try, you can follow the above steps on some other Windows XP
machine. It worked for me, so it should work for you. If you start from
scratch, it may take about 30-40 minutes to set up the above things.

   Let me know how it goes.

Regards,
D

--- Scott Purcell <spurcell@vertisinc.com> wrote:

> Well, after wasting much time trying to get the SSL running on 5.5.12,
> on XP, and finding out about the bad tcnative-1.dll, I thought I was
> out of the woods on my SSL configuration. But it appears I have one
> last issue (hopefully). Since I renamed the tcnative-1.dll, I am
> getting logs in regards to my SSL (I was not getting those prior, see
> earlier posts) and I am receiving this error: I believe I have a good
> keystore, because my public key from Verisign was happy with it, but
> for some reason, Tomcat is still not happy with it.
> Any ideas why this error may occur?
>
> Nov 30, 2005 10:44:53 PM org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-80
> Nov 30, 2005 10:44:54 PM org.apache.coyote.http11.Http11BaseProtocol init
> SEVERE: Error initializing endpoint
> java.io.IOException: Invalid keystore format
>     at sun.security.provider.JavaKeyStore.engineLoad(Unknown Source)
>     at java.security.KeyStore.load(Unknown Source)
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:256)
>     at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getTrustManagers(JSSE14SocketFactory.java:174)
>     at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
>     at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
>     at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
>     at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
>     at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
>     at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina load
> SEVERE: Catalina.start
> LifecycleException: Protocol handler initialization failed: java.io.IOException: Invalid keystore format
>     at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
>     at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
>     at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
> Nov 30, 2005 10:44:54 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 1890 ms
> Nov 30, 2005 10:44:54 PM org.apache.catalina.core.StandardService start
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org