apparently the provided cert that came with your P12 is not an X509v3 cert

assuming $1 is the root name of the PEM file

openssl pkcs12 -in $1.p12 -out $1.pem -nodes -clcerts

vi $1.pem
and you should see something like:

</snip>
Key Attributes
    X509v3 Key Usage: nn
</snip>

please verify
Martin 


> Subject: Re: OpenSSL and keytool misery
> From: dmik...@gopivotal.com
> Date: Thu, 1 May 2014 08:53:10 -0700
> To: users@tomcat.apache.org
> 
> On May 1, 2014, at 7:56 AM, Christopher Schultz 
> <ch...@christopherschultz.net> wrote:
> 
> > All,
> > 
> > I've been trying to convert an OpenSSL-generated key and certificate
> > into a keystore for use with Tomcat. I had given up on this months ago
> > and now I'm resuming my attempts.
> > 
> > What I've done so far:
> > 
> > 1. Created an RSA private key using openssl
> > 2. Created a certificate request using openssl
> > 3. Obtained a signed certificate from a CA
> > 4. Attempted to combine my key and certificate into a PKCS12 file
> > using openssl:
> > 
> > $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
> >          -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12
> > 
> > 5. Import the PKCS12 store into a Java keystore using keytool:
> > 
> > $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
> >          -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12
> > 
> > This is what my keytool now says is in the store:
> > 
> > $ keytool -list -keystore conf/${HOSTNAME}.jks
> > Enter keystore password:
> > 
> > Keystore type: JKS
> > Keystore provider: SUN
> > 
> > Your keystore contains 1 entry
> > 
> > 1, May 1, 2014, PrivateKeyEntry,
> > Certificate fingerprint (MD5):
> > EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A
> > 
> > I set the password for the Java keystore to "changeit". Now, in Tomcat:
> > 
> >    <Connector port="8443"
> >           protocol="org.apache.coyote.http11.Http11NioProtocol"
> >       keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
> >       keystorePass="changeit"
> 
> Have you tried setting keyAlias and keyPass?
> 
> Dan
> 
> >       URIEncoding="UTF-8"
> >       sslProtocol="SSL"
> >       SSLEnabled="true"
> >       scheme="https"
> >       secure="true"
> >       />
> > 
> > (Note that ${HOSTNAME}.jks has been expanded in my actual server.xml
> > file.)
> > 
> > Here's what happens when I launch Tomcat:
> > 
> > org.apache.catalina.LifecycleException: Failed to initialize component
> > [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
> >        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
> >        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> >        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
> >        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> >        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> >        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> >        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >        at java.lang.reflect.Method.invoke(Method.java:597)
> >        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> >        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> > Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
> >        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >        ... 12 more
> > 
> > Caused by: java.security.UnrecoverableKeyException: Cannot recover key
> >        at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
> >        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
> >        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
> >        at java.security.KeyStore.getKey(KeyStore.java:763)
> >        at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
> >        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
> >        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
> >        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:560)
> >        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489)
> >        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
> >        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> >        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> >        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> >        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> >        ... 13 more
> > 
> > Have I missed a step somewhere? I know that I'll probably need to
> > import the CA's intermediate certificate at some point, but that
> > shouldn't be necessary, yet.
> > 
> > I tried using Portecle, but Portecle can't seem to read my OpenSSL key
> > in the first place. Perhaps I have to convert to PKCS12 format first?
> > 
> > Thanks,
> > - -chris
> > 
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> > 
> 
> 
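The failure in the quoted stack trace, reproduced end to end as an added example (this is not code from the thread and not the original poster's commands): `keytool -importkeystore` with no `-destkeypass` protects the imported key entry with the source entry password, which for a PKCS12 is the password given to `openssl pkcs12 -export`, not with `-deststorepass`. Tomcat's `keyPass` defaults to `keystorePass`, so when the two passwords differ the JSSE key manager hits `UnrecoverableKeyException: Cannot recover key` exactly as shown above. The script builds steps 1-5 of the post with a self-signed certificate standing in for the CA-issued one, probes whether the key opens with the keystore password, then re-imports with `-destkeypass`. The hostname `example.test`, the alias `tomcat`, the two passwords and the scratch directory are constructed for the demo; it assumes `openssl` and a JDK `keytool` on PATH and skips itself otherwise.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces "Cannot recover key" after
# `keytool -importkeystore` from a PKCS12 and shows the fix. Assumes openssl
# and a JDK keytool on PATH; hostname, alias and passwords are constructed.
WORK=$(mktemp -d)
HOST=example.test          # constructed; stands in for ${HOSTNAME} in the post
P12PASS=p12secret          # password given to `openssl pkcs12 -export`
JKSPASS=changeit           # keystorePass on the Tomcat Connector
ALIAS=tomcat               # keytool lowercases aliases, so keep it lowercase

# Steps 1-4 of the post, with a self-signed cert standing in for the CA-issued one.
# -name sets the PKCS12 friendlyName, which keytool uses as the alias.
make_pkcs12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$HOST" \
      -keyout "$WORK/$HOST.key" -out "$WORK/$HOST.crt" >/dev/null 2>&1 &&
  openssl pkcs12 -export -name "$ALIAS" -in "$WORK/$HOST.crt" \
      -inkey "$WORK/$HOST.key" -passout "pass:$P12PASS" -out "$WORK/$HOST.p12"
}

# Step 5 as posted: with no -destkeypass, keytool protects the imported key
# entry with the *source* entry password (the P12 password), not -deststorepass.
# (Passwords on argv show up in `ps`; acceptable for a scratch demo only.)
import_as_posted() {
  rm -f "$WORK/asposted.jks"
  keytool -importkeystore -srckeystore "$WORK/$HOST.p12" -srcstoretype pkcs12 \
      -srcstorepass "$P12PASS" -destkeystore "$WORK/asposted.jks" \
      -deststoretype jks -deststorepass "$JKSPASS" >/dev/null 2>&1
}

# The fix: set the key entry password explicitly so it equals keystorePass.
import_fixed() {
  rm -f "$WORK/fixed.jks"
  keytool -importkeystore -srckeystore "$WORK/$HOST.p12" -srcstoretype pkcs12 \
      -srcstorepass "$P12PASS" -destkeystore "$WORK/fixed.jks" \
      -deststoretype jks -deststorepass "$JKSPASS" -destkeypass "$JKSPASS" \
      >/dev/null 2>&1
}

# Can the private key be recovered with this key password? keytool -certreq must
# sign with the key, so it fails at KeyStore.getKey just as Tomcat's
# KeyManagerFactory does. $1 = keystore, $2 = password tried as keyPass.
# Returns 0 if the key opens, non-zero on "Cannot recover key".
key_opens_with() {
  keytool -certreq -alias "$ALIAS" -keystore "$1" -storepass "$JKSPASS" \
      -keypass "$2" -file "$WORK/probe.csr" >/dev/null 2>&1
}

demo() {
  make_pkcs12 || { echo "openssl failed" >&2; return 1; }
  import_as_posted || { echo "keytool import failed" >&2; return 1; }
  if key_opens_with "$WORK/asposted.jks" "$JKSPASS"; then
    echo "as posted: key opens with keystorePass (P12 and JKS passwords were equal)"
  else
    echo "as posted: Cannot recover key with keystorePass=$JKSPASS"
    key_opens_with "$WORK/asposted.jks" "$P12PASS" &&
      echo "           ...but it opens with the P12 password: set keyPass=\"$P12PASS\"" \
           "on the Connector, or re-import with -destkeypass"
  fi
  import_fixed || { echo "keytool re-import failed" >&2; return 1; }
  key_opens_with "$WORK/fixed.jks" "$JKSPASS" &&
    echo "fixed:     key opens with keystorePass alone, so the Connector needs no keyPass"
}

if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
  demo
else
  echo "skipping: needs openssl and a JDK keytool on PATH" >&2
fi
```

The two remedies the script demonstrates are the ones Dan's hint points at: either add `keyPass` (and `keyAlias` if the store holds more than one key) to the Connector so it matches the password the key entry actually has, or re-run the import with `-destkeypass` equal to `-deststorepass` so the default works. A third option that avoids the JKS conversion altogether is to point the Connector at the `.p12` itself with `keystoreType="PKCS12"`, where key and store password are necessarily the same.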