Apparently the provided cert that came with your P12 is not an X509v3 cert.

Assuming $1 is the root name of the PEM file:

  openssl pkcs12 -in $1.p12 -out $1.pem -nodes -clcerts
  vi $1.pem

and you should see something like:

<snip>
Key Attributes
    X509v3 Key Usage: nn
</snip>

please verify

Martin

> Subject: Re: OpenSSL and keytool misery
> From: dmik...@gopivotal.com
> Date: Thu, 1 May 2014 08:53:10 -0700
> To: users@tomcat.apache.org
>
> On May 1, 2014, at 7:56 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> > All,
> >
> > I've been trying to convert an OpenSSL-generated key and certificate
> > into a keystore for use with Tomcat. I had given up on this months ago
> > and now I'm resuming my attempts.
> >
> > What I've done so far:
> >
> > 1. Created an RSA private key using openssl
> > 2. Created a certificate request using openssl
> > 3. Obtained a signed certificate from a CA
> > 4. Attempted to combine my key and certificate into a PKCS12 file
> >    using openssl:
> >
> >    $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
> >        -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12
> >
> > 5. Import the PKCS12 store into a Java keystore using keytool:
> >
> >    $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
> >        -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12
> >
> > This is what my keytool now says is in the store:
> >
> >    $ keytool -list -keystore conf/${HOSTNAME}.jks
> >    Enter keystore password:
> >
> >    Keystore type: JKS
> >    Keystore provider: SUN
> >
> >    Your keystore contains 1 entry
> >
> >    1, May 1, 2014, PrivateKeyEntry,
> >    Certificate fingerprint (MD5): EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A
> >
> > I set the password for the Java keystore to "changeit". Now, in Tomcat:
> >
> >    <Connector port="8443"
> >               protocol="org.apache.coyote.http11.Http11NioProtocol"
> >               keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
> >               keystorePass="changeit"
>
> Have you tried setting keyAlias and keyPass?
>
> Dan
>
> >               URIEncoding="UTF-8"
> >               sslProtocol="SSL"
> >               SSLEnabled="true"
> >               scheme="https"
> >               secure="true"
> >               />
> >
> > (Note that ${HOSTNAME}.jks has been expanded in my actual server.xml
> > file.)
> >
> > Here's what happens when I launch Tomcat:
> >
> > org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
> >     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
> >     at java.lang.reflect.Method.invoke(Method.java:597)
> >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
> > Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >     ... 12 more
> > Caused by: java.security.UnrecoverableKeyException: Cannot recover key
> >     at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
> >     at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
> >     at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
> >     at java.security.KeyStore.getKey(KeyStore.java:763)
> >     at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
> >     at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
> >     at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
> >     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:560)
> >     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489)
> >     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
> >     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
> >     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
> >     at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
> >     ... 13 more
> >
> > Have I missed a step somewhere? I know that I'll probably need to
> > import the CA's intermediate certificate at some point, but that
> > shouldn't be necessary, yet.
> >
> > I tried using Portecle, but Portecle can't seem to read my OpenSSL key
> > in the first place. Perhaps I have to convert to PKCS12 format first?
> >
> > Thanks,
> > -chris
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
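An added example, not code from any poster in the thread: the same openssl-to-keytool conversion Chris describes, but with one explicit password for the P12, the keystore and the key entry, followed by a check that the key entry is recoverable through the same KeyStore.getKey call that throws in the trace. keytool copies the PKCS12 password onto the imported key entry and Tomcat's keyPass defaults to keystorePass, so a P12 export password that differs from keystorePass is one concrete way to reach "Cannot recover key" (Dan's keyAlias/keyPass hint). File basenames, password and alias are placeholders; openssl and keytool are assumed to be on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build HOST.p12 and HOST.jks from HOST.key and
# HOST.crt with a single password, then verify the key entry opens with it.
# Assumes openssl and keytool on PATH; HOST, PASS and ALIAS are hypothetical values.
set -eu

# convert_to_jks HOST PASS ALIAS  ->  writes HOST.p12 and HOST.jks
convert_to_jks() {
  host="$1"; pass="$2"; alias="$3"
  # PBE-SHA1-3DES keeps the P12 readable by Java 8's keytool as well as newer JDKs.
  openssl pkcs12 -export -in "$host.crt" -inkey "$host.key" -name "$alias" \
    -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
    -passout "pass:$pass" -out "$host.p12"
  # -destkeypass pins the key-entry password to the store password explicitly, so
  # Tomcat's default of keyPass = keystorePass matches what is in the JKS.
  keytool -importkeystore -noprompt \
    -srckeystore "$host.p12" -srcstoretype pkcs12 -srcstorepass "$pass" -srcalias "$alias" \
    -destkeystore "$host.jks" -deststoretype jks -deststorepass "$pass" \
    -destkeypass "$pass" -destalias "$alias"
}

# check_key_recoverable HOST STOREPASS KEYPASS ALIAS  ->  exit 0 iff KEYPASS opens the entry.
# keytool -keypasswd calls KeyStore.getKey(alias, KEYPASS) before re-protecting the key,
# so it fails exactly when the store password is right but the key password is wrong,
# which is the condition behind UnrecoverableKeyException: Cannot recover key.
check_key_recoverable() {
  keytool -keypasswd -keystore "$1.jks" -storepass "$2" -alias "$4" \
    -keypass "$3" -new "$3" >/dev/null 2>&1
}
```

Run `convert_to_jks myhost changeit tomcat` and then `check_key_recoverable myhost changeit changeit tomcat` before pointing keystoreFile/keystorePass/keyAlias at the result.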