Frank,

On 6/30/17 8:43 AM, Frank Taffelt wrote:
> Hi all,
>
> While playing with some SSL setups I stumbled upon the following
> behaviour that seems like a bug to me. As long as all key entries in
> a keystore have the same password, all is fine. Using entries with
> different passwords, Tomcat doesn't start up.
>
> For testing: at first create 2 different keystores (same.jks and
> different.jks), each having 2 entries:
>
> # create 2 entries with same keypass for each entry
> keytool -genkeypair -alias tomcat1 -storepass storepass -keystore same.jks -keyalg RSA -keypass keypass -ext san=dns:tomcat1 -dname CN=tomcat1
> keytool -genkeypair -alias tomcat2 -storepass storepass -keystore same.jks -keyalg RSA -keypass keypass -ext san=dns:tomcat2 -dname CN=tomcat2
>
> # create 2 entries with different keypass for each entry
> keytool -genkeypair -alias tomcat1 -storepass storepass -keystore different.jks -keyalg RSA -keypass tomcat1 -ext san=dns:tomcat1 -dname CN=tomcat1
> keytool -genkeypair -alias tomcat2 -storepass storepass -keystore different.jks -keyalg RSA -keypass tomcat2 -ext san=dns:tomcat2 -dname CN=tomcat2

What is the password for the keystore itself?

> Set up an SSL Connector to use that keystore:
>
> <Connector port="443" URIEncoding="UTF-8" scheme="https"
>            secure="true" SSLEnabled="true">
>
>   <SSLHostConfig ciphers="HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"
>                  protocols="all">
>
>     <!-- doesn't work, use keypass for alias tomcat2 -->
>     <Certificate certificateKeystoreFile="different.jks"
>                  certificateKeystorePassword="storepass"
>                  certificateKeyAlias="tomcat2"
>                  certificateKeystoreType="JKS"
>                  certificateKeyPassword="tomcat2"
>                  type="RSA" />

... and why don't you have the keystore password set, here? Or did you just use "changeit"?

-chris