On 30/06/17 13:43, Frank Taffelt wrote:
> Hi all,
>
> while playing with some SSL setups I stumbled upon the following behaviour
> that seems like a bug to me?
> As long as all key entries in a keystore have the same password all is fine.
> Using entries with different passwords, Tomcat doesn't start up.
Thanks for the test case. It might look like just a few lines, but it saves a huge amount of time for anyone who wants to try to reproduce what you are seeing.

I can reproduce this behaviour. This is a limitation of the default KeyManager implementation provided in Oracle JREs. The default implementation provided is SunX509, and that explicitly only supports one key password for the entire keystore. As far as I can tell, there aren't any alternative implementations provided that support multiple keys with different passwords.

In theory, if an alternative provider were available that supported different key passwords, Tomcat could configure it appropriately, although the implementation might get interesting.

By far the simplest solution is to have one keystore per private key.

I find the JSSE API tricky to navigate at the best of times, so it is possible I have missed something. If I have, feel free to point me in the right direction. Better yet, provide some code that shows how to use KeyManagerFactory with a keystore that has multiple keys, each with a different password.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
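Mark asks for code that uses KeyManagerFactory with a keystore holding several keys, each with its own password. The following is an added example written for this page; it is not code from the thread and not Tomcat's own code. It assumes a JKS keystore `multi.jks` (store password `storepw`) with two RSA key entries, `www` (key password `wwwpw`) and `api` (key password `apipw`), created with the keytool commands in the header comment; the file name, aliases and passwords are illustrative. It first shows the default SunX509 KeyManagerFactory failing with UnrecoverableKeyException when init() is given a single password, then builds a KeyManager through the JDK's "NewSunX509" algorithm and a custom KeyStore.Builder whose getProtectionParameter(alias) answers a per-alias password, which is the hook SunX509 lacks.

```java
// Added example (not from the thread, not Tomcat's code). The keystore,
// aliases and passwords are assumptions; build the store with keytool
// (JKS on purpose: keytool ignores -keypass for PKCS12 stores):
//   keytool -genkeypair -storetype JKS -keystore multi.jks -storepass storepw \
//     -alias www -keypass wwwpw -keyalg RSA -dname CN=www.example.test
//   keytool -genkeypair -storetype JKS -keystore multi.jks -storepass storepw \
//     -alias api -keypass apipw -keyalg RSA -dname CN=api.example.test
// Compile with javac, then:
//   java MultiPasswordKeyManager multi.jks storepw www=wwwpw api=apipw
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyStoreBuilderParameters;
import javax.net.ssl.X509KeyManager;

public class MultiPasswordKeyManager {

    /**
     * KeyStore.Builder that answers a different password per alias. The
     * NewSunX509 key manager calls getProtectionParameter() for an alias when
     * it needs that alias's private key, so one keystore can hold keys with
     * different passwords. SunX509 has no such hook: it unlocks every key
     * entry with the single password given to KeyManagerFactory.init().
     */
    static final class PerAliasBuilder extends KeyStore.Builder {
        // NewSunX509 exposes aliases as "<builderIndex>.<hash>.<alias>"; strip
        // that prefix in case the prefixed form is what reaches the builder.
        private static final Pattern PREFIX = Pattern.compile("^\\d+\\.-?\\d+\\.");
        private final KeyStore ks;
        private final Map<String, char[]> keyPasswords;

        PerAliasBuilder(KeyStore ks, Map<String, char[]> keyPasswords) {
            this.ks = ks;
            this.keyPasswords = keyPasswords;
        }

        @Override
        public KeyStore getKeyStore() {
            return ks;
        }

        @Override
        public KeyStore.ProtectionParameter getProtectionParameter(String alias) {
            char[] pw = keyPasswords.get(alias);
            if (pw == null) {
                pw = keyPasswords.get(PREFIX.matcher(alias).replaceFirst(""));
            }
            if (pw == null) {
                // An alias with no configured password yields no usable key.
                throw new IllegalArgumentException("no key password for alias " + alias);
            }
            return new KeyStore.PasswordProtection(pw);
        }
    }

    static KeyStore loadJks(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Default algorithm (SunX509): the one password must unlock every key entry. */
    static boolean defaultKeyManagerInits(KeyStore ks, char[] singleKeyPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        try {
            kmf.init(ks, singleKeyPass); // fails if any entry has another password
            return true;
        } catch (UnrecoverableKeyException e) {
            System.out.println(kmf.getAlgorithm() + " init failed: " + e.getMessage());
            return false;
        }
    }

    /** NewSunX509 with the per-alias builder: each key is unlocked with its own password. */
    static X509KeyManager perAliasKeyManager(KeyStore ks, Map<String, char[]> keyPasswords) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("NewSunX509");
        kmf.init(new KeyStoreBuilderParameters(new PerAliasBuilder(ks, keyPasswords)));
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) {
                return (X509KeyManager) km;
            }
        }
        throw new IllegalStateException("no X509KeyManager returned");
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: MultiPasswordKeyManager <store.jks> <storepass> <alias=keypass>...");
            System.exit(2);
        }
        KeyStore ks = loadJks(args[0], args[1].toCharArray());
        Map<String, char[]> keyPasswords = new LinkedHashMap<>();
        for (int i = 2; i < args.length; i++) {
            String[] kv = args[i].split("=", 2);
            keyPasswords.put(kv[0], kv[1].toCharArray());
        }

        // 1. The limitation from the thread: init() with the first key's password
        //    fails because the second entry has a different one.
        boolean ok = defaultKeyManagerInits(ks, keyPasswords.values().iterator().next());
        System.out.println("SunX509 init with one password: " + (ok ? "ok" : "failed"));

        // 2. Per-alias passwords: every server alias should yield its private key.
        X509KeyManager km = perAliasKeyManager(ks, keyPasswords);
        String[] aliases = km.getServerAliases("RSA", null);
        for (String alias : aliases == null ? new String[0] : aliases) {
            System.out.println("NewSunX509 " + alias + ": private key "
                    + (km.getPrivateKey(alias) != null ? "unlocked" : "NOT available"));
        }
    }
}
```

Two caveats. The store is JKS on purpose: keytool ignores -keypass for PKCS12 keystores and protects every key with the store password, so the failure does not reproduce with PKCS12. And this only shows the JSSE-level route Mark says is possible "in theory"; it does not wire the custom builder into Tomcat, which configures its own KeyManagerFactory, so one keystore per private key remains the simplest practical fix.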