I'm new to implementing APR/tc-native for SSL/TLS on Windows Server
2008R2, attempting to use tomcat 8.5.37 specifying PKCS12 format in the
SSLHostConfig/Certificate elements for the keystore and truststore.
(I would prefer to drop the JKS format for several reasons.)
Questions are:
    is this allowed?
    if so, what am I doing wrong?

...while the old (tomcat 7) connector element format works very well... for
example:
<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keyAlias="FQDNservername"
    keystoreFile="C:\certs\servername.pfx"
    keystorePass="password"
    keystoreType="PKCS12"
    clientAuth="true"
    truststoreFile="C:\certs\truststore.pfx"
    truststoreType="PKCS12"
    truststorePass="password"
    >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

Trying to use these .pfx files in the new
Connector/SSLHostConfig/Certificate elements doesn't work (there's no
equivalent to the ...Type attribute for certificateFile or caCertificateFile,
the description for each says "The format is PEM-encoded.", and there is no
equivalent of the ...Password attribute for caCertificateFile).

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig
        certificateVerification="optional"
        caCertificateFile="C:\certs\trustStore.PFX"
    >
        <Certificate
            certificateKeyFile="C:\certs\servername.pfx"
            certificateKeyPassword="password"
        />
    </SSLHostConfig>
</Connector>

.. the above gives errors:
11-Feb-2019 08:25:06.415 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[org.apache.coyote.http11.Http11Nio2Protocol-443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:661)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 12 more
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:161)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    ... 13 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:222)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:94)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    ... 20 more

Adding certificateFile="C:\certs\servername.pfx" to the Certificate element
causes this error (apparently it's expecting a PEM file):
11-Feb-2019 08:40:56.179 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-443"]
11-Feb-2019 08:40:56.226 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
 java.lang.Exception: Unable to load certificate key C:\certs\satlwsrmdwb01.pfx (error:0909006C:PEM routines:get_name:no start line)
    at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:284)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:161)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:661)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
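Added example, not from the original post or from Tomcat itself: a small Java program (hypothetical name Pkcs12ToPem) that unpacks .pfx files like the ones above into the PEM files the OpenSSL-backed Certificate element reads (certificateKeyFile, certificateFile, certificateChainFile, caCertificateFile); the output file names are assumptions.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Base64;
import java.util.Collections;

// Hypothetical helper, not part of Tomcat: unpacks a PKCS12 (.pfx) file into the
// PEM files the OpenSSL-backed SSLHostConfig/Certificate element reads.
public class Pkcs12ToPem {
    // 64-column Base64 with CRLF line breaks, the layout OpenSSL's PEM reader expects
    static String pem(String type, byte[] der) {
        String b64 = Base64.getMimeEncoder(64, "\r\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + type + "-----\r\n" + b64 + "\r\n-----END " + type + "-----\r\n";
    }

    static void write(Path p, String s) throws IOException {
        Files.write(p, s.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        if (args.length != 3) {
            System.err.println("usage: java Pkcs12ToPem <file.pfx> <password> <outdir>");
            System.exit(2);
        }
        char[] pw = args[1].toCharArray();
        Path out = Paths.get(args[2]);
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        StringBuilder trusted = new StringBuilder();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                // unencrypted PKCS#8 key: lock the file's ACL down to the Tomcat service account
                write(out.resolve(alias + "-key.pem"), pem("PRIVATE KEY", ks.getKey(alias, pw).getEncoded()));
                // chain[0] is the server certificate -> certificateFile
                write(out.resolve(alias + "-cert.pem"), pem("CERTIFICATE", chain[0].getEncoded()));
                // intermediates (and root, if bundled) -> certificateChainFile
                StringBuilder rest = new StringBuilder();
                for (int i = 1; i < chain.length; i++) rest.append(pem("CERTIFICATE", chain[i].getEncoded()));
                write(out.resolve(alias + "-chain.pem"), rest.toString());
            } else {
                // trustedCertEntry from a truststore .pfx -> concatenated caCertificateFile
                trusted.append(pem("CERTIFICATE", ks.getCertificate(alias).getEncoded()));
            }
        }
        if (trusted.length() > 0) write(out.resolve("ca-certs.pem"), trusted.toString());
    }
}
```

Run it once against the keystore .pfx and once against the truststore .pfx, then point certificateKeyFile/certificateFile/certificateChainFile and caCertificateFile at the output. Alternatively, Tomcat 8.5's Certificate element also accepts certificateKeystoreFile, certificateKeystoreType="PKCS12", certificateKeystorePassword and certificateKeyAlias, with truststoreFile/truststoreType/truststorePassword on SSLHostConfig, which keeps the .pfx files as they are.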
