On Fri, Mar 29, 2019, 3:09 PM Mark Thomas <ma...@apache.org> wrote:

> On 29/03/2019 18:52, Ethan Jensen wrote:
> > On Thu, Mar 28, 2019 at 5:05 PM Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 28/03/2019 17:18, Ethan Jensen wrote:
> >>> On Thu, Mar 28, 2019 at 11:11 AM Mark Thomas <ma...@apache.org> wrote:
> >>
> >> <snip/>
> >>
> >>>> Can you post the header of your private key file? It should look
> >>>> something like:
> >>>>
> >>>> -----BEGIN RSA PRIVATE KEY-----
> >>>> Proc-Type: 4,ENCRYPTED
> >>>> DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78
> >>>>
> >>>> Thanks,
> >>>>
> >>>> Mark
> >>>>
> >>>>
> >>> Here you are:
> >>>
> >>> Bag Attributes
> >>>     localKeyID: 14 A3 77 23 14 44 3E 99 FD 7D A4 BE C3 4C 10 D0 DD 5A DA 0B
> >>>     friendlyName: mydomain.com
> >>> Key Attributes: <No Attributes>
> >>> -----BEGIN ENCRYPTED PRIVATE KEY-----
> >>
> >> Bingo. That is a PKCS#8 format file that OpenSSL understands but JSSE
> >> does not. The fix I had in mind does work. Now I understand why the
> >> problem occurred and can confirm that the fix works, I'll apply it for
> >> the next release. As a workaround you can convert that private key to
> >> PKCS#1 format.
> >>
> >> Mark
> >>
> >>
> > Mark,
> >
> > I can confirm that this does work! I converted the key and when starting
> > up Tomcat am greeted with this message in the log:
> >
> > ...
> > 29-Mar-2019 14:43:30.865 INFO [main]
> > org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The
> > certificate [conf/tls_config/20200411/star_mydomain_com.pem] or its private
> > key [conf/tls_config/20200411/star_mydomain_com.key] could not be processed
> > using a JSSE key manager and will be given directly to OpenSSL
> > ...
> >
> > For future reference, can you share how you determined the key was in a
> > PKCS#8 format? I had tried to ascertain that ahead of time, but didn't see
> > anything readily identifiable (to me), though I'm not terribly familiar
> > with particular key formats and perhaps it was just a recognition thing
> > (for you).
>
> I googled for "-----BEGIN ENCRYPTED PRIVATE KEY-----"
>
> Mark

Haha, guess that'll do it. Thanks again.

--
Ethan
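The two points in the thread, telling a PKCS#8 key apart from a traditional PKCS#1 key by its PEM label and converting it so Tomcat's JSSE key manager can read it, as an added shell example that is not part of the thread. The conversion assumes an RSA key and a local `openssl` binary; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): classify a PEM private key by its
# label, then rewrite a PKCS#8 key in the traditional PKCS#1 form.

# Print the format family of the PEM private key in file $1, judged by the
# first "-----BEGIN ...-----" line. The "Bag Attributes" lines that
# `openssl pkcs12` prepends (as in Ethan's file) are skipped because only
# the BEGIN label is examined.
pem_key_format() {
    label=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    case "$label" in
        "ENCRYPTED PRIVATE KEY") echo "pkcs8-encrypted" ;;   # the case JSSE rejected
        "PRIVATE KEY")           echo "pkcs8" ;;
        "RSA PRIVATE KEY")
            # Traditional OpenSSL (PKCS#1) form; a passphrase-protected key
            # carries "Proc-Type: 4,ENCRYPTED" and "DEK-Info" headers.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo "pkcs1-encrypted"
            else
                echo "pkcs1"
            fi ;;
        "EC PRIVATE KEY")        echo "sec1-ec" ;;
        *)                       echo "unknown" ;;
    esac
}

# Rewrite the PKCS#8 RSA key $1 as an AES-256-CBC-encrypted PKCS#1 key $2.
# openssl prompts for the existing passphrase and for a new one. OpenSSL 3
# writes PKCS#8 by default and needs -traditional; OpenSSL 1.x and LibreSSL
# write the traditional form already and do not know that flag. The subshell
# umask keeps the new key file readable by the owner only.
to_pkcs1() {
    case "$(openssl version)" in
        "OpenSSL 3."*) trad="-traditional" ;;
        *)             trad="" ;;
    esac
    ( umask 077 && openssl rsa -in "$1" $trad -aes256 -out "$2" ) \
        && [ "$(pem_key_format "$2")" = "pkcs1-encrypted" ]
}
```

`to_pkcs1 star_mydomain_com.key star_mydomain_com.pkcs1.key` returns success only when the output really carries the `RSA PRIVATE KEY` label with encryption headers, which is the shape Mark's sample header shows.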