Sorry for the delay. Our certificate creation process was automated several years ago and I had to go through the code to figure out the commands being used for the certificates.
First, we use the createcert.exe from the Sybase 17 installation to generate a DB cert for ODBC connectivity. Please see the following link for more information:
https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html

  -t        encryption type
  -b        length
  -ca "1"   Create Certificate Authority
  -u 3,4,5,6
              3. Key Encipherment
              4. Data Encipherment
              5. Key Agreement
              6. Certificate Signing
  -v        6 years
  -co       Public Certificate
  -x        Generates a self-signed certificate

C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe" -t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co "C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com" -sl "Norfolk" -so "Vessel Ships" -sou "Engineering" -sst "VA" -u 3,4,5,6 -v "6"

SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160
Warning: The certificate will not be compatible with older versions of the software including version 12.0.1 prior to build 3994 and version 16.0 prior to build 1691.
Use the -3des switch if you require compatibility.
Generating key pair...
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: 42455c10a27d441db3e3d09f39f35452

This creates an ASA12 SAMM Vessel.pub that is then copied to the Tomcat Application Server as "Client Configuration.pem". Our next commands are all openssl or keytool:

openssl.exe genrsa -aes256 -passout pass:"changeit" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048 1>nul 2>&1

openssl.exe req -new -key "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -subj "/CN= WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin pass:"changeit" 1>nul 2>&1

echo basicConstraints = CA:FALSE 1>"C:\tmp12\openssl\v3.ext"
echo keyUsage = digitalSignature, keyEncipherment 1>>"C:\tmp12\openssl\v3.ext"
ECHO [SAN] 1>>"C:\tmp12\openssl\v3.ext"
ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com 1>>"C:\tmp12\openssl\v3.ext"

openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin pass:"changeit" -days "2190" -extensions SAN
Certificate request self-signature ok
subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O = U.S.Government, C = US

COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" "C:\tmp12\Certificates\CA\" 1>nul 2>&1

openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout pass:"changeit"

keytool.exe -importkeystore -deststorepass "changeit" -destkeypass "changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks" -srckeystore "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass "changeit" -alias WSD-2DNX4M3.mydomain.com
Importing keystore C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12 to C:\tmp12\Certificate\Keystore\Vessel.jks...

DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"

openssl.exe rsa -in "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout pass:"changeit"
openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin pass:"changeit" -passout pass:"changeit"

DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2"
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3"

keytool.exe -importkeystore -srckeystore "C:\tmp12\Certificate\Keystore\Vessel.jks" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -srcstoretype JKS -deststoretype PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -noprompt
keytool.exe -delete -alias "ASA12 SAMM Vessel Temporary CA" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -delete -alias "ASA12 SAMM Vessel" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -delete -alias "WSD-2DNX4M3.mydomain.com" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -import -alias "ASA12 SAMM Vessel" -file "C:\tmp12\Client Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
keytool.exe -import -trustcacerts -alias "ASA12 SAMM Vessel Temporary CA" -file "C:\tmp12\Client Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt

If you need anything else, please get in touch with me. I have tested this with the Tomcat 87 release and it still does not work.

Thanks
Mark Resh

On Tue, Mar 19, 2024 at 4:15 PM Mark Thomas <ma...@apache.org> wrote:

> On 19/03/2024 18:18, Timothy Resh wrote:
> > <Connector ........
> > SSLProtocol="TLSv1.2"
> > SSLCipherSuite="-ALL ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
> >
> > SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
> > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
> > SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
> > SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
> > SSLVerifyClient="optional"
> > SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> > SSLCACertificatePath="C:\Certificates\CA\"
> >
> > where the ..... is the fqdn
> >
> > This works fine *until* Tomcat 9.0.83 and now we get the following listed below. I have read some of the https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for help.
> > The certificates are being created using openssl 3.013. Please note the encrypted password to the p12 keystore. There was a message saying this was going to be fixed in a January release.
> > I just tested 9.0.87 and the error is the same.
> > The ASN.1 is OBJECT IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
> >
> > Does anyone have some suggestions for a fix?
>
> Please provide a set of OpenSSL commands that create a problematic, self-signed certificate for localhost. This will save us a *lot* of time.
>
> Mark
>
> > Thanks Mark Resh
> >
> > 15-Mar-2024 18:27:37.621 WARNING [main] org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the [ciphers] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [ciphers] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
> > 15-Mar-2024 18:27:37.636 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
> > org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> >     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> >     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
> >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
> >     at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >     at java.lang.reflect.Method.invoke(Method.java:498)
> >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
> >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> > Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> >     at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
> >     at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
> >     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
> >     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
> >     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
> >     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
> >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
> >     ... 13 more
> > Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> >     at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
> >     at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
> >     at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
> >     at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
> >     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
> >     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
> >     at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
> >     ... 19 more
> > 15-Mar-2024 18:27:37.636 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1655] milliseconds
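The DER OID in the quoted stack trace, [2a864886f70d010c0103], decodes to 1.2.840.113549.1.12.1.3, which is pbeWithSHAAnd3-KeyTripleDES-CBC, the PKCS#12-style PBE that the "openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES" step in the script above writes into the .key file; Tomcat's PEMFile is rejecting that algorithm identifier. As an added example that is not part of this thread, the Python below decodes such an OID and reads the PBE algorithm straight out of an ENCRYPTED PRIVATE KEY PEM so a key file can be checked before it is configured as SSLCertificateKeyFile; the sample PEM is a constructed stub with a dummy payload, not a real key.

```python
import base64
import re

# PBE algorithm OIDs that can appear in an encrypted PKCS#8 key (RFC 7292, RFC 8018).
KNOWN_PBE_OIDS = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (openssl pkcs8 -v1 PBE-SHA1-3DES)",
    "1.2.840.113549.1.5.13": "PBES2 (openssl pkcs8 default since 1.1.0: PBKDF2 with AES-256-CBC)",
}

def decode_oid(content: bytes) -> str:
    """Decode DER OID content bytes (the hex Tomcat prints) into dotted form."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)   # base-128 arcs, high bit = continuation
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag and length; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def pkcs8_pbe_oid(pem: str) -> str:
    """Return the dotted OID of the PBE algorithm in an ENCRYPTED PRIVATE KEY PEM."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not an encrypted PKCS#8 PEM (legacy 'RSA PRIVATE KEY' format?)")
    der = base64.b64decode("".join(m.group(1).split()))
    tag1, pos, _ = _read_tlv(der, 0)         # EncryptedPrivateKeyInfo ::= SEQUENCE
    tag2, pos, _ = _read_tlv(der, pos)       # encryptionAlgorithm AlgorithmIdentifier
    tag3, start, end = _read_tlv(der, pos)   # algorithm OBJECT IDENTIFIER
    if (tag1, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("unexpected DER structure for EncryptedPrivateKeyInfo")
    return decode_oid(der[start:end])

def describe(oid: str) -> str:
    return KNOWN_PBE_OIDS.get(oid, "unrecognised PBE OID " + oid)

# Constructed stub, not a real key: the 3DES OID, empty parameters, 4 dummy payload bytes.
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
              + base64.b64encode(bytes.fromhex(
                  "3016300e060a2a864886f70d010c010330000404deadbeef")).decode()
              + "\n-----END ENCRYPTED PRIVATE KEY-----\n")
```

Running describe(pkcs8_pbe_oid(open("WSD-2DNX4M3.mydomain.com.key").read())) against the script's output key will report the 3DES PBE, while a key written by openssl pkcs8 without the -v1 option reports PBES2.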