Sure, I can provide the entire setup for you. I'll work on that tonight.

On Sun, Mar 31, 2024 at 2:05 PM Mark Thomas <ma...@apache.org> wrote:

> On 25/03/2024 16:56, Timothy Resh wrote:
> > Sorry for the delay.  Our certificate creation process was automated
> > several years ago and I had to go through the code to figure out the
> > commands being used for the certificates.
> >
> > First, we use the createcert.exe from the Sybase 17 installation to
>
> I don't have access to that application so I am unable to follow the
> provided instructions.
>
> Given you do have access to the application, it will likely be simpler
> if you provide a test key and certificate that don't work that we can
> use for investigation.
>
> If you want to provide those offline, feel free to email the pem files
> to me directly.
>
> Mark
>
>
> > generate a DB cert for ODBC connectivity.  Please see the following link
> > for more information.
> >
> > https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
> > -t encryption type
> > -b length
> > -ca "1"  Create Certificate Authority
> > -u 3,4,5,6
> >
> >     - 3. Key Encipherment
> >     - 4. Data Encipherment
> >     - 5. Key Agreement
> >     - 6. Certificate Signing
> >
> > -v 6 years
> > -co Public Certificate
> > -x Generates a self-signed certificate
> >
> > C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe" -t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co "C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com" -sl "Norfolk" -so "Vessel Ships" -sou "Engineering" -sst "VA" -u 3,4,5,6 -v "6"
> >
> > SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160
> > Warning: The certificate will not be compatible with older versions of the software including version 12.0.1 prior to build 3994 and version 16.0 prior to build 1691. Use the -3des switch if you require compatibility.
> > Generating key pair...
> > Certificate will be a self-signed root
> > Serial number [generate GUID]:
> > Generated serial number: 42455c10a27d441db3e3d09f39f35452
> >
> >
> > This creates an "ASA12 SAMM Vessel.pub" file that is then copied to the Tomcat
> > Application Server as "Client Configuration.pem".
> >
> > Our next commands are all openssl or keytool:
> >
> > openssl.exe genrsa -aes256 -passout pass:"changeit" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048 1>nul 2>&1
> > openssl.exe req -new -key "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -subj "/CN=WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin pass:"changeit" 1>nul 2>&1
> >
> > echo basicConstraints = CA:FALSE 1>"C:\tmp12\openssl\v3.ext"
> > echo keyUsage = digitalSignature, keyEncipherment 1>>"C:\tmp12\openssl\v3.ext"
> > ECHO [SAN] 1>>"C:\tmp12\openssl\v3.ext"
> > ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com 1>>"C:\tmp12\openssl\v3.ext"
> >
> > openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin pass:"changeit" -days "2190" -extensions SAN
> > Certificate request self-signature ok
> > subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O = U.S.Government, C = US
> >
> > COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" "C:\tmp12\Certificates\CA\" 1>nul 2>&1
> >
> > openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout pass:"changeit"
> >
> > keytool.exe -importkeystore -deststorepass "changeit" -destkeypass "changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks" -srckeystore "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass "changeit" -alias WSD-2DNX4M3.mydomain.com
> > Importing keystore C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12 to C:\tmp12\Certificate\Keystore\Vessel.jks...
> > DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"
> >
> > openssl.exe rsa -in "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
> > openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout pass:"changeit"
> > openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin pass:"changeit" -passout pass:"changeit"
> >
> > DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2"
> > DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3"
> >
> > keytool.exe -importkeystore -srckeystore "C:\tmp12\Certificate\Keystore\Vessel.jks" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -srcstoretype JKS -deststoretype PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -noprompt
> > keytool.exe -delete -alias "ASA12 SAMM Vessel Temporary CA" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> > keytool.exe -delete -alias "ASA12 SAMM Vessel" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> > keytool.exe -delete -alias "WSD-2DNX4M3.mydomain.com" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> > keytool.exe -import -alias "ASA12 SAMM Vessel" -file "C:\tmp12\Client Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> > keytool.exe -import -trustcacerts -alias "ASA12 SAMM Vessel Temporary CA" -file "C:\tmp12\Client Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> >
> >
> > If you need anything else, please get in touch with me.
> > I have tested this with the Tomcat 87 release and it still does not work.
> >
> > Thanks
> >
> > Mark Resh
> >
> >
> >
> >
> > On Tue, Mar 19, 2024 at 4:15 PM Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 19/03/2024 18:18, Timothy Resh wrote:
> >>> <Connector ........
> >>> SSLProtocol="TLSv1.2"
> >>> SSLCipherSuite="-ALL
> >>> ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
> >>>
> >>>       SSLPassword="${KSENC(6qkaMErQ==; C:\Certificate\Keystore\Vessel.p12)}"
> >>> SSLCertificateChainFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
> >>> SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
> >>> SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
> >>> SSLVerifyClient="optional"
> >>> SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> >>> SSLCACertificatePath="C:\Certificates\CA\"
> >>>
> >>> where the ..... is the fqdn
> >>>
> >>> This works fine *until* Tomcat 9.0.83 and now we get the following listed below. I have read some of the https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for help.
> >>> The certificates are being created using openssl 3.013. Please note the encrypted password to the p12 keystore. There was a message saying this was going to be fixed in a January release.
> >>> I just tested 9.0.87 and the error is the same. The ASN.1 is OBJECT IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
> >>>
> >>> Does anyone have some suggestions for a fix?
> >>
> >> Please provide a set of OpenSSL commands that create a problematic, self-signed certificate for localhost. This will save us a *lot* of time.
> >>
> >> Mark
> >>
> >>
> >>>
> >>> Thanks Mark Resh
> >>>
> >>>
> >>> 15-Mar-2024 18:27:37.621 WARNING [main] org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the [ciphers] attribute in a manner consistent with the latest OpenSSL development branch. Some of the specified [ciphers] are not supported by the configured SSL engine for this connector (which may use JSSE or an older OpenSSL version) and have been skipped: [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
> >>> 15-Mar-2024 18:27:37.636 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
> >>> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
> >>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> >>> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
> >>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> >>> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
> >>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> >>> at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
> >>> at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>> at java.lang.reflect.Method.invoke(Method.java:498)
> >>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
> >>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> >>> Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> >>> at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
> >>> at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
> >>> at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
> >>> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
> >>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
> >>> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
> >>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
> >>> ... 13 more
> >>> Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> >>> at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
> >>> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
> >>> at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
> >>> at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
> >>> at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
> >>> at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
> >>> at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
> >>> ... 19 more
> >>> 15-Mar-2024 18:27:37.636 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [1655] milliseconds
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
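The stack trace above rejects a PKCS#8 key whose encryption scheme has DER OID hex 2a864886f70d010c0103, which is what the `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES` step in the quoted script produces. The following checker is an added example, not code from the thread or from Tomcat: it parses the EncryptedPrivateKeyInfo header of an ENCRYPTED PRIVATE KEY PEM block and reports the algorithm OID and its hex, so an operator can compare a key file against the value in the error before deploying it. The label table and the sample PEM (correct framing, dummy salt and ciphertext, no real key) are constructed for this example.

```python
import base64

# PBE OIDs the checker labels (table constructed for this example).
KNOWN_PKCS8_PBE = {
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC (openssl -v1 PBE-SHA1-3DES, legacy)",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0 scheme emitted by openssl pkcs8 -v2)",
}

def read_tlv(buf, pos):
    """Parse one DER TLV at pos (short or long-form length); return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID content bytes to dotted form (first octet = 40*arc1 + arc2, then base-128 arcs)."""
    arcs, value = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                      # high bit clear ends the arc
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def pkcs8_encryption_scheme(pem_text):
    """Return (dotted OID, DER hex as Tomcat prints it, label) for an ENCRYPTED PRIVATE KEY block."""
    lines = pem_text.strip().splitlines()
    if lines[0] != "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        raise ValueError("no ENCRYPTED PRIVATE KEY block (unencrypted PKCS#8 or a PKCS#1 key?)")
    der = base64.b64decode("".join(lines[1:-1]))
    tag, info, _ = read_tlv(der, 0)           # EncryptedPrivateKeyInfo ::= SEQUENCE
    tag2, alg_id, _ = read_tlv(info, 0)       # encryptionAlgorithm ::= AlgorithmIdentifier
    tag3, oid, _ = read_tlv(alg_id, 0)        # algorithm ::= OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not an EncryptedPrivateKeyInfo structure")
    dotted = decode_oid(oid)
    return dotted, oid.hex(), KNOWN_PKCS8_PBE.get(dotted, "other/unknown PBE scheme")

# Constructed sample: correct EncryptedPrivateKeyInfo framing, dummy salt/ciphertext, no real key.
SAMPLE_DER = bytes.fromhex(
    "3028"                          # EncryptedPrivateKeyInfo SEQUENCE, 40 bytes
    "301c"                          #   AlgorithmIdentifier SEQUENCE, 28 bytes
    "060a2a864886f70d010c0103"      #     OID 1.2.840.113549.1.12.1.3 (PBE-SHA1-3DES)
    "300e04080001020304050607"      #     pkcs-12PbeParams { salt OCTET STRING (8 dummy bytes),
    "02020800"                      #                        iterations INTEGER 2048 }
    "0408deadbeefdeadbeef")         #   encryptedData OCTET STRING (8 dummy bytes)
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END ENCRYPTED PRIVATE KEY-----\n")
```

Running `pkcs8_encryption_scheme` over the real key file and comparing the returned hex with the `[...]` value in the Tomcat error tells you whether that file is the one the connector is choking on.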
