Hi Mark,

> On 08.01.2020 at 19:04, Mark Thomas <ma...@apache.org> wrote:
> 
> On 26/12/2019 23:55, logo wrote:
> 
> <snip/>
> 
>> as an EC certificate will start with EC PRIVATE KEY.
>> 
>> Is this something that is expected? ECDSA unsupported? Or just an incomplete 
>> implementation, edge case or a bug?
> 
> Hi,
> 
> Sorry for not getting to this sooner.
> 
> I'm not 100% sure that Java directly supports the format that includes:
> -----BEGIN EC PRIVATE KEY-----
> 
> 
> Initial research suggests you need to "update" the format of the key file:
> 
> openssl pkcs8 -topk8 -inform pem -in file.key -outform pem -nocrypt -out file.pem
> 
> I have confirmed that this updated key then works cleanly with both the
> OpenSSL and JSSE TLS implementations.
> 

Felix already suggested that. I've tried it and at first it looks good. 
Connector starts and serves the ECDSA cert.

Please see the last two emails with the findings of the testssl.sh scans. I 
don’t know, but Tomcat now also serves strange ciphers… (at least some that 
openssl doesn’t even support, and the scanner gets some strange results!)

https://markmail.org/message/nj7lvuplld4c5nqx


> In theory, Tomcat should be able to do this conversion for you. The
> issue will be how much of the crypto API we need to do that is part of
> the public API and, where it isn't, how easy it is to craft our own.
> 
> I'm currently investigating…
> 

Thanks for your support. I got the people at smallstep to create an option to 
also create RSA certs. So there is currently a workaround to use their ACME 
process with Tomcat.

Peter


> Mark
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
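The conversion that Mark's `openssl pkcs8 -topk8 ... -nocrypt` command performs, written out as an added example (not code from this thread and not Tomcat's own code): a file starting with `-----BEGIN EC PRIVATE KEY-----` is an RFC 5915 ECPrivateKey that carries its curve in a `[0]` tag, while the `-----BEGIN PRIVATE KEY-----` form is an RFC 5208 PrivateKeyInfo whose AlgorithmIdentifier names id-ecPublicKey plus the curve OID. The code below re-wraps the former into the latter with the standard library only, and `describe_pkcs8` is the check that the result names the expected algorithm and curve. It assumes a named-curve key (P-256, P-384 and P-521 are reported by name, any other curve by its OID hex), and the sample key it builds is a constructed dummy scalar, not a real key.

```python
# Added example, not code from the thread or from Tomcat: re-wrap a SEC1
# "EC PRIVATE KEY" PEM as the PKCS#8 "PRIVATE KEY" PEM that JSSE loads, using the
# standard library only; structurally the same change "openssl pkcs8 -topk8" makes.
import base64
import re

SEC1_LABEL = "EC PRIVATE KEY"    # RFC 5915 ECPrivateKey, as written by "openssl ec"
PKCS8_LABEL = "PRIVATE KEY"      # RFC 5208 PrivateKeyInfo
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # OID 1.2.840.10045.2.1
NAMED_CURVES = {                                      # DER-encoded curve OIDs
    bytes.fromhex("2a8648ce3d030107"): "P-256",
    bytes.fromhex("2b81040022"): "P-384",
    bytes.fromhex("2b81040023"): "P-521",
}

def der_len(n):
    if n < 0x80:                             # short form
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw    # long form

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def read_tlv(buf, pos=0):
    """Return (tag, body, position after the element); rejects truncated input."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                         # long-form length
        nbytes = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    else:
        length = first
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length

def parse_sec1(der):
    """Split an ECPrivateKey into (scalar, curve OID bytes or None, [1] publicKey body or None)."""
    tag, body, _ = read_tlv(der)
    if tag != 0x30:
        raise ValueError("ECPrivateKey must be a SEQUENCE")
    tag, version, pos = read_tlv(body)
    if tag != 0x02 or version != b"\x01":
        raise ValueError("unexpected ECPrivateKey version")
    tag, scalar, pos = read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    curve = pub = None
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        if tag == 0xA0:                      # [0] parameters: only namedCurve is supported
            t, curve, _ = read_tlv(inner)
            if t != 0x06:
                raise ValueError("only namedCurve ECParameters are supported")
        elif tag == 0xA1:                    # [1] publicKey BIT STRING, optional
            pub = inner
    return scalar, curve, pub

def sec1_to_pkcs8_der(sec1_der):
    scalar, curve, pub = parse_sec1(sec1_der)
    if curve is None:
        raise ValueError("SEC1 key names no curve; cannot build the AlgorithmIdentifier")
    # Inner ECPrivateKey without [0] parameters: the curve now lives in the
    # AlgorithmIdentifier, which is also how OpenSSL's pkcs8 tool emits it.
    inner = der_tlv(0x02, b"\x01") + der_tlv(0x04, scalar)
    if pub is not None:
        inner += der_tlv(0xA1, pub)
    alg = der_tlv(0x30, der_tlv(0x06, ID_EC_PUBLIC_KEY) + der_tlv(0x06, curve))
    return der_tlv(0x30, der_tlv(0x02, b"\x00") + alg + der_tlv(0x04, der_tlv(0x30, inner)))

def describe_pkcs8(der):
    """Return (version, algorithm OID bytes, curve name or hex, inner ECPrivateKey DER)."""
    _, body, _ = read_tlv(der)
    _, version, pos = read_tlv(body)
    _, alg, pos = read_tlv(body, pos)
    _, key, _ = read_tlv(body, pos)
    _, alg_oid, apos = read_tlv(alg)
    _, curve_oid, _ = read_tlv(alg, apos)
    return int.from_bytes(version, "big"), alg_oid, NAMED_CURVES.get(curve_oid, curve_oid.hex()), key

def pem_to_der(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def der_to_pem(der, label):
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

def convert_pem(pem):
    """Return a PKCS#8 PEM: SEC1 input is re-wrapped, PKCS#8 input comes back unchanged."""
    label, der = pem_to_der(pem)
    if label == PKCS8_LABEL:
        return pem
    if label == SEC1_LABEL:
        return der_to_pem(sec1_to_pkcs8_der(der), PKCS8_LABEL)
    raise ValueError("unsupported PEM label %r (encrypted or non-EC key?)" % label)

def sample_sec1_pem():
    """Constructed sample: dummy P-256 scalar 1..32, NOT a real key, so this runs offline."""
    scalar = bytes(range(1, 33))
    body = der_tlv(0x02, b"\x01") + der_tlv(0x04, scalar)
    body += der_tlv(0xA0, der_tlv(0x06, bytes.fromhex("2a8648ce3d030107")))
    return der_to_pem(der_tlv(0x30, body), SEC1_LABEL)
```

On a real key, read file.key, pass its text to `convert_pem`, and write the result as file.pem; `describe_pkcs8` on the decoded output should report version 0, the id-ecPublicKey OID and the curve the certificate was issued for. An encrypted key or an RSA key is rejected by label rather than silently rewrapped, which is the failure mode worth catching in a deployment script before the connector tries to start.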

