On 2023/09/12 07:06:52 "Thomas Hoffmann (Speed4Trade GmbH)" wrote:
> Hello James,
>
> > -----Original Message-----
> > From: James H. H. Lampert <jam...@touchtonecorp.com.INVALID>
> > Sent: Monday, 11 September 2023 18:31
> > To: Java 400 List <java40...@lists.midrange.com>; Tomcat Users List <users@tomcat.apache.org>
> > Subject: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)
> >
> > Ladies and Gentlemen of Both Lists:
> >
> > Last Friday evening, I ran into a problem updating SSL/TLS keystores on two customer boxes, and spent three hours yesterday, finding the cause, doping out a way to salvage the certs they'd paid for, and doping out a solution to keep it from happening in the future.
> >
> > It seems that with the new keystores (generated on my Mac, initially created with Keytool, and then maintained with Keystore Explorer), they were getting:
> >
> > > Throwable occurred: java.io.IOException: Invalid keystore format
> > > at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
> > > at java.security.KeyStore.load(KeyStore.java:414)
> >
> > I put them back on their old keystores, and cycled Tomcat again, to get them back up, and then spent three hours working the problem yesterday (Sunday) afternoon.
> >
> > It turns out that the default keytool on my new Mac is the one from Java 17. And the customer boxes are running Tomcat under much older JVMs, because there's always a significant time lag before any given JVM makes it to an IBM Midrange box.
> >
> > So I was able to salvage one of the certs (and its CA reply, and its chain) by moving the cert to a keystore generated on my *old* Mac (with Java 8 as the default JVM), and then re-signing and re-chaining it in KSE. And I tested the KS on our V6 box, to make *sure* it worked.
> >
> > I then looked for a way, since my new Mac *has* a Java 8 JVM (it's just not the default), to conveniently use that JVM's Keytool, and came up with a wrapper BASH script to do the job. I tested the wrapper script by using it to generate their new keystore.
> >
> > Key takeaway (no pun intended) here: if you get an "Invalid keystore format" in Tomcat (or presumably anything else that uses Java Keystores), when generating a keystore on one box for use on another, *look for a difference in JVM.*
> >
> > --
> > JHHL
> >
>
> I moved away from using the proprietary Java keystore format.
> I switched to using Base64 PEM format. This is usually also the format you get from the certificate issuer.
> No need to convert it into Java format any more, and you can also open it with any text editor.
This is exactly what I have been doing for the past 10 years. No pointless fiddling with Java keystores.
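The thread names the cause (a keystore generated by one JVM's keytool and loaded by a much older JVM) but neither poster's wrapper script is on the page. The POSIX shell helper below is an added example, not code from either poster or from Tomcat. It does two things a practitioner would want before copying a keystore to a target box: it classifies the file by its leading bytes (JKS begins with the magic bytes fe ed fe ed, JCEKS with ce ce ce ce, a DER-encoded PKCS12 file with 0x30, and a PEM file with "-----BEGIN"), and it runs keytool from an explicitly chosen older JDK rather than whichever one is first on the PATH. A JKS loader reporting "Invalid keystore format" is consistent with being handed a file in another container format, and keytool from Java 9 and later writes PKCS12 by default where Java 8 wrote JKS. The `JAVA8_HOME` variable and the `check` subcommand are assumptions of this example; `/usr/libexec/java_home -v 1.8` is macOS's own way of locating an installed JDK by version.

```shell
#!/bin/sh
# Added example (not from the thread): detect a keystore's container format
# from its first bytes, and run keytool from a chosen older JDK so the file
# matches what the target JVM expects.

# Print the container format of FILE based on its leading bytes.
# Magic values: JKS fe ed fe ed, JCEKS ce ce ce ce, DER PKCS12 starts with
# 0x30 (ASN.1 SEQUENCE), PEM starts with "-----BEGIN" (hex 2d2d2d2d).
keystore_type() {
    file=$1
    magic=$(od -An -tx1 -N4 "$file" | tr -d ' \n')
    case $magic in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        2d2d2d2d) echo PEM ;;
        *)        echo UNKNOWN ;;
    esac
}

# Return 0 if FILE is in format EXPECTED (for example JKS for a JVM whose
# default keystore type is JKS); otherwise explain the mismatch and return 1.
check_keystore_for() {
    expected=$1
    file=$2
    actual=$(keystore_type "$file")
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "keystore $file is $actual, but the target expects $expected" >&2
    return 1
}

# Locate keytool in an older JDK. JAVA8_HOME is an assumed environment
# variable; /usr/libexec/java_home is macOS's JDK locator.
java8_keytool() {
    if [ -n "${JAVA8_HOME:-}" ]; then
        echo "$JAVA8_HOME/bin/keytool"
    elif [ -x /usr/libexec/java_home ]; then
        home=$(/usr/libexec/java_home -v 1.8) || return 1
        echo "$home/bin/keytool"
    else
        return 1
    fi
}

# Wrapper: run keytool from the older JDK with the caller's arguments.
keytool8() {
    kt=$(java8_keytool) || { echo "no Java 8 JDK found" >&2; return 1; }
    "$kt" "$@"
}

# Demo on constructed input: write only the four JKS magic bytes to a
# temporary file (not a real keystore) and classify it.
demo_constructed() {
    tmp=$(mktemp) || return 1
    printf '\376\355\376\355' > "$tmp"
    keystore_type "$tmp"
    rm -f "$tmp"
}

# Assumed command-line use: ./keystore-check.sh check JKS customer.jks
if [ "${1:-}" = check ]; then
    check_keystore_for "$2" "$3"
fi
```

Typical use is to generate with `keytool8 -genkeypair ... -keystore customer.jks` and then run `check_keystore_for JKS customer.jks` before the file leaves the workstation; the byte check catches the format mismatch without needing the target JVM at hand. Checking the first bytes is a cheap pre-flight, not a substitute for loading the keystore once on the target box, which the original poster also did.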