DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT <http://issues.apache.org/bugzilla/show_bug.cgi?id=31856>. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.
http://issues.apache.org/bugzilla/show_bug.cgi?id=31856

Private key encoded by Java causes crash with SSLProxyMachineCertificateFile

------- Additional Comments From [EMAIL PROTECTED]  2004-10-22 21:13 -------

To reproduce the error, a certificate and key must be created using Java's
keytool, then the cert and key extracted using various means. I used
information from this web page to help me in the extraction process:

    http://mark.foster.cc/kb/openssl-keytool.html

Also note that I'm using this pre-compiled distribution to test:

    http://hunter.campbus.com/
    http://hunter.campbus.com/Apache_2.0.52-Openssl_0.9.7d-Win32.zip

Finally, I am hitting a Tomcat 5.0.28 server on the back end that is
configured to require client authentication (referencing the JKS keystore
created in step 1).

1. Create a self-signed certificate and key in JKS format using Java's
   keytool. I used j2sdk1.4.2_06 for Win32:

       D:\> D:\j2sdk1.4.2_06\bin\keytool -genkey -alias crashapache2 -keyalg RSA -keystore 31856.jks
       Password: pass12
       First and Last Name: Crash Apache2
       Name of Organizational Unit: Bugzilla
       Name of Organization: ASF
       Name of City: Forest Hill
       Name of State: Maryland
       Two-letter ISO country: US
       Is [...] correct? yes
       Enter password for <crashapache2>: [hit Enter]

2. Use keytool to extract the certificate in DER format:

       D:\> D:\j2sdk1.4.2_06\bin\keytool -export -alias crashapache2 -keystore 31856.jks -file crashapache2-der.crt
       Enter keystore password: pass12

3. Use OpenSSL to convert the DER-encoded certificate to PEM-encoded:

       D:\> D:\Apache2\bin\openssl x509 -out crashapache2.crt -outform pem -text -in crashapache2-der.crt -inform der

4. Use the ExportPriv.java class (http://mark.foster.cc/pub/java/ExportPriv.java)
   to extract the private key:

       D:\> D:\j2sdk1.4.2_06\bin\javac ExportPriv.java
       D:\> D:\j2sdk1.4.2_06\bin\java ExportPriv 31856.jks crashapache2 pass12 > crashapache2.key

5. Combine the crashapache2.crt and crashapache2.key files into a single file,
   crashapache2.crtkey, and remove the extraneous text so that the file looks
   like this:

       -----BEGIN CERTIFICATE-----
       MII...
       -----END CERTIFICATE-----
       -----BEGIN PRIVATE KEY-----
       MII...
       -----END PRIVATE KEY-----

   IMPORTANT NOTE: The file must contain UNIX-style line endings! If DOS-style
   line endings are used, the file will not be parsed properly. (I used Cygwin
   and vim to accomplish this.)

6. Reference the crashapache2.crtkey file in the SSLProxyMachineCertificateFile
   directive, restart Apache, then try to access a protected URL. The error
   messages should be printed to error.log (assuming there is an error log
   defined outside of all virtual hosts).

   IMPORTANT NOTE: The remote server MUST be set up properly to use the same
   certificate and private key, or else you will NOT see this error message.
   Instead, this message will be printed to the virtual-host-specific error log:

       [Fri Oct 22 16:08:42 2004] [error] (20014)Error string not specified yet: proxy: request failed to W.X.Y.Z:8443 (fully.qualified.host.name)
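The combined file built in step 5 is easy to get subtly wrong: DOS line endings, the human-readable dump that `-text` adds in step 3, or a BEGIN/END pair that does not match. The checker below is an added example, not part of the bug report, of ExportPriv.java or of Apache; it validates such a file before Apache is restarted and reports which private-key encoding the file carries. The function names are my own, and the base64 bodies in the constructed samples are tiny placeholder DER SEQUENCEs rather than real certificates or keys. The label mapping rests on the fact that Java's `PrivateKey.getEncoded()` returns PKCS#8 DER, which is what a `BEGIN PRIVATE KEY` label denotes, whereas OpenSSL's traditional RSA keys use `BEGIN RSA PRIVATE KEY`.

```python
"""Sanity-check a combined certificate+key PEM file before pointing
SSLProxyMachineCertificateFile at it.  Added example; names are hypothetical."""
import base64
import binascii
import re

# One PEM block: BEGIN line, base64 body, END line (file already normalised to LF).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END ([A-Z ]+)-----", re.DOTALL
)

# PEM label -> private-key encoding it signals.  Java's getEncoded() yields
# PKCS#8, hence the "BEGIN PRIVATE KEY" label seen in step 5 of the report.
KEY_LABELS = {
    "PRIVATE KEY": "PKCS#8 (unencrypted, as produced by Java's PrivateKey.getEncoded())",
    "RSA PRIVATE KEY": "PKCS#1 (traditional OpenSSL RSA key)",
    "ENCRYPTED PRIVATE KEY": "PKCS#8, encrypted",
}


def to_unix(text):
    """Convert DOS (CRLF) or bare-CR line endings to UNIX newlines."""
    return text.replace("\r\n", "\n").replace("\r", "\n")


def check_crtkey(text):
    """Return {"problems": [...], "key_format": str | None}.

    An empty "problems" list means the file has the shape step 5 asks for:
    UNIX newlines, one CERTIFICATE block, one private-key block, and nothing
    else in the file.
    """
    problems = []
    if "\r" in text:
        problems.append("DOS line endings (CR) present; file must use UNIX newlines")
    unix = to_unix(text)  # scan the blocks even if the endings are wrong

    matches = PEM_BLOCK.findall(unix)
    if unix.count("-----BEGIN ") != len(matches):
        problems.append("a BEGIN line has no matching END line")

    labels_seen = []
    key_format = None
    for begin, body, end in matches:
        if begin != end:
            problems.append(f"BEGIN {begin} is closed by END {end}")
            continue
        labels_seen.append(begin)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{begin}: body is not valid base64")
            continue
        # Certificates and keys are both DER SEQUENCEs, so the payload
        # must start with tag 0x30; anything else is a mangled body.
        if not der or der[0] != 0x30:
            problems.append(f"{begin}: payload does not start with a DER SEQUENCE")
        if begin in KEY_LABELS:
            key_format = KEY_LABELS[begin]

    if "CERTIFICATE" not in labels_seen:
        problems.append("no CERTIFICATE block found")
    if key_format is None:
        problems.append("no private key block found")

    # Text outside the blocks, e.g. the dump that "openssl x509 -text" prepends.
    leftover = PEM_BLOCK.sub("", unix).strip()
    if leftover:
        problems.append("extraneous text outside PEM blocks should be removed")
    return {"problems": problems, "key_format": key_format}


# Constructed samples: "MAMCAQA=" is the DER SEQUENCE 30 03 02 01 00, a
# placeholder standing in for the "MII..." bodies of a real cert and key.
GOOD = (
    "-----BEGIN CERTIFICATE-----\n"
    "MAMCAQA=\n"
    "-----END CERTIFICATE-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "MAMCAQA=\n"
    "-----END PRIVATE KEY-----\n"
)
DOS_ENDINGS = GOOD.replace("\n", "\r\n")
WITH_TEXT_DUMP = "Certificate:\n    Data:\n        Version: 3 (0x2)\n" + GOOD

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("dos", DOS_ENDINGS), ("dump", WITH_TEXT_DUMP)):
        result = check_crtkey(sample)
        print(name, result["key_format"], result["problems"] or "OK")
```

Run it against the real crashapache2.crtkey by reading the file in binary mode and decoding as ASCII, so that stray CR bytes survive into the check instead of being silently normalised by a text-mode open.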
