Some of my prior cert/key manipulation steps were incorrect. This sequence worked for me both on Windows and Linux:
# create keys and keystore
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

# convert keystore to .p12 format
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -deststoretype PKCS12 -srcalias selfsigned -deststorepass password -destkeypass password

# export cert from keystore to pem format
openssl pkcs12 -in keystore.p12 -nokeys -out cert.pem

# export private key from keystore to pem format
openssl pkcs12 -in keystore.p12 -nodes -nocerts -out key.pem

# convert cert from pem to der format
openssl x509 -outform der -in cert.pem -out test.cert

# convert private key from pem to der format
openssl rsa -outform der -in key.pem -out test.key

Dan

On Saturday, May 16, 2015 at 9:17:15 AM UTC-4, Dan wrote:
> Thanks Stefan,
>
> I was not aware of log files being put in the database folder... I was only
> looking at console output and the log file under data/log. So, this should
> help me troubleshoot the problem.
>
> Thanks, Dan
>
> On Saturday, May 16, 2015 at 5:14:17 AM UTC-4, Stefan Armbruster wrote:
>
>> Dan,
>>
>> following your procedure I get in data/graph.db/messages.log:
>>
>> Caused by: java.security.InvalidKeyException: IOException : DER input, Integer tag error
>>         at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:350) ~[na:1.7.0_80]
>>         at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356) ~[na:1.7.0_80]
>>         at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:91) ~[na:1.7.0_80]
>>         at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:75) ~[na:1.7.0_80]
>>         at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:316) ~[na:1.7.0_80]
>>         at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:213) ~[na:1.7.0_80]
>>
>> Don't yet understand what this means, but it looks like the format of the
>> keyfile is wrong.
>>
>> Some years ago I added support for chained certificates, see my
>> reply on http://stackoverflow.com/questions/29481750/neo4j-certificate-chain.
>> Maybe that helps.
>>
>> Cheers,
>> Stefan
>>
>> 2015-05-16 3:00 GMT+02:00 Dan <[email protected]>:
>> > I'm having trouble getting neo4j to work with my own SSL certificates (this
>> > is both on Windows and Linux). When attempting to start the server it sits at
>> > the log entry "Enabling HTTPS on port :7473" for around 7 seconds and then
>> > terminates with no error message.
>> >
>> > So, I'm not sure if there is a problem with the format of the certificates
>> > I'm dealing with vs what neo4j expects. If I use neo4j's
>> > SslCertificateFactory.java code to create a self-signed certificate, that also
>> > works. But when I use my company's certs or one I create via keytool (as
>> > below), the server never starts. Here is an example of some testing I did
>> > recently with a self-signed certificate generated via keytool that does not
>> > work. I thought I read somewhere that neo4j expects certs to be in "der"
>> > format, which is what I did below.
>> >
>> > I am more used to configuring SSL in jetty (for example) where I simply list
>> > in the jetty.xml file the keystore path and password, as opposed to including
>> > the individual certificates as separate files as neo4j appears to require.
>> >
>> > Any help resolving this problem would be appreciated.
>> >
>> > Sample steps I followed to create certs that did not work are as follows:
>> >
>> > *** create keys and keystore
>> > keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
>> >
>> > *** export certificate from keystore
>> > keytool -export -alias selfsigned -file test.cert -keystore keystore.jks
>> >
>> > *** export private key from keystore
>> > keytool -v -importkeystore -srckeystore keystore.jks -srcalias selfsigned -destkeystore test.p12 -deststoretype PKCS12
>> > openssl pkcs12 -in test.p12 -out test.pem
>> > openssl x509 -outform der -in test.pem -out test.key
>> >
>> > **** changed relevant lines in neo4j-server.properties
>> > # Certificate location (auto generated if the file does not exist)
>> > #org.neo4j.server.webserver.https.cert.location=conf/ssl/snakeoil.cert
>> > org.neo4j.server.webserver.https.cert.location=E:/CERTS/test.cert
>> > # Private key location (auto generated if the file does not exist)
>> > #org.neo4j.server.webserver.https.key.location=conf/ssl/snakeoil.key
>> > org.neo4j.server.webserver.https.key.location=E:/CERTS/test.key
>> > # Internally generated keystore (don't try to put your own
>> > # keystore there, it will get deleted when the server starts)
>> > org.neo4j.server.webserver.https.keystore.location=data/keystore
>> >
>> > When starting the neo4j server, the following log entries appear. It sits at
>> > the "Enabling HTTPS on port :7473" step for 7 seconds
>> > and then the server terminates (and no error message appears on screen or in any
>> > log file).
>> >
>> > 2015-05-16 00:28:11.203+0000 INFO  [API] Setting startup timeout to: 120000ms based on 120000
>> > 2015-05-16 00:28:13.658+0000 INFO  [API] Successfully started database
>> > 2015-05-16 00:28:13.696+0000 INFO  [API] Starting HTTP on port :7474 with 4 threads available
>> > 2015-05-16 00:28:13.840+0000 INFO  [API] Enabling HTTPS on port :7473
>> > May 15, 2015 8:28:20 PM org.neo4j.wrapper.NeoServiceWrapper launchAsConsoleApp
>> > INFO: Params
>> > May 15, 2015 8:28:20 PM org.neo4j.wrapper.NeoServiceWrapper launchAsConsoleApp
>> > INFO: -Dorg.neo4j.server.properties="conf/neo4j-server.properties"
>> > ...
>> > ...
>> >
>> > --
>> > You received this message because you are subscribed to the Google Groups "Neo4j" group.
>> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>> > For more options, visit https://groups.google.com/d/optout.
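The stack trace Stefan found explains why the first sequence of steps failed and the corrected one at the top of the thread works. Java's PKCS8Key.decode reads the outer SEQUENCE of the key file and then expects an INTEGER (the version field that both a PKCS#8 PrivateKeyInfo and a PKCS#1 RSAPrivateKey start with); "DER input, Integer tag error" means it found something else. In the original steps the file written to test.key came from "openssl x509", which outputs the certificate, and an X.509 Certificate's outer SEQUENCE starts with another SEQUENCE (tbsCertificate), which is exactly the tag mismatch the error reports. The corrected steps export the key with "openssl pkcs12 -nocerts" and convert it with "openssl rsa", so the key file really contains a key. The script below is an added example, not code from the thread or from Neo4j: a standard-library-only DER sniffer that names what a PEM or DER file actually contains, so the two files can be checked before they are pointed at by the https.cert.location and https.key.location settings. The DER structures at the bottom are constructed skeletons (not real keys or certificates), built with the small tlv() helper only so the checks can run offline; on a real system you would run it on test.cert and test.key.

```python
import base64
import re
import sys

SEQUENCE, INTEGER, BIT_STRING, OCTET_STRING, NULL, OBJECT_ID = 0x30, 0x02, 0x03, 0x04, 0x05, 0x06
# DER contents of OBJECT IDENTIFIER 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER tag-length-value element at pos -> (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length: (first & 0x7F) length bytes follow
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:pos + length], pos + length


def to_der(data: bytes) -> bytes:
    """Accept PEM (-----BEGIN ...-----) or raw DER; return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END", data, re.S)
        if not m:
            raise ValueError("malformed PEM")
        return base64.b64decode(b"".join(m.group(1).split()))
    return data


def classify(data: bytes) -> str:
    """Name the structure in a DER/PEM file from the first elements of its outer SEQUENCE."""
    try:
        der = to_der(data)
        tag, body, end = read_tlv(der)
        if tag != SEQUENCE:
            return "not-der-sequence"
        if end != len(der):
            return "trailing-garbage"
        tag1, _, pos = read_tlv(body)
        if tag1 == SEQUENCE:               # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
            return "x509-certificate"
        if tag1 != INTEGER:                # both private-key formats start with an INTEGER version
            return "unknown"
        tag2, val2, _ = read_tlv(body, pos)
        if tag2 == SEQUENCE:               # PKCS#8 PrivateKeyInfo: version, AlgorithmIdentifier, OCTET STRING
            oid_tag, oid, _ = read_tlv(val2)
            return "pkcs8-rsa-private-key" if (oid_tag, oid) == (OBJECT_ID, RSA_ENCRYPTION_OID) else "pkcs8-private-key"
        if tag2 == INTEGER:                # PKCS#1 RSAPrivateKey: version, modulus, publicExponent, ...
            return "pkcs1-rsa-private-key"
        return "unknown"
    except ValueError as exc:
        return f"malformed ({exc})"


def check_pair(cert_data: bytes, key_data: bytes) -> list:
    """Pre-flight check for the two files: a list of problems, empty when both look right."""
    problems = []
    cert_kind, key_kind = classify(cert_data), classify(key_data)
    if cert_kind != "x509-certificate":
        problems.append(f"cert file is {cert_kind}, expected x509-certificate")
    if not key_kind.endswith("private-key"):
        problems.append(f"key file is {key_kind}, expected a private key "
                        "(a certificate here produces the 'DER input, Integer tag error')")
    return problems


def tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed, structurally valid skeletons (not real keys or certificates), for demonstration only.
RSA_ALG_ID = tlv(SEQUENCE, tlv(OBJECT_ID, RSA_ENCRYPTION_OID) + tlv(NULL, b""))
SAMPLE_CERT = tlv(SEQUENCE, tlv(SEQUENCE, tlv(0xA0, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01"))
                  + RSA_ALG_ID + tlv(BIT_STRING, b"\x00" * 17))
SAMPLE_PKCS8_KEY = tlv(SEQUENCE, tlv(INTEGER, b"\x00") + RSA_ALG_ID + tlv(OCTET_STRING, b"\x30\x00"))
SAMPLE_PKCS1_KEY = tlv(SEQUENCE, tlv(INTEGER, b"\x00") + tlv(INTEGER, b"\x00\xc3") + tlv(INTEGER, b"\x01\x00\x01"))
SAMPLE_PEM_CERT = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_CERT) + b"-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # usage: python der_check.py test.cert test.key
    with open(sys.argv[1], "rb") as c, open(sys.argv[2], "rb") as k:
        report = check_pair(c.read(), k.read())
    print("\n".join(report or ["OK: cert and key files are the expected kinds of file"]))
```

This only checks that each file is the right kind of structure; it does not prove the key belongs to the certificate. For that, compare the output of "openssl x509 -noout -modulus -inform der -in test.cert" with "openssl rsa -noout -modulus -inform der -in test.key" (the two modulus lines must be identical). Whether the server wants the PKCS#1 form that "openssl rsa -outform der" writes or the PKCS#8 form is not stated in the thread, which is why the classifier reports both kinds by name rather than judging between them.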
