Re: tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements
wow. All working now. (I think; verifying the Client Cert prompt: browser is NOT prompting, but I may not have a cert for it to send.) certificateKeystoreFile etc. instead of certificateKeyFile, and truststoreFile instead of caCertificateFile. (I spent a lot of time searching and trying things. Glad I finally ASKED.) Thanks again.

On Mon, Feb 11, 2019 at 11:22 AM Christopher Schultz <ch...@christopherschultz.net> wrote:
Re: tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements
John,

On 2/11/19 10:42, John Palmer wrote:
> I'm new to implementing APR/tc-native for SSL/TLS on Windows Server 2008R2, attempting to use tomcat 8.5.37 specifying PKCS12 format in the SSLHostConfig/Certificate elements for the keystore and truststore. (I would prefer to drop the JKS format for several reasons.) Questions are: is this allowed?

Absolutely. And switching away from JCEKS/JKS files is a good idea. They never should have existed in the first place.

> if so, what am I doing wrong?

:)

> ...while the old (tomcat 7) connector element format works very well... for example:
>
>   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>   keyAlias="FQDNservername" keystoreFile="C:\certs\servername.pfx"
>   keystorePass="password" keystoreType="PKCS12" clientAuth="true"
>   truststoreFile="C:\certs\truststore.pfx" truststoreType="PKCS12"
>   truststorePass="password"
>   />
>
> trying to use these .pfx files in the new Connector/SSLHostConfig/Certificate elements doesn't work: (there's no equivalent to the ...Type attribute for certificateFile, caCertificateFile, and the description for each says ..."The format is PEM-encoded." and no equivalent for the ...Password attribute for caCertificateFile).

You want to use certificateKeystoreType="PKCS12" and certificateKeystoreFile="C:/certs/truststore.pfx". Don't use backslashes. They will ruin your life. (But in this case, it should not matter which kind of slash you use.)

I notice that you have another thread where you are trying to use tcnative. If you are using tcnative with the APR connector, you cannot use keystores such as the above. But you are specifically using the NIO2 protocol, so you will be using the OpenSSL JSSE provider, so I think you are okay.

>   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>   />
>   caCertificateFile="C:\certs\trustStore.PFX"

Change to truststoreFile="C:/certs/trustStore.PFX".

>   certificateKeyPassword="password" />

Change to certificateKeystoreFile and make sure to set certificateKeystoreType="PKCS12". Also certificateKeystorePassword="password".

Hope that helps.

-chris
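The attribute changes Chris describes, assembled into one Tomcat 8.5 connector as an added example (it is not John's server.xml or configuration from the Tomcat project): certificateFile and caCertificateFile accept only PEM, which is why OpenSSL reports "no start line" on a .pfx, whereas the certificateKeystore* and truststore* attributes take PKCS12. Port 443, the paths, the alias and the password "password" are taken from the thread and are placeholders; certificateVerification="required" is the SSLHostConfig equivalent of the old clientAuth="true".

```xml
<!-- Added example, not the configuration from the thread. Port 443, the
     file paths, the alias and the password "password" come from the thread
     and are placeholders to replace with your own values. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <!-- truststore*: replaces caCertificateFile (PEM only) for a PKCS12
         truststore; certificateVerification="required" replaces the Tomcat 7
         connector attribute clientAuth="true" (client cert is mandatory). -->
    <SSLHostConfig certificateVerification="required"
                   truststoreFile="C:/certs/truststore.pfx"
                   truststoreType="PKCS12"
                   truststorePassword="password">
        <!-- certificateKeystore*: replaces certificateFile/certificateKeyFile
             (PEM only). certificateKeystoreType defaults to JKS, so PKCS12
             must be set explicitly; certificateKeyAlias selects the entry. -->
        <Certificate certificateKeystoreFile="C:/certs/servername.pfx"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="password"
                     certificateKeyAlias="FQDNservername" />
    </SSLHostConfig>
</Connector>
```

With certificateVerification="required" a browser that has no certificate from a CA in the truststore is refused at the handshake, so a missing prompt is easier to diagnose by checking the truststore contents than by checking the server log.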
tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements
I'm new to implementing APR/tc-native for SSL/TLS on Windows Server 2008R2, attempting to use tomcat 8.5.37 specifying PKCS12 format in the SSLHostConfig/Certificate elements for the keystore and truststore. (I would prefer to drop the JKS format for several reasons.) Questions are: is this allowed? If so, what am I doing wrong?

...while the old (tomcat 7) connector element format works very well... for example:

  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  keyAlias="FQDNservername" keystoreFile="C:\certs\servername.pfx"
  keystorePass="password" keystoreType="PKCS12" clientAuth="true"
  truststoreFile="C:\certs\truststore.pfx" truststoreType="PKCS12"
  truststorePass="password"
  />

trying to use these .pfx files in the new Connector/SSLHostConfig/Certificate elements doesn't work: (there's no equivalent to the ...Type attribute for certificateFile, caCertificateFile, and the description for each says ..."The format is PEM-encoded." and no equivalent for the ...Password attribute for caCertificateFile).

  protocol="org.apache.coyote.http11.Http11Nio2Protocol"
  maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
  />
  caCertificateFile="C:\certs\trustStore.PFX"
  certificateKeyPassword="password" />

.. the above gives errors:

11-Feb-2019 08:25:06.415 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[org.apache.coyote.http11.Http11Nio2Protocol-443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:661)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 12 more
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:161)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    ... 13 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:222)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:94)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    ... 20 more

Adding certificateFile="C:\certs\servername.pfx" to the Certificate element causes this error (apparently it's expecting a PEM file):

11-Feb-2019 08:40:56.179 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-443"]
11-Feb-2019 08:40:56.226 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
 java.lang.Exception: Unable to load certificate key C:\certs\satlwsrmdwb01.pfx (error:0909006C:PEM routines:get_name:no start line)
    at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:284)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:161)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    at