Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

[Christopher Schultz]

Brian,

On 9/13/23 23:25, Brian Wolfe wrote:

The PKCS12 is the industry standard keystore format. Your mac should be
creating it in that version. You should get familiar using the pkcs12. Its
not difficult to set it up. keytool and openssl support pkcs12 and have for
some time now. Its possible your older keystores are of the storetype JKS
or JCEKS, JKS used to be the default I think back in Java 6. Anything newer
should throw a warning telling you the industry standard is pkcs12. But you
can still open older formats by specifying the "--storetype" option. Your
getting that error because you probably didn't tell it what kind it is and
its default assumption is wrong.

Using a keystore is much better for managing your keys than using PEM
files.


Why?


It's best practice to have seperate stores for keys and for trust.


+1, and using files in PEM format do not preclude this.


by default java has the "cacerts" file for establishing trust.


True, but not terribly relevant.

-chris


On Wed, Sep 13, 2023 at 8:16 PM James H. H. Lampert
 wrote:


Java Keystores work. And I don't find them especially difficult to work
with (other than new formats not being backward-compatible with older
JVMs, and as one who has made a comfortable living banging out code for
IBM Midrange boxes for over a quarter century, I am quite familiar with
a much worse variation on that theme, namely, unless you explicitly set
the TGTRLS parameter (and have the appropriate previous version compiler
installed, and don't need to go back more than it will let you), your
programs will not even *restore* onto a prior release system.

And the one time I attempted to get anything other than a Java Keystore
to work in Tomcat, on an IBM Midrange box, I failed miserably.

Putting shell-script wrappers around two different versions of keytool
on my work Mac, so that "keytool" launches the Java 8 version, and
"keytool-default" launches the default version (in the unlikely event
that I'd ever need it) was a relatively simple exercise.

--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

[Brian Wolfe]

The PKCS12 is the industry standard keystore format. Your mac should be
creating it in that version. You should get familiar using the pkcs12. Its
not difficult to set it up. keytool and openssl support pkcs12 and have for
some time now. Its possible your older keystores are of the storetype JKS
or JCEKS, JKS used to be the default I think back in Java 6. Anything newer
should throw a warning telling you the industry standard is pkcs12. But you
can still open older formats by specifying the "--storetype" option. Your
getting that error because you probably didn't tell it what kind it is and
its default assumption is wrong.

Using a keystore is much better for managing your keys than using PEM
files. It's best practice to have seperate stores for keys and for trust.
by default java has the "cacerts" file for establishing trust.

On Wed, Sep 13, 2023 at 8:16 PM James H. H. Lampert
 wrote:

> Java Keystores work. And I don't find them especially difficult to work
> with (other than new formats not being backward-compatible with older
> JVMs, and as one who has made a comfortable living banging out code for
> IBM Midrange boxes for over a quarter century, I am quite familiar with
> a much worse variation on that theme, namely, unless you explicitly set
> the TGTRLS parameter (and have the appropriate previous version compiler
> installed, and don't need to go back more than it will let you), your
> programs will not even *restore* onto a prior release system.
>
> And the one time I attempted to get anything other than a Java Keystore
> to work in Tomcat, on an IBM Midrange box, I failed miserably.
>
> Putting shell-script wrappers around two different versions of keytool
> on my work Mac, so that "keytool" launches the Java 8 version, and
> "keytool-default" launches the default version (in the unlikely event
> that I'd ever need it) was a relatively simple exercise.
>
> --
> JHHL
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-- 
Thanks,
Brian Wolfe
https://www.linkedin.com/in/brian-wolfe-3136425a/

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

[James H. H. Lampert]

Java Keystores work. And I don't find them especially difficult to work 
with (other than new formats not being backward-compatible with older 
JVMs, and as one who has made a comfortable living banging out code for 
IBM Midrange boxes for over a quarter century, I am quite familiar with 
a much worse variation on that theme, namely, unless you explicitly set 
the TGTRLS parameter (and have the appropriate previous version compiler 
installed, and don't need to go back more than it will let you), your 
programs will not even *restore* onto a prior release system.


And the one time I attempted to get anything other than a Java Keystore 
to work in Tomcat, on an IBM Midrange box, I failed miserably.


Putting shell-script wrappers around two different versions of keytool 
on my work Mac, so that "keytool" launches the Java 8 version, and 
"keytool-default" launches the default version (in the unlikely event 
that I'd ever need it) was a relatively simple exercise.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

[Christopher Schultz]

Shawn and Mark,

On 9/13/23 09:30, Mark Thomas wrote:

On 13/09/2023 14:00, Shawn Heisey wrote:

On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote:

I moved away from using the proprietary java keystore format.
I switched to using Base64 PEM format. This is usually also the 
format you get from the certificate issuer.
No need to convert it into Java format any more and you can also open 
it with any text editor.


I have never been able to get a Java program to accept a 
certificate/key in PEM format.  The closest I've been able to come is 
creating a PKCS12 file with openssl.  Annoying because all the other 
software I use accepts PEM with no problem, and as you have said, PEM 
is the format generally produced by a CA.


How did you get it to take a PEM cert?


Tomcat has supported this for a while. The bulk of th ecode can be found 
in:


https://github.com/apache/tomcat/blob/main/java/org/apache/tomcat/util/net/jsse/PEMFile.java


I also have code on GitHub that is very similar.

https://github.com/ChristopherSchultz/pem-utils

The hard part is the wide variety of "private key" formats that are out 
there in the wild. Reading a certificate in PEM format from Java is 
pretty much a one-liner. But reading a private key in one of the many 
possible formats, encodings, encryption strategies, etc. requires miles 
and miles of code.


-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

AW: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

[Thomas Hoffmann (Speed4Trade GmbH)]

Hello,

> -Ursprüngliche Nachricht-
> Von: Shawn Heisey 
> Gesendet: Mittwoch, 13. September 2023 15:00
> An: users@tomcat.apache.org
> Betreff: Re: AW: Solution to "Invalid keystore format" (cross-posted to
> Tomcat Users List at Apache, and Java 400 List at Midrange)
> 
> On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> > I moved away from using the proprietary java keystore format.
> > I switched to using Base64 PEM format. This is usually also the format you
> get from the certificate issuer.
> > No need to convert it into Java format any more and you can also open it
> with any text editor.
> 
> I have never been able to get a Java program to accept a certificate/key in
> PEM format.  The closest I've been able to come is creating a PKCS12 file with
> openssl.  Annoying because all the other software I use accepts PEM with no
> problem, and as you have said, PEM is the format generally produced by a
> CA.
> 
> How did you get it to take a PEM cert?
> 
> Thanks,
> Shawn
> 

If you want to use it for SSL / https, my server.xml snippet looks like:







Greetings, Thomas

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

[Mark Thomas]

On 13/09/2023 14:00, Shawn Heisey wrote:

On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote:

I moved away from using the proprietary java keystore format.
I switched to using Base64 PEM format. This is usually also the format 
you get from the certificate issuer.
No need to convert it into Java format any more and you can also open 
it with any text editor.


I have never been able to get a Java program to accept a certificate/key 
in PEM format.  The closest I've been able to come is creating a PKCS12 
file with openssl.  Annoying because all the other software I use 
accepts PEM with no problem, and as you have said, PEM is the format 
generally produced by a CA.


How did you get it to take a PEM cert?


Tomcat has supported this for a while. The bulk of th ecode can be found in:

https://github.com/apache/tomcat/blob/main/java/org/apache/tomcat/util/net/jsse/PEMFile.java

Mark

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

[Shawn Heisey]

On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote:

I moved away from using the proprietary java keystore format.
I switched to using Base64 PEM format. This is usually also the format you get 
from the certificate issuer.
No need to convert it into Java format any more and you can also open it with 
any text editor.


I have never been able to get a Java program to accept a certificate/key 
in PEM format.  The closest I've been able to come is creating a PKCS12 
file with openssl.  Annoying because all the other software I use 
accepts PEM with no problem, and as you have said, PEM is the format 
generally produced by a CA.


How did you get it to take a PEM cert?

Thanks,
Shawn


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

[Michael Osipov]

On 2023/09/12 07:06:52 "Thomas Hoffmann (Speed4Trade GmbH)" wrote:
> Hallo James,
> 
> > -Ursprüngliche Nachricht-
> > Von: James H. H. Lampert 
> > Gesendet: Montag, 11. September 2023 18:31
> > An: Java 400 List ; Tomcat Users List
> > 
> > Betreff: Solution to "Invalid keystore format" (cross-posted to Tomcat Users
> > List at Apache, and Java 400 List at Midrange)
> > 
> > Ladies and Gentlemen of Both Lists:
> > 
> > Last Friday evening, I ran into a problem updating SSL/TLS keystores on two
> > customer boxes, and spent three hours yesterday, finding the cause, doping
> > out a way to salvage the certs they'd paid for, and doping out a solution to
> > keep it from happening in the future.
> > 
> > It seems that with the new keystores (generated on my Mac, initially created
> > with Keytool, and then maintained with Keystore Explorer), they were
> > getting:
> > 
> >  >   Throwable occurred: java.io.IOException: Invalid keystore format
> > >   at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
> > >   at java.security.KeyStore.load(KeyStore.java:414)
> > 
> > I put them back on their old keystores, and cycled Tomcat again, to get them
> > back up, and then spent three hours working the problem yesterday
> > (Sunday) afternoon.
> > 
> > It turns out that the default keytool on my new Mac is the one from Java 17.
> > And the customer boxes are running Tomcat under much older JVMs,
> > because there's always a significant time lag before any given JVM makes it
> > to an IBM Midrange box.
> > 
> > So I was able to salvage one of the certs (and its CA reply, and its
> > chain) by moving the cert to a keystore generated on my *old* Mac (with
> > Java 8 as the default JVM), and then re-signing and re-chaining it in KSE. 
> > And I
> > tested the KS on our V6 box, to make *sure* it worked.
> > 
> > I then looked for a way, since my new Mac *has* a Java 8 JVM (it's just not
> > the default), to conveniently use that JVM's Keytool, and came up with a
> > wrapper BASH script to do the job. I tested the wrapper script by using it 
> > to
> > generate their new keystore.
> > 
> > Key takeaway (no pun intended) here: if you get an "Invalid keystore
> > format" in Tomcat (or presumably anything else that uses Java Keystores),
> > when generating a keystore on one box for use on another, *look for a
> > difference in JVM.*
> > 
> > --
> > JHHL
> > 
> 
> I moved away from using the proprietary java keystore format.
> I switched to using Base64 PEM format. This is usually also the format you 
> get from the certificate issuer.
> No need to convert it into Java format any more and you can also open it with 
> any text editor.

This is exactly the same what I have been doing for the past 10 years. No 
pointless fiddling with Java keystores.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

[Thomas Hoffmann (Speed4Trade GmbH)]

Hallo James,

> -Ursprüngliche Nachricht-
> Von: James H. H. Lampert 
> Gesendet: Montag, 11. September 2023 18:31
> An: Java 400 List ; Tomcat Users List
> 
> Betreff: Solution to "Invalid keystore format" (cross-posted to Tomcat Users
> List at Apache, and Java 400 List at Midrange)
> 
> Ladies and Gentlemen of Both Lists:
> 
> Last Friday evening, I ran into a problem updating SSL/TLS keystores on two
> customer boxes, and spent three hours yesterday, finding the cause, doping
> out a way to salvage the certs they'd paid for, and doping out a solution to
> keep it from happening in the future.
> 
> It seems that with the new keystores (generated on my Mac, initially created
> with Keytool, and then maintained with Keystore Explorer), they were
> getting:
> 
>  >   Throwable occurred: java.io.IOException: Invalid keystore format
> >   at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
> >   at java.security.KeyStore.load(KeyStore.java:414)
> 
> I put them back on their old keystores, and cycled Tomcat again, to get them
> back up, and then spent three hours working the problem yesterday
> (Sunday) afternoon.
> 
> It turns out that the default keytool on my new Mac is the one from Java 17.
> And the customer boxes are running Tomcat under much older JVMs,
> because there's always a significant time lag before any given JVM makes it
> to an IBM Midrange box.
> 
> So I was able to salvage one of the certs (and its CA reply, and its
> chain) by moving the cert to a keystore generated on my *old* Mac (with
> Java 8 as the default JVM), and then re-signing and re-chaining it in KSE. 
> And I
> tested the KS on our V6 box, to make *sure* it worked.
> 
> I then looked for a way, since my new Mac *has* a Java 8 JVM (it's just not
> the default), to conveniently use that JVM's Keytool, and came up with a
> wrapper BASH script to do the job. I tested the wrapper script by using it to
> generate their new keystore.
> 
> Key takeaway (no pun intended) here: if you get an "Invalid keystore
> format" in Tomcat (or presumably anything else that uses Java Keystores),
> when generating a keystore on one box for use on another, *look for a
> difference in JVM.*
> 
> --
> JHHL
> 

I moved away from using the proprietary java keystore format.
I switched to using Base64 PEM format. This is usually also the format you get 
from the certificate issuer.
No need to convert it into Java format any more and you can also open it with 
any text editor.

Greetings,
Thomas

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org