My production tomcat 7.0.26 (and its predecessors back as far as tc 5)
has been running with its original SSL server certificate in a JKS
keystore for many years.
I decided to retire my ancient java-based Certificate Authority and
create a new CA using openssl 1.0.1 under ubuntu linux.
I followed the guidance in
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
I thought it would be sensible to generate all my new certificates and
keystores using only openssl, so that I could use the same procedures
for java and non-java applications. This meant I needed to produce a
PKCS12 keystore for tomcat to use.
I hit a succession of problems and resolved them, so I thought it would
be helpful to update the wiki once I had a keystore that worked properly
(details of tips and gotchas available).
There are a lot of variables that I've explored, but I haven't yet
succeeded with my "pure openssl" approach. I do have a PKCS12 keystore
that keytool (with the -storetype pkcs12 option) can list perfectly, but
tomcat cannot open (with keystoreType="pkcs12" in the Connector). Both
tomcat, and keytool are running from java-6-sun-1.6.0.26/jre/lib/i386.
The log shows:
17-Oct-2012 15:33:51 org.apache.coyote.AbstractProtocol init
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)
To understand the problem better, I started again by using keytool
-genkeypair and then -certreq. I issued the new certificate with openssl
and then imported the certificate chain into the JKS keystore.
At this point I don't actually have a problem, because both keytool and
tomcat are satisfied with the new keystore and my production system has
been converted successfully.
I hit some problems with this second approach (keytool -genkeypair), and
so I could add a few notes to the wiki entry. However, I'm bothered that
I couldn't get the first approach to work (pure openssl with pkcs12).
Google throws up a lot of matches for the DerInputStream.getLength error
- even one from Mark Thomas about tomcat 4! I found a lot of red
herrings, and a few useful ideas, but nothing to resolve my problem.
It isn't encouraging to see "man pkcs12" ending with the sentence "Some
would argue that the PKCS#12 standard is one big bug :-)", and yet JKS
has to be a dead-end approach because it only applies to java.
I have another system with java-7-openjdk-i386, but I haven't yet done
any work on it. This openjdk does not ship with a keytool program, and
so I presume it will use openssl.
I wonder whether I have hit a sun java 6 (and 7?) bug that is of limited
interest - does anyone have any thoughts?
Thanks.
Brian
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
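As an added example, not from Brian's post or from the Tomcat project, here is a small Python check that mirrors the length decoding in sun.security.util.DerInputStream (the rule that produces "lengthTag=N, too big") and classifies the first bytes of a keystore file as JKS, PEM text, or a binary DER envelope such as a PKCS#12 PFX. The JKS magic number and the Java length-decoding rules are from my own knowledge, not from the page; run it on the exact file that keystoreFile in server.xml points at.

```python
"""Diagnose why Java's DER reader rejects a keystore file.

Added example (not part of the original mailing-list post). Assumptions:
a PKCS#12 file is an outer DER SEQUENCE (tag 0x30), a JKS file starts with
the magic bytes FE ED FE ED, and DerInputStream.getLength() accepts a
short-form length (< 0x80) or a long form with at most 4 length bytes.
"""
import sys


class DerError(Exception):
    """Raised with a message modelled on the Java IOException text."""


def der_length(buf, pos):
    """Decode the DER length at buf[pos]; return (length, index after it).

    Short form: the byte itself is the length.  Long form: low 7 bits give
    the number of following length bytes; Java allows at most 4, so a
    length byte of 0xED (0x80 | 109) yields 'lengthTag=109, too big.'
    """
    lenbyte = buf[pos]
    if lenbyte & 0x80 == 0:
        return lenbyte, pos + 1
    n = lenbyte & 0x7F
    if n == 0:
        raise DerError("indefinite length (0x80) is not valid DER")
    if n > 4:
        raise DerError("DerInputStream.getLength(): lengthTag=%d, too big." % n)
    value = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    return value, pos + 1 + n


def inspect_keystore(data):
    """Return 'jks', 'pem' or 'der'; raise DerError if the DER header is bad."""
    if data[:4] == b"\xfe\xed\xfe\xed":
        return "jks"
    if data.lstrip().startswith(b"-----BEGIN"):
        return "pem"          # base64 text, which Java's DER reader cannot parse
    if not data or data[0] != 0x30:
        raise DerError("first byte is not a SEQUENCE tag (0x30); not a PFX")
    length, body = der_length(data, 1)
    if body + length != len(data):
        raise DerError("outer SEQUENCE declares %d bytes, file holds %d"
                       % (length, len(data) - body))
    return "der"


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        print(inspect_keystore(fh.read()))
```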