On Oct 26, 2012, at 5:11 AM, Brian Burch wrote:

> My production tomcat 7.0.26 (and its predecessors back as far as tc 5) have
> been running with its original SSL server certificate in a JKS keystore for
> many years.
>
> I decided to retire my ancient java-based Certificate Authority and create a
> new CA using openssl 1.0.1 under ubuntu linux.

Just my $0.02, but if you are just using Java-based applications, stick with keytool. It will save you time.

> I followed the guidance in
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
>
> I thought it would be sensible to generate all my new certificates and
> keystores using only openssl, so that I could use the same procedures for
> java and non-java applications. This meant I needed to produce a PKCS12
> keystore for tomcat to use.
>
> I hit a succession of problems and resolved them, so I thought it would be
> helpful to update the wiki once I had a keystore that worked properly
> (details of tips and gotchas available).
>
> There are a lot of variables that I've explored, but I haven't yet succeeded
> with my "pure openssl" approach.

I believe that what you are trying to do should work. It might be easier to debug if we could see a list of the commands that you've run. Maybe just copy and paste your shell session?

> I do have a PKCS12 keystore that keytool (with the -storetype pkcs12 option)
> can list perfectly, but tomcat cannot open (with keystoreType="pkcs12" in the
> Connector). Both tomcat and keytool are running from
> java-6-sun-1.6.0.26/jre/lib/i386. The log shows:
>
> 17-Oct-2012 15:33:51 org.apache.coyote.AbstractProtocol init
> SEVERE: Failed to initialize end point associated with ProtocolHandler
> ["http-bio-443"]
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
> at sun.security.util.DerInputStream.getLength(DerInputStream.java:544)

Please include your connector configuration.

Dan

> To understand the problem better, I started again by using keytool
> -genkeypair and then -certreq. I issued the new certificate with openssl and
> then imported the certificate chain into the JKS keystore.
>
> At this point I don't actually have a problem, because both keytool and
> tomcat are satisfied with the new keystore and my production system has been
> converted successfully.
>
> I hit some problems with this second approach (keytool genkeypair), and so I
> could add a few notes to the wiki entry. However, I'm bothered that I
> couldn't get the first approach to work (pure openssl with pkcs12).
>
> Google throws up a lot of matches for the DerInputStream.getLength error -
> even one from Mark Thomas about tomcat 4! I found a lot of red herrings, and
> a few useful ideas, but nothing to resolve my problem.
>
> It isn't encouraging to see "man pkcs12" ending with the sentence "Some would
> argue that the PKCS#12 standard is one big bug :-)", and yet JKS has to be a
> dead-end approach because it only applies to java.
>
> I have another system with java-7-openjdk-i386, but I haven't yet done any
> work on it. This openjdk does not ship with a keytool program, and so I
> presume it will use openssl.
>
> I wonder whether I have hit a sun java 6 (and 7?) bug that is of limited
> interest - does anyone have any thoughts?
>
> Thanks..
>
> Brian
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> ---------------------------------------------------------------------
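The "pure openssl" route Brian describes (OpenSSL CA, CA-signed server certificate, PKCS12 keystore that both keytool and the Tomcat Connector read) as an added, self-contained example; this is not code from the thread or from the Tomcat project. All file names, the CA and server subjects and the `changeit` password are constructed for the demo, and everything is written to a temporary directory.

```bash
#!/bin/sh
# Added example: build a PKCS12 keystore for Tomcat using only OpenSSL,
# then check it the way keytool and Tomcat will read it. Names and the
# "changeit" password are constructed for this demo.
set -e

build_pkcs12_keystore() {
    work=$(mktemp -d)
    cd "$work"

    # 1. A throw-away CA, standing in for the OpenSSL-based CA in the thread.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Test CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

    # 2. Server key and CSR, then a CA-signed server certificate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout server.key -out server.csr >/dev/null 2>&1
    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 365 -out server.crt >/dev/null 2>&1

    # 3. Export key + leaf cert + CA chain into one PKCS12 bundle under a
    #    single password. Tomcat's keystorePass must equal this export
    #    password; a key password that differs from the store password is a
    #    common reason a bundle lists fine in keytool but fails in Tomcat.
    #    Very old JREs cannot read the AES/PBKDF2 encryption that OpenSSL 3
    #    uses by default; for those, add -legacy (OpenSSL 3) when exporting.
    openssl pkcs12 -export -in server.crt -inkey server.key -certfile ca.crt \
        -name tomcat -passout pass:changeit -out tomcat.p12

    # 4. Sanity checks: OpenSSL must parse the bundle back, and keytool
    #    (when present on this host) must list a PrivateKeyEntry, which is
    #    what the Connector needs to find under keystoreType="pkcs12".
    openssl pkcs12 -in tomcat.p12 -passin pass:changeit -info -noout >/dev/null 2>&1
    if command -v keytool >/dev/null 2>&1; then
        keytool -list -storetype pkcs12 -keystore tomcat.p12 \
            -storepass changeit | grep -q PrivateKeyEntry
    fi

    # Matching Connector attributes for server.xml (per the Tomcat SSL how-to):
    #   keystoreFile="$work/tomcat.p12" keystorePass="changeit" keystoreType="pkcs12"
    echo "$work/tomcat.p12"
}
```

The function prints the path of the finished keystore, so it can be dropped straight into `keystoreFile`.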