Hi Mark,

I just recently tested Step CA (smallstep.com) as an internal CA that provides an internal ACME service.

After I deployed the created cert to my Tomcat (8.5.50 with AdoptOpenJDK 11) I noticed that while the OpenSSL connector immediately started, the JSSE connector with the same cert would fail with a "java.security.KeyStoreException: Cannot store non-PrivateKeys". I use the OpenSSL XML certificate config also for JSSE. It took me quite a while to figure this one out, as the message usually indicates a public key as cert.

I noticed that Step CA is creating ECDSA certs by default. The OpenSSL connector delivers the new ECDSA cert just fine. While Java (afaik) seems to be able to handle ECDSA, Tomcat will fall through a case statement in org.apache.tomcat.util.net.jsse.PEMFile. When loading the PEM file parts it will skip all cases in

    for (Part part : parts) {
        switch (part.type) {
            case "PRIVATE KEY":
                privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8);
                break;
            case "ENCRYPTED PRIVATE KEY":
                privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8);
                break;
            case "RSA PRIVATE KEY":
                privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);
                break;
            case "CERTIFICATE":
            case "X509 CERTIFICATE":
                certificates.add(part.toCertificate());
                break;
        }
    }

as an EC certificate will start with "EC PRIVATE KEY".

Is this something that is expected? ECDSA unsupported? Or just an incomplete implementation, edge case or a bug?

Best regards
Peter
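Added example, not code from the original post, from Tomcat or from Step CA: a stdlib-only Python script that mirrors the label switch quoted above, reports which PEM blocks that switch would skip, and rewraps a SEC1 "EC PRIVATE KEY" block (RFC 5915) as a PKCS#8 "PRIVATE KEY" block (RFC 5208), which is the form the `Format.PKCS8` branch accepts. HANDLED_LABELS is copied from the switch as posted; the sample key is a constructed placeholder (valid DER structure, made-up scalar and point, not a real key); all function names are the example's own.

```python
# Added example (not Tomcat's or Step CA's code): why a label-based PEM switch
# skips "EC PRIVATE KEY", and how to rewrap such a key as PKCS#8 "PRIVATE KEY".
import base64
import re

# Labels handled by the switch as posted; any other BEGIN label falls through.
HANDLED_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
                  "CERTIFICATE", "X509 CERTIFICATE"}
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # OID 1.2.840.10045.2.1
PRIME256V1 = bytes.fromhex("2a8648ce3d030107")      # OID 1.2.840.10045.3.1.7
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_parts(text):
    """Return (label, der_bytes) for every PEM block in text, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def unhandled_labels(text):
    """Labels the quoted switch would silently skip (the failure mode in the post)."""
    return [label for label, _ in pem_parts(text) if label not in HANDLED_LABELS]


def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# --- minimal DER TLV encode/decode ---------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content


def read_tlv(buf, pos=0):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(content):
    """Split a constructed value into (tag, content, raw_tlv) triples."""
    out, pos = [], 0
    while pos < len(content):
        start = pos
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body, content[start:pos]))
    return out


def sec1_to_pkcs8(sec1_der):
    """Wrap an RFC 5915 ECPrivateKey in an RFC 5208 PrivateKeyInfo:
    SEQUENCE { version 0, AlgorithmIdentifier{id-ecPublicKey, curve}, OCTET STRING }.
    The curve OID moves from the SEC1 [0] field into the AlgorithmIdentifier and
    is dropped from the inner copy, as RFC 5915 allows and openssl pkcs8 does."""
    tag, content, _ = read_tlv(sec1_der)
    if tag != 0x30:
        raise ValueError("ECPrivateKey must be a SEQUENCE")
    fields = children(content)
    if fields[0][:2] != (0x02, b"\x01"):
        raise ValueError("unexpected ECPrivateKey version")
    params = [f for f in fields if f[0] == 0xA0]
    if not params:
        raise ValueError("no namedCurve parameters; cannot build AlgorithmIdentifier")
    curve_oid_tlv = params[0][1]  # content of [0] is the curve OID TLV
    alg_id = tlv(0x30, tlv(0x06, ID_EC_PUBLIC_KEY) + curve_oid_tlv)
    inner = tlv(0x30, b"".join(raw for t, _, raw in fields if t != 0xA0))
    return tlv(0x30, tlv(0x02, b"\x00") + alg_id + tlv(0x04, inner))


def convert_ec_pem(text):
    """Rewrite every "EC PRIVATE KEY" block as PKCS#8; pass other blocks through."""
    out = []
    for label, der in pem_parts(text):
        if label == "EC PRIVATE KEY":
            out.append(to_pem("PRIVATE KEY", sec1_to_pkcs8(der)))
        else:
            out.append(to_pem(label, der))
    return "".join(out)


# --- constructed sample input (NOT a real key: placeholder scalar and point) ---
def constructed_sec1_key():
    scalar = bytes(range(1, 33))            # 32 placeholder bytes
    point = b"\x04" + bytes(range(64))      # placeholder uncompressed point
    return tlv(0x30, tlv(0x02, b"\x01")                        # version 1
                     + tlv(0x04, scalar)                       # privateKey
                     + tlv(0xA0, tlv(0x06, PRIME256V1))        # [0] namedCurve
                     + tlv(0xA1, tlv(0x03, b"\x00" + point)))  # [1] publicKey

# Key block followed by a placeholder CERTIFICATE block, as in a combined PEM file.
SAMPLE_PEM = (to_pem("EC PRIVATE KEY", constructed_sec1_key())
              + to_pem("CERTIFICATE", tlv(0x30, b"")))

if __name__ == "__main__":
    print("skipped by the switch:", unhandled_labels(SAMPLE_PEM))
    print(convert_ec_pem(SAMPLE_PEM))
```

The converter produces the same layout as the usual command-line fix, `openssl pkcs8 -topk8 -nocrypt -in ec.key -out pkcs8.key`: the "EC PRIVATE KEY" label and the SEC1 structure behind it are what the quoted switch has no case for, while the resulting "PRIVATE KEY" block is matched by the first case and parsed as PKCS#8. `unhandled_labels` is the quick check to run on a PEM file before handing it to a loader that dispatches on the BEGIN label.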