Hi Mark,

I just recently tested Step CA (smallstep.com) as an internal CA that provides 
an internal ACME service.

After I deployed the created cert to my Tomcat (8.5.50 with AdoptOpenJDK 11) I 
noticed that while the OpenSSL connector immediately started, the JSSE 
connector with the same cert would fail with a 
"java.security.KeyStoreException: Cannot store non-PrivateKeys".
I also use the OpenSSL XML certificate config for JSSE.

It took me quite a while to figure this one out, as the message usually 
indicates a public key as cert. I noticed that Step CA is creating ECDSA certs 
by default. The OpenSSL connector delivers the new ECDSA cert just fine.

While Java (afaik) seems to be able to handle ECDSA, Tomcat will fall through a 
case statement in org.apache.tomcat.util.net.jsse.PEMFile.

When loading the PEM file parts, it will skip all cases in

        for (Part part : parts) {
            switch (part.type) {
                case "PRIVATE KEY":
                    privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8);
                    break;
                case "ENCRYPTED PRIVATE KEY":
                    privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8);
                    break;
                case "RSA PRIVATE KEY":
                    privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);
                    break;
                case "CERTIFICATE":
                case "X509 CERTIFICATE":
                    certificates.add(part.toCertificate());
                    break;
            }
        }

as an EC certificate will start with "EC PRIVATE KEY".

Is this something that is expected? ECDSA unsupported? Or just an incomplete 
implementation, edge case or a bug?

Best regards

Peter
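Added example (not part of Peter's mail and not Tomcat's own code): a pure-stdlib Python script that splits a PEM file into parts and sorts them the way the PEMFile switch quoted above does, so an "EC PRIVATE KEY" part shows up as skipped, and then rewraps that SEC1 ECPrivateKey (RFC 5915) into a PKCS#8 PrivateKeyInfo so the file carries the "PRIVATE KEY" header the JSSE connector does accept. The sample key is constructed inside the script (a P-256 scalar of 0x01..0x20 with no public-key field) and is not a real deployment key; on a real file the same rewrap is what `openssl pkcs8 -topk8 -nocrypt -in ec.key -out ec-pkcs8.key` produces. The curve OID is taken from the key's own [0] parameters field, so the script refuses keys that carry no named curve rather than guessing one.

```python
"""Classify PEM parts like Tomcat's PEMFile switch and rewrap SEC1
"EC PRIVATE KEY" parts as PKCS#8 "PRIVATE KEY". Pure stdlib, offline."""
import base64
import re

# Header types the quoted PEMFile switch handles; everything else falls through.
TOMCAT_KEY_TYPES = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY"}
TOMCAT_CERT_TYPES = {"CERTIFICATE", "X509 CERTIFICATE"}

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text):
    """Return [(type, der_bytes)] for every PEM part in the file, in order."""
    return [(m.group(1), base64.b64decode(m.group(2))) for m in PEM_RE.finditer(text)]


def classify(parts):
    """Mimic PEMFile: which part supplies the key, and which parts are skipped."""
    result = {"private_key": None, "certificates": 0, "skipped": []}
    for ptype, _ in parts:
        if ptype in TOMCAT_KEY_TYPES:
            result["private_key"] = ptype
        elif ptype in TOMCAT_CERT_TYPES:
            result["certificates"] += 1
        else:
            result["skipped"].append(ptype)
    return result


# --- minimal DER helpers -------------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, content, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    pos, out = 0, []
    while pos < len(body):
        tag, inner, pos = der_read(body, pos)
        out.append((tag, inner))
    return out


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


ID_EC_PUBLIC_KEY = encode_oid("1.2.840.10045.2.1")   # AlgorithmIdentifier for EC keys


def sec1_to_pkcs8(sec1_der):
    """Wrap an RFC 5915 ECPrivateKey in a PKCS#8 PrivateKeyInfo (RFC 5208)."""
    tag, body, _ = der_read(sec1_der)
    if tag != 0x30:
        raise ValueError("ECPrivateKey must be a SEQUENCE")
    fields = der_children(body)
    if fields[0] != (0x02, b"\x01"):
        raise ValueError("unsupported ECPrivateKey version")
    curve = next((inner for t, inner in fields if t == 0xA0), None)  # [0] parameters
    if curve is None or curve[0] != 0x06:
        raise ValueError("ECPrivateKey has no named-curve parameters; refusing to guess")
    alg_id = der_tlv(0x30, ID_EC_PUBLIC_KEY + curve)
    # version 0, AlgorithmIdentifier, privateKey OCTET STRING holding the SEC1 key as-is
    return der_tlv(0x30, der_tlv(0x02, b"\x00") + alg_id + der_tlv(0x04, sec1_der))


def to_pem(ptype, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (ptype, "\n".join(lines), ptype)


def convert_for_jsse(pem_text):
    """Rewrite only the EC PRIVATE KEY part; certificates and other parts pass through."""
    out = []
    for ptype, der in split_pem(pem_text):
        if ptype == "EC PRIVATE KEY":
            ptype, der = "PRIVATE KEY", sec1_to_pkcs8(der)
        out.append(to_pem(ptype, der))
    return "".join(out)


def sample_sec1_key():
    """Constructed test key (NOT a real key): P-256 scalar 0x01..0x20, no public-key field."""
    scalar = bytes(range(1, 33))
    params = der_tlv(0xA0, encode_oid("1.2.840.10045.3.1.7"))   # prime256v1 / P-256
    return der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0x04, scalar) + params)


SAMPLE_PEM = to_pem("EC PRIVATE KEY", sample_sec1_key())   # what step/openssl ecparam hands you

if __name__ == "__main__":
    print("as loaded by PEMFile:", classify(split_pem(SAMPLE_PEM)))
    fixed = convert_for_jsse(SAMPLE_PEM)
    print("after rewrap:        ", classify(split_pem(fixed)))
    print(fixed)
```

Run it as-is to see the before/after classification, or point `convert_for_jsse` at the contents of the certificateKeyFile Step CA issued and feed the result to the JSSE connector.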
