Peter,
On 12/26/19 18:55, logo wrote:
> Hi Mark, I hope it's okay if I reply. :)
> I just recently tested Step CA (smallstep.com) as an internal CA
> that provides an internal ACME service.
>
> After I deployed the created cert to my Tomcat (8.5.50 with
> adoptopenjdk 11) I noticed that while the openssl connector
> immediately started, the JSSE connector with the same cert would
> fail with a "java.security.KeyStoreException: Cannot store
> non-PrivateKeys". I use the openssl XML certificate config also for
> JSSE.
>
> It took me quite a while to figure this one out - as the message
> usually indicates a public key as cert. I noticed that Step CA is
> creating ECDSA certs by default. The OpenSSL connector delivers the
> new ECDSA cert just fine.
>
> While Java (afaik) seems to be able to handle ECDSA, Tomcat will
> fall through a case statement in
> org.apache.tomcat.util.net.jsse.PEMFile
>
> When loading the PEM file parts it will skip all cases in
>
>     for (Part part : parts) {
>         switch (part.type) {
>             case "PRIVATE KEY":
>                 privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8);
>                 break;
>             case "ENCRYPTED PRIVATE KEY":
>                 privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8);
>                 break;
>             case "RSA PRIVATE KEY":
>                 privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);
>                 break;
>             case "CERTIFICATE":
>             case "X509 CERTIFICATE":
>                 certificates.add(part.toCertificate());
>                 break;
>         }
>     }
>
> as an EC certificate will start with EC PRIVATE KEY.
>
> Is this something that is expected? ECDSA unsupported? Or just an
> incomplete implementation, edge case or a bug?

EC should work. What does your <Connector> configuration look like?
-chris
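Added illustration, not part of the thread and not Tomcat's own code: the switch quoted above dispatches purely on the PEM label, so a SEC1 "EC PRIVATE KEY" block falls through every case, while the same key re-encoded as a PKCS#8 "PRIVATE KEY" block matches the first case. The Python below lists the labels in a PEM file that this switch would skip, and wraps a SEC1 ECPrivateKey into a PKCS#8 PrivateKeyInfo (version 0, id-ecPublicKey plus the named curve, the SEC1 blob as the OCTET STRING) using a few hand-written DER helpers. The sample key it runs on is constructed (a fixed 32-byte scalar, not a real key), and HANDLED_LABELS, the function names and the script layout are this example's own.

```python
import base64
import re
import textwrap

# Labels matched by the switch quoted in the thread (Tomcat 8.5.50 PEMFile).
HANDLED_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
                  "CERTIFICATE", "X509 CERTIFICATE"}

PEM_PART = re.compile(r"-----BEGIN ([^-]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_parts(text):
    """Split a PEM file into (label, DER bytes) tuples, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_PART.finditer(text)]


def unhandled_labels(text):
    """Labels the quoted switch would silently skip, e.g. 'EC PRIVATE KEY' (SEC1)."""
    return [label for label, _ in pem_parts(text) if label not in HANDLED_LABELS]


# Minimal DER helpers: just enough to wrap a SEC1 ECPrivateKey in PKCS#8.
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        enc = [arc & 0x7F]
        arc >>= 7
        while arc:                      # base-128, high bit set on all but the last byte
            enc.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(enc))
    return der(0x06, bytes(out))


def der_read(buf, pos=0):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def sec1_curve_oid(sec1_der):
    """Return the OID TLV from the [0] ECParameters field of a SEC1 ECPrivateKey."""
    tag, body, _ = der_read(sec1_der)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    pos = 0
    while pos < len(body):
        t, v, pos = der_read(body, pos)
        if t == 0xA0:                   # [0] EXPLICIT namedCurve
            return v
    raise ValueError("SEC1 key carries no namedCurve; cannot build AlgorithmIdentifier")


def sec1_to_pkcs8(sec1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING }"""
    alg = der(0x30, der_oid("1.2.840.10045.2.1") + sec1_curve_oid(sec1_der))  # id-ecPublicKey, curve
    return der(0x30, der(0x02, b"\x00") + alg + der(0x04, sec1_der))


def to_pem(label, der_bytes):
    b64 = base64.b64encode(der_bytes).decode("ascii")
    return (f"-----BEGIN {label}-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + f"\n-----END {label}-----\n")


def convert_pem(text):
    """Re-encode SEC1 'EC PRIVATE KEY' parts as PKCS#8 'PRIVATE KEY'; pass the rest through."""
    out = []
    for label, der_bytes in pem_parts(text):
        if label == "EC PRIVATE KEY":
            out.append(to_pem("PRIVATE KEY", sec1_to_pkcs8(der_bytes)))
        else:
            out.append(to_pem(label, der_bytes))
    return "".join(out)


# Constructed sample: a syntactically valid SEC1 ECPrivateKey for prime256v1 whose
# scalar is 32 bytes of 0x11. Not a real key; it only exercises the code above.
SAMPLE_SEC1 = der(0x30, der(0x02, b"\x01")
                  + der(0x04, b"\x11" * 32)
                  + der(0xA0, der_oid("1.2.840.10045.3.1.7")))
SAMPLE_PEM = to_pem("EC PRIVATE KEY", SAMPLE_SEC1)

if __name__ == "__main__":
    print("labels the quoted switch skips:", unhandled_labels(SAMPLE_PEM))
    print(convert_pem(SAMPLE_PEM))
```

Whether Tomcat's PKCS8 path then accepts the EC key depends on the keyAlgorithm it is handed, which the thread does not settle; the re-encoding itself is what openssl pkcs8 -topk8 -nocrypt does, and the script is mainly useful for checking which label a CA gave you before the connector fails at startup.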