Peter,

On 12/26/19 18:55, logo wrote:
> Hi Mark,

I hope it's okay if I reply. :)

> I just recently tested Step CA (smallstep.com) as an internal CA
> that provides an internal ACME service.
> 
> After I deployed the created cert to my Tomcat (8.5.50 with
> adoptopenjdk 11) I noticed that while the openssl connector
> immediately started, the JSSE connector with the same cert would
> fail with a "java.security.KeyStoreException: Cannot store
> non-PrivateKeys". I use the openssl XML certificate config also for
> JSSE.
> 
> It took me quite a while to figure this one out - as the message
> usually indicates a public key as cert. I noticed that Step CA is
> creating ECDSA certs by default. The Openssl Connector delivers the
> new ECDSA cert just fine.
> 
> While Java (afaik) seems to be able to handle ECDSA, Tomcat will
> fall through a case statement in
> org.apache.tomcat.util.net.jsse.PEMFile
> 
> When loading the PEM file parts it will skip all cases in
> 
> for (Part part : parts) {
>     switch (part.type) {
>     case "PRIVATE KEY":
>         privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8); break;
>     case "ENCRYPTED PRIVATE KEY":
>         privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break;
>     case "RSA PRIVATE KEY":
>         privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); break;
>     case "CERTIFICATE":
>     case "X509 CERTIFICATE":
>         certificates.add(part.toCertificate()); break;
>     }
> }
> 
> as an EC certificate will start with EC PRIVATE KEY.
> 
> Is this something that is expected? ECDSA unsupported? Or just an
> incomplete implementation, edge case or a bug?

EC should work. What does your <Connector> configuration look like?

-chris
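As an added illustration (not part of the thread, and not Tomcat code), the following Python stand-in mirrors the label dispatch of the quoted PEMFile switch: it splits a PEM file into its parts, reports which labels the switch would act on and which it would silently skip, and predicts whether privateKey would stay unset. The PEM bodies are constructed placeholders, not real keys or certificates.

```python
import re

# Labels the quoted switch dispatches on, mapped to the key/cert format each implies.
HANDLED_LABELS = {
    "PRIVATE KEY": "PKCS8",
    "ENCRYPTED PRIVATE KEY": "PKCS8 (encrypted)",
    "RSA PRIVATE KEY": "PKCS1",
    "CERTIFICATE": "X.509",
    "X509 CERTIFICATE": "X.509",
}

# One PEM part: BEGIN/END labels must match (backreference \1).
PEM_PART = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_parts(text):
    """Split a PEM file into (label, base64 body) tuples in file order."""
    return [(m.group(1), m.group(2)) for m in PEM_PART.finditer(text)]

def classify(text):
    """Return (handled, skipped): labels the switch acts on vs. labels it drops."""
    handled, skipped = [], []
    for label, _ in pem_parts(text):
        (handled if label in HANDLED_LABELS else skipped).append(label)
    return handled, skipped

def would_fail(text):
    """True when no private-key label the switch handles is present, i.e. the
    file contributes only certificates and the KeyStore build fails as reported."""
    handled, _ = classify(text)
    return not any(HANDLED_LABELS[l].startswith("PKCS") for l in handled)

# Constructed inputs: a SEC1-style EC key file (label "EC PRIVATE KEY", the case
# the switch lacks) and the same material re-wrapped as PKCS#8 ("PRIVATE KEY").
SEC1_EC_PEM = """-----BEGIN EC PRIVATE KEY-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END EC PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
-----END CERTIFICATE-----
"""
PKCS8_EC_PEM = SEC1_EC_PEM.replace("EC PRIVATE KEY", "PRIVATE KEY")

if __name__ == "__main__":
    for name, pem in (("SEC1", SEC1_EC_PEM), ("PKCS8", PKCS8_EC_PEM)):
        print(name, classify(pem), "fails:", would_fail(pem))
```

Because the first case of the switch does accept a PKCS#8 "PRIVATE KEY" block, the second input shows the label a converted EC key would need to carry to be picked up.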
