Felix,

> On 01.01.2020 at 11:49, Felix Schumacher 
> <felix.schumac...@internetallee.de> wrote:
> 
> 
> On 27.12.19 at 17:36, logo wrote:
>> Chris
>> 
>> On 2019-12-27 16:33, Christopher Schultz wrote:
>> Peter,
>> 
>> On 12/26/19 18:55, logo wrote:
>>>>> Hi Mark,
>> 
>> I hope it's okay if I reply. :)
>> 
>>> :-)
>> 
>> 
>> 
>>>>> I just recently tested Step CA (smallstep.com) as an internal CA
>>>>> that provides an internal ACME service.
>>>>> 
>>>>> After I deployed the created cert to my Tomcat (8.5.50 with
>>>>> adoptopenjdk 11) I noticed that while the openssl connector
>>>>> immediately started, the JSSE connector with the same cert would
>>>>> fail with a "java.security.KeyStoreException: Cannot store
>>>>> non-PrivateKeys". I use the openssl XML certificate config also for
>>>>> JSSE.
>>>>> 
>>>>> It took me quite a while to figure this one out - as the message
>>>>> usually indicates a public key as cert. I noticed that Step CA is
>>>>> creating ECDSA certs by default. The OpenSSL connector delivers the
>>>>> new ECDSA cert just fine.
>>>>> 
>>>>> While Java (afaik) seems to be able to handle ECDSA, tomcat will
>>>>> fall through a case statement in
>>>>> org.apache.tomcat.util.net.jsse.PEMFile
>>>>> 
>>>>> When loading the PEM file parts it will skip all cases in
>>>>> 
>>>>> for (Part part : parts) {
>>>>>     switch (part.type) {
>>>>>         case "PRIVATE KEY": privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8); break;
>>>>>         case "ENCRYPTED PRIVATE KEY": privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8); break;
>>>>>         case "RSA PRIVATE KEY": privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1); break;
>>>>>         case "CERTIFICATE":
>>>>>         case "X509 CERTIFICATE": certificates.add(part.toCertificate()); break;
>>>>>     }
>>>>> }
>>>>> 
>>>>> as an EC certificate will start with EC PRIVATE KEY.
>>>>> 
>>>>> Is this something that is expected? ECDSA unsupported? Or just an
>>>>> incomplete implementation, edge case or a bug?
>> 
>> EC should work. What does your <Connector> configuration look like?
>> 
>> 
>>>      <Connector port="8443"
>>>                 protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>                 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>>                 maxThreads="150"
>>>                 SSLEnabled="true" >
>>>          <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>          <SSLHostConfig>
>>>              <Certificate
>>>                 certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
>>>                 certificateFile="${catalina.base}/conf/ssl/cert.pem"
>>>                 />
>>>          </SSLHostConfig>
>>>      </Connector>
>> 
>>> really basic.
>>> First I had a type attribute "RSA" but even omitting this didn't
>>> change it.
>>> 
>>> Once Tomcat hits the PEMFile-Class the parts read from the
>>> ECDSA-PEM-file are not transferred to a private key so the class
>>> member "privateKey" is null. None of the cases above match "EC PRIVATE
>>> KEY".
> 
> The comments at the beginning of PEMFile state that it works for PKCS8,
> only. But the code makes an exception for RSA keys, so it probably makes
> sense to add EC keys, too.
> 

Please!

> Have you tried to convert your key to pkcs8?
> 

Thanks! That works fine!

openssl pkcs8 -topk8 -nocrypt -in ssl/privkey.pem -out ssl/privkey-p8.pem

Happy new Year!

Peter

> Felix
> 
>> 
>>> Peter
>> 
>> -chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
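The workaround that settled this thread, `openssl pkcs8 -topk8 -nocrypt`, only changes the outer wrapping of the key: the RFC 5915 ECPrivateKey that sits under an "EC PRIVATE KEY" header is placed inside a PKCS#8 PrivateKeyInfo (RFC 5208), whose "PRIVATE KEY" header does match the first case of the PEMFile switch quoted above. The following is an added example written for this thread; it is not Tomcat code and not anything posted by Peter, Felix or Chris. It reproduces that wrapping in plain Python with no crypto library, re-implements the quoted case list so the failure is visible offline, and runs on a constructed dummy key (the scalar is a fixed byte pattern, not a real key). Every function name, the regex and the test key are assumptions of this example.

```python
"""Split a PEM file into labelled parts (the way Tomcat's PEMFile does), replay
the case list quoted in this thread, and wrap a SEC1 "EC PRIVATE KEY" (RFC 5915)
into a PKCS#8 "PRIVATE KEY" (RFC 5208) without any crypto library.
Example code for this thread, not Tomcat's; all names below are our own."""
import base64
import re


def der_len(n):
    """DER length octets (short and long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, content):
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(content)) + content


def der_read(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Decode the TLVs that make up a SEQUENCE body, as (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, item, pos = der_read(value, pos)
        out.append((tag, item))
    return out


PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)


def pem_parts(text):
    """All PEM blocks in the file as (label, DER bytes), in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def pem_encode(label, data):
    b64 = base64.b64encode(data).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def tomcat_8_5_50_private_key(text):
    """The case list quoted from PEMFile: "EC PRIVATE KEY" matches none of the
    labels, so privateKey stays None, which is what later surfaces as
    'Cannot store non-PrivateKeys'. Returns (label, DER) or None."""
    private_key = None
    for label, data in pem_parts(text):
        if label in ("PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY"):
            private_key = (label, data)
        elif label in ("CERTIFICATE", "X509 CERTIFICATE"):
            pass  # certificates.add(part.toCertificate())
    return private_key


OID_EC_PUBLIC_KEY = bytes.fromhex("06072a8648ce3d0201")   # 1.2.840.10045.2.1


def sec1_to_pkcs8(ec_private_key_der):
    """What `openssl pkcs8 -topk8 -nocrypt` does to an EC key: move the curve
    OID from the ECPrivateKey [0] field into an AlgorithmIdentifier and put the
    (now parameter-less) ECPrivateKey into PrivateKeyInfo.privateKey."""
    tag, body, _ = der_read(ec_private_key_der)
    if tag != 0x30:
        raise ValueError("ECPrivateKey must be a SEQUENCE")
    fields = der_children(body)
    version, scalar = fields[0], fields[1]
    params = next((v for t, v in fields if t == 0xA0), None)   # [0] namedCurve OID
    if params is None:
        raise ValueError("SEC1 key without curve parameters cannot be wrapped")
    pubkey = next((der(t, v) for t, v in fields if t == 0xA1), b"")  # optional [1]
    inner = der(0x30, der(*version) + der(*scalar) + pubkey)
    alg_id = der(0x30, OID_EC_PUBLIC_KEY + params)
    return der(0x30, der(0x02, b"\x00") + alg_id + der(0x04, inner))


def convert_pem(text):
    """Rewrite each EC PRIVATE KEY part as PKCS#8; pass other parts through."""
    out = []
    for label, data in pem_parts(text):
        if label == "EC PRIVATE KEY":
            out.append(pem_encode("PRIVATE KEY", sec1_to_pkcs8(data)))
        else:
            out.append(pem_encode(label, data))
    return "".join(out)


OID_PRIME256V1 = bytes.fromhex("06082a8648ce3d030107")   # 1.2.840.10045.3.1.7


def constructed_sec1_pem():
    """Constructed test input: a P-256 ECPrivateKey whose scalar is the byte
    pattern 0x01..0x20 (a dummy, not a usable key), laid out like openssl's
    `ecparam -genkey` output minus the optional public key."""
    scalar = bytes(range(1, 33))
    ec_key = der(0x30, der(0x02, b"\x01") + der(0x04, scalar) + der(0xA0, OID_PRIME256V1))
    return pem_encode("EC PRIVATE KEY", ec_key)


if __name__ == "__main__":
    sec1 = constructed_sec1_pem()
    print("8.5.50 switch on SEC1 key   ->", tomcat_8_5_50_private_key(sec1))
    pkcs8 = convert_pem(sec1)
    print(pkcs8.splitlines()[0])
    print("8.5.50 switch on PKCS#8 key ->", tomcat_8_5_50_private_key(pkcs8)[0])
```

The practical check before suspecting the certificate itself is the first line of `certificateKeyFile`: `-----BEGIN EC PRIVATE KEY-----` is the SEC1 form that falls through the switch in 8.5.50, `-----BEGIN PRIVATE KEY-----` is PKCS#8 and loads. The converter above leaves the optional embedded public key in place and drops only the redundant curve parameters from the inner structure, which is the same layout openssl writes for an unencrypted PKCS#8 EC key; on a real key you would of course use openssl rather than this example.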
