Felix,

> On 01.01.2020 at 11:49, Felix Schumacher <felix.schumac...@internetallee.de> wrote:
>
>> On 27.12.19 at 17:36, logo wrote:
>> Chris
>>
>> On 2019-12-27 16:33, Christopher Schultz wrote:
>> Peter,
>>
>> On 12/26/19 18:55, logo wrote:
>>>>> Hi Mark,
>>
>> I hope it's okay if I reply. :)
>>
>>> :-)
>>
>>>>> I just recently tested Step CA (smallstep.com) as an internal CA
>>>>> that provides an internal ACME service.
>>>>>
>>>>> After I deployed the created cert to my Tomcat (8.5.50 with
>>>>> adoptopenjdk 11) I noticed that while the openssl connector
>>>>> immediately started, the JSSE connector with the same cert would
>>>>> fail with a "java.security.KeyStoreException: Cannot store
>>>>> non-PrivateKeys". I use the openssl XML certificate config also for
>>>>> JSSE.
>>>>>
>>>>> It took me quite a while to figure this one out - as the message
>>>>> usually indicates a public key as cert. I noticed that Step CA is
>>>>> creating ECDSA certs by default. The OpenSSL connector delivers the
>>>>> new ECDSA cert just fine.
>>>>>
>>>>> While Java (afaik) seems to be able to handle ECDSA, Tomcat will
>>>>> fall through a case statement in
>>>>> org.apache.tomcat.util.net.jsse.PEMFile
>>>>>
>>>>> When loading the PEM file parts it will skip all cases in
>>>>>
>>>>> for (Part part : parts) {
>>>>>     switch (part.type) {
>>>>>         case "PRIVATE KEY":
>>>>>             privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS8);
>>>>>             break;
>>>>>         case "ENCRYPTED PRIVATE KEY":
>>>>>             privateKey = part.toPrivateKey(password, keyAlgorithm, Format.PKCS8);
>>>>>             break;
>>>>>         case "RSA PRIVATE KEY":
>>>>>             privateKey = part.toPrivateKey(null, keyAlgorithm, Format.PKCS1);
>>>>>             break;
>>>>>         case "CERTIFICATE":
>>>>>         case "X509 CERTIFICATE":
>>>>>             certificates.add(part.toCertificate());
>>>>>             break;
>>>>>     }
>>>>> }
>>>>>
>>>>> as an EC certificate will start with EC PRIVATE KEY.
>>>>>
>>>>> Is this something that is expected? ECDSA unsupported? Or just an
>>>>> incomplete implementation, edge case or a bug?
>>
>> EC should work. What does your <Connector> configuration look like?
>>
>>> <Connector port="8443"
>>>            protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>>>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>>            maxThreads="150"
>>>            SSLEnabled="true" >
>>>     <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
>>>     <SSLHostConfig>
>>>         <Certificate certificateKeyFile="${catalina.base}/conf/ssl/privkey.pem"
>>>                      certificateFile="${catalina.base}/conf/ssl/cert.pem" />
>>>     </SSLHostConfig>
>>> </Connector>
>>
>>> really basic.
>>> First I had a type attribute "RSA" but even omitting this didn't
>>> change it.
>>
>>> Once Tomcat hits the PEMFile class, the parts read from the
>>> ECDSA PEM file are not transferred to a private key, so the class
>>> member "privateKey" is null. None of the cases above match "EC PRIVATE
>>> KEY".
>
> The comments at the beginning of PEMFile state that it works for PKCS8
> only. But the code makes an exception for RSA keys, so it probably makes
> sense to add EC keys, too.

Please!

> Have you tried to convert your key to pkcs8?

Thanks! That works fine!

openssl pkcs8 -topk8 -nocrypt -in ssl/privkey.pem -out ssl/privkey-p8.pem

Happy new Year!

Peter

> Felix
>
>>> Peter
>>
>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
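A pre-deployment check for the failure mode discussed in this thread, added here as an example that is not code from Tomcat or from anyone in the thread: it splits a PEM file into its parts and applies the same label handling as the PEMFile switch quoted above (Tomcat 8.5.50), so an "EC PRIVATE KEY" block that PEMFile would silently skip is reported before the connector fails to start. It assumes the switch's label set is exactly as quoted and checks labels only, not the DER inside; the sample PEM bodies are constructed placeholders, not real key material.

```python
import re
from typing import Dict, List, NamedTuple

# Labels acted on by the PEMFile switch quoted in the thread (Tomcat 8.5.50).
KEY_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE", "X509 CERTIFICATE"}

# One PEM block: a BEGIN label, the base64 body, and the matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)

class PemPart(NamedTuple):
    label: str
    body: str

def parse_pem(text: str) -> List[PemPart]:
    """Split a PEM file into its parts, keeping each block's label."""
    return [PemPart(m.group("label"), m.group("body")) for m in PEM_BLOCK.finditer(text)]

def check_pemfile_compat(text: str) -> Dict[str, object]:
    """Mirror the switch: report what PEMFile would load and what it would skip."""
    parts = parse_pem(text)
    skipped = [p.label for p in parts if p.label not in KEY_LABELS | CERT_LABELS]
    key_loaded = any(p.label in KEY_LABELS for p in parts)
    certs = sum(p.label in CERT_LABELS for p in parts)
    # The fix the thread settled on: re-encode a SEC1 "EC PRIVATE KEY" block as PKCS#8.
    fix = None
    if not key_loaded and "EC PRIVATE KEY" in skipped:
        fix = "openssl pkcs8 -topk8 -nocrypt -in privkey.pem -out privkey-p8.pem"
    return {"private_key_loaded": key_loaded, "certificates": certs,
            "skipped": skipped, "fix": fix}

# Constructed sample input (placeholder bodies, not real key or certificate material).
SEC1_KEY_PEM = (
    "-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIPLACEHOLDERnotARealKey\n-----END EC PRIVATE KEY-----\n"
)
PKCS8_KEY_PEM = (
    "-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGPLACEHOLDERnotARealKey\n-----END PRIVATE KEY-----\n"
)
CERT_PEM = "-----BEGIN CERTIFICATE-----\nMIIBPLACEHOLDER\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for name, pem in (("SEC1 key", SEC1_KEY_PEM), ("PKCS#8 key", PKCS8_KEY_PEM),
                      ("cert + SEC1 key", CERT_PEM + SEC1_KEY_PEM)):
        print(name, check_pemfile_compat(pem))
```

Run it over the real privkey.pem (or a combined cert-plus-key file) before restarting Tomcat; a non-empty "skipped" list with "private_key_loaded" false is the condition that produces the "Cannot store non-PrivateKeys" error.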