Rob,

On 6/2/22 14:19, Rob Sargent wrote:
    Caused by: java.lang.IllegalArgumentException: Alias name [sgsAgent]
    does not identify a key entry
             at
    [...]

but I believe the alias is in place, both places

    ## check, different files
    [ec2-user@ip-10-0-2-118 certs]ls -l fullca.p12 sgstrust.p12
    -rw-rw-r-- 1 ec2-user ec2-user 281500 Jun  2 17:12 fullca.p12
    -rw-rw-r-- 1 ec2-user ec2-user   2726 Jun  2 17:13 sgstrust.p12

    ## checks for alias
    [ec2-user@ip-10-0-2-118 certs]$ keytool -storetype pkcs12 -list -keystore sgstrust.p12 -alias sgsAgent -storepass changeit
    sgsAgent, Jun 2, 2022, PrivateKeyEntry,
    Certificate fingerprint (SHA-256): 65:F1:9C:07:37:C4:13:A8:82:D5:09:E7:51:F9:C0:E2:94:E4:41:64:F1:41:86:E6:60:5F:50:87:A8:13:74:17

    [ec2-user@ip-10-0-2-118 certs]$ keytool -storetype pkcs12 -list -keystore fullca.p12 -alias sgsAgent -storepass changeit
    sgsAgent, Jun 2, 2022, trustedCertEntry,
    Certificate fingerprint (SHA-256): 65:F1:9C:07:37:C4:13:A8:82:D5:09:E7:51:F9:C0:E2:94:E4:41:64:F1:41:86:E6:60:5F:50:87:A8:13:74:17

What does your <Connector> configuration look like (specifically, what keystore is it pointing to)? Remember that <Connector> can specify both keystore (for identifying itself) and truststore (for identifying clients, which you don't need AIUI).

To your latest

    I add my cert to truststore.

    Which one? Are you using client certs for mutual-TLS or just
    plain-old "I only need to trust the server" checking?

I add sgstrust to fullca. I think the latter mode is fine.


    If it's vanilla, then you need:

    1. Key + cert in the key store used by the Tomcat <Connector>
    2. cert in the trust store used by the client (optional if it's
    signed by a trusted CA)

    Remember if your key store from #1 has more than one cert+key in it,
    Tomcat will choose the first one (which is basically a crap-shoot,
    given the API) unless you specify the alias of the one to use. I
    think it's best to have only a single key+cert in each keystore
    (unless it's multiple flavors of the same thing, like RSA and ECDSA
    for the same server). That way you don't get confused by "too much
    stuff".

I'm starting both the server and the client with both key and trust. Does that bite?

I would avoid giving access to the key to anything that doesn't absolutely need it. Usually, only the server needs access to the key.

-chris
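As an added illustration (not part of the thread, and not Rob's actual server.xml) of point #1 above, here is a Tomcat 8.5/9-style <Connector> whose keystore is the file whose listing shows a PrivateKeyEntry under the alias in question. It assumes the .p12 files were copied under conf/ and uses the demo password from the listings; pointing certificateKeystoreFile at fullca.p12 instead, where the same alias is only a trustedCertEntry, is exactly the kind of mismatch that produces "does not identify a key entry".

```xml
<!-- server.xml excerpt: TLS connector for the server side only (no client certs) -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
    <!-- certificateVerification="none" is the default; stated explicitly to show
         that no truststoreFile is needed for plain "trust the server" TLS -->
    <SSLHostConfig certificateVerification="none">
        <!-- Must be the store that holds the PrivateKeyEntry (sgstrust.p12 in the
             listings above), not the one where sgsAgent is a trustedCertEntry.
             Path under conf/ is an assumption for this example. -->
        <Certificate certificateKeystoreFile="conf/sgstrust.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="changeit"
                     certificateKeyAlias="sgsAgent" />
    </SSLHostConfig>
</Connector>

<!-- Misconfiguration for comparison: same alias, wrong store.
     fullca.p12 only carries the certificate (trustedCertEntry), so Tomcat
     cannot find a key to serve with and fails at startup.
<Certificate certificateKeystoreFile="conf/fullca.p12"
             certificateKeystoreType="PKCS12"
             certificateKeystorePassword="changeit"
             certificateKeyAlias="sgsAgent" />
-->
```

A truststoreFile attribute on <SSLHostConfig> only becomes relevant if certificateVerification is set to "required" or "optional", i.e. when the server must validate client certificates.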
