[Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store


[Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

Valentin
Hello,

I am trying to configure my Tomcat 9.0.37, installed on a Windows Server 2016, to
use a certificate located in *cert:LocalMachine\My*

I mention that I am an administrator of this machine.
This certificate is also used by IIS.

What I did was to configure my server.xml file like this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keyAlias="myserver.domain.com"
               keystoreFile=""
               keystorePass=""
               keystoreType="Windows-My"
               clientAuth="false" sslProtocol="TLS" />

The error I got in the Tomcat logs was that the keyAlias doesn't exist, but I
used the CN mentioned in the description of my certificate.

Is it possible for Tomcat to use the Windows certificate store?
The only link I found about this was:
https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

Thanks for your help

Valentin.M

Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

Daniel Savard
On Sat 11 Jul 2020 at 17:52, Valentin <[hidden email]> wrote:

> Hello,
>
> I am trying to configure my Tomcat 9.0.37, installed on a Windows Server 2016, to
> use a certificate located in *cert:LocalMachine\My*
>
> I mention that I am an administrator of this machine.
> This certificate is also used by IIS.
>
> What I did was to configure my server.xml file like this:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>                SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                keyAlias="myserver.domain.com"
>                keystoreFile=""
>                keystorePass=""
>                keystoreType="Windows-My"
>                clientAuth="false" sslProtocol="TLS" />
>
> The error I got in the Tomcat logs was that the keyAlias doesn't exist, but I
> used the CN mentioned in the description of my certificate.
>
> Is it possible for Tomcat to use the Windows certificate store?
> The only link I found about this was:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021
>
> Thanks for your help
>
> Valentin.M
>

In documentation:
http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

"Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores."

Windows local certificates are stored in the Windows registry.
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores

Since IIS is a Windows-only product, this is the simple thing for them to
do. Tomcat runs on various platforms and should support open and neutral
keystore formats instead.

-----------------
Daniel Savard

Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

Michael Osipov
In reply to this post by Valentin
On 2020-07-11 at 23:52, Valentin wrote:

> Hello,
>
> I am trying to configure my Tomcat 9.0.37, installed on a Windows Server 2016, to
> use a certificate located in *cert:LocalMachine\My*
>
> I mention that I am an administrator of this machine.
> This certificate is also used by IIS.
>
> What I did was to configure my server.xml file like this:
>
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                 SSLEnabled="true"
>                 maxThreads="150" scheme="https" secure="true"
>                 keyAlias="myserver.domain.com"
>                 keystoreFile=""
>                 keystorePass=""
>                 keystoreType="Windows-My"
>                 clientAuth="false" sslProtocol="TLS" />
>
> The error I got in the Tomcat logs was that the keyAlias doesn't exist, but I
> used the CN mentioned in the description of my certificate.
>
> Is it possible for Tomcat to use the Windows certificate store?
> The only link I found about this was:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

I have used Windows-MY several times now with HttpClient, curl and
OpenSSL. The native Crypto API of the Windows Cert Store provides
several name formats for the key alias.
First of all, set CAPI_TRACE env var to see more output.
Native does this:
https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/master/jdk/src/windows/native/sun/security/mscapi/security.cpp#L561-L563
CERT_NAME_FRIENDLY_DISPLAY_TYPE (fallback CERT_NAME_SIMPLE_DISPLAY_TYPE)
from
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetnamestringa

My recommendation is to write the simplest code: open Windows-MY, iterate
over all keys, print them, and then you will know what these display
names are. The DNS name you use is obviously not the right one, since it
would have to be CERT_NAME_DNS_TYPE.

Good luck,

Michael

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

Christopher Schultz-2
In reply to this post by Valentin

Valentin,

On 7/11/20 17:52, Valentin wrote:

> Hello,
>
> I am trying to configure my Tomcat 9.0.37, installed on a Windows Server
> 2016, to use a certificate located in *cert:LocalMachine\My*
>
> I mention that I am an administrator of this machine. This
> certificate is also used by IIS.
>
> What I did was to configure my server.xml file like this:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
> keyAlias="myserver.domain.com" keystoreFile="" keystorePass=""
> keystoreType="Windows-My" clientAuth="false" sslProtocol="TLS" />
>
> The error I got in the Tomcat logs was that the keyAlias doesn't exist,
> but I used the CN mentioned in the description of my certificate.
>
> Is it possible for Tomcat to use the Windows certificate store?
> The only link I found about this was:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

What user is the Tomcat process running as? Windows-MY is a
user-specific keystore, and LocalAccess or whatever user is being used
probably has a different Windows-MY keystore than the "Valentin" user
(the login you are logged-in as).

- -chris

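Following Michael's suggestion to enumerate the store and Chris's point that Windows-MY is per-user, here is an added example (not code from the thread) that opens Windows-MY through the SunMSCAPI provider shipped with Windows JDKs, prints the account it runs under, and lists every alias together with its subject and whether it carries a private key. It assumes a Windows JDK with SunMSCAPI present; run it under the same account as the Tomcat service, since the aliases it prints are the only values keyAlias can take there.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Enumerates the aliases SunMSCAPI derives from the Windows personal
// certificate store (the friendly display name, not the DNS name).
public class ListWindowsMy {

    public static void main(String[] args) throws Exception {
        // Windows-MY maps to the *current user's* MY store. If this prints
        // a different account than the Tomcat service uses, you are looking
        // at a different store than Tomcat will.
        System.out.println("Running as: " + System.getProperty("user.name"));

        // No file and no password: the provider talks to CAPI directly,
        // which is why keystoreFile="" and keystorePass="" in server.xml.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);

        int usable = 0;
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            // Only entries with an accessible private key can serve TLS;
            // a certificate-only entry will never work as keyAlias.
            boolean keyEntry = ks.isKeyEntry(alias);
            if (keyEntry) {
                usable++;
            }
            System.out.printf("alias=\"%s\" keyEntry=%b subject=%s%n",
                    alias, keyEntry,
                    cert == null ? "(none)" : cert.getSubjectX500Principal());
        }
        System.out.println(usable + " alias(es) with a private key in this store");
    }
}
```

Set the CAPI_TRACE environment variable before running it, as Michael suggests, to get the provider's own diagnostics alongside this listing; on JDK 17 and later SunMSCAPI also exposes the machine store under the name Windows-MY-LOCALMACHINE, which the JDK 8 era Tomcat 9.0.37 setup in this thread does not have.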