tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements

tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements

John Palmer
I'm new to implementing APR/tc-native for SSL/TLS on Windows Server
2008R2, attempting to use tomcat 8.5.37 specifying PKCS12 format in the
SSLHostConfig/Certificate elements for the keystore and truststore.
(I would prefer to drop the JKS format for several reasons.)
Questions are:
    is this allowed?
    if so, what am I doing wrong?

...while the old (tomcat 7) connector element format works very well... for
example:
<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    keyAlias="FQDNservername"
    keystoreFile="C:\certs\servername.pfx"
    keystorePass="password"
    keystoreType="PKCS12"
    clientAuth="true"
    truststoreFile="C:\certs\truststore.pfx"
    truststoreType="PKCS12"
    truststorePass="password"
    >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

Trying to use these .pfx files in the new
Connector/SSLHostConfig/Certificate elements doesn't work
(there's no equivalent to the ...Type attribute for certificateFile or
caCertificateFile, the description for each says "The format is PEM-encoded.",
and there's no equivalent to the ...Password attribute for caCertificateFile).

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig
        certificateVerification="optional"
        caCertificateFile="C:\certs\trustStore.PFX"
    >
        <Certificate
            certificateKeyFile="C:\certs\servername.pfx"
            certificateKeyPassword="password"
        />
    </SSLHostConfig>
</Connector>

The above gives these errors:
11-Feb-2019 08:25:06.415 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[org.apache.coyote.http11.Http11Nio2Protocol-443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:661)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 12 more
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:161)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    ... 13 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:222)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:94)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    ... 20 more

Adding certificateFile="C:\certs\servername.pfx" to the Certificate element
causes this error (apparently it's expecting a PEM file):
11-Feb-2019 08:40:56.179 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio2-443"]
11-Feb-2019 08:40:56.226 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
 java.lang.Exception: Unable to load certificate key C:\certs\satlwsrmdwb01.pfx (error:0909006C:PEM routines:get_name:no start line)
    at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:284)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:161)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:661)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)

Re: tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements

Christopher Schultz-2

John,

On 2/11/19 10:42, John Palmer wrote:
> I'm new to implementing APR/tc-native for SSL/TLS on Windows
> Server 2008R2, attempting to use tomcat 8.5.37 specifying PKCS12
> format in the SSLHostConfig/Certificate elements for the keystore
> and truststore. (I would prefer to drop the JKS format for several
> reasons.) Questions are: is this allowed?

Absolutely. And switching away from JCEKS/JKS files is a good idea.
They never should have existed in the first place.

> if so, what am I doing wrong?

:)

> ...while the old (tomcat 7) connector element format works very
> well... for example: <Connector port="443"
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> keyAlias="FQDNservername" keystoreFile="C:\certs\servername.pfx"
> keystorePass="password" keystoreType="PKCS12" clientAuth="true"
> truststoreFile="C:\certs\truststore.pfx" truststoreType="PKCS12"
> truststorePass="password"
>>
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> /> </Connector>
>
> trying to use these .pfx files in the new
> Connector/SSLHostConfig/Certificate elements doesn't work: (there's
> no equivalent to the ...Type attribute for certificateFile,
> caCertificateFile, and the description for each says ..."The format
> is PEM-encoded." and no equivalent for the ...Password attribute
> for caCertificateFile).

You want to use certificateKeystoreType="PKCS12" and
certificateKeystoreFile="C:/certs/truststore.pfx". Don't use
backslashes. They will ruin your life. (But in this case, it should
not matter which kind of slash you use.)

I notice that you have another thread where you are trying to use
tcnative. If you are using tcnative with the APR connector, you cannot
use keystores such as the above. But you are specifically using the
NIO2 protocol, so you will be using the OpenSSL JSSE provider, so I
think you are okay.

> <Connector port="443"
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>>
> <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"
> /> <SSLHostConfig certificateVerification="optional"
> caCertificateFile="C:\certs\trustStore.PFX"
>>

Change to truststoreFile="C:/certs/trustStore.PFX".

> <Certificate certificateKeyFile="C:\certs\servername.pfx"
> certificateKeyPassword="password" />

Change to certificateKeystoreFile and make sure to set
certificateKeystoreType="PKCS12". Also
certificateKeystorePassword="password".

> </SSLHostConfig> </Connector>
>

Hope that helps.

-chris

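Putting the three renames from the reply above together, the following server.xml fragment is an added example for this thread, not configuration posted by either participant or shipped by the Tomcat project. It keeps the original poster's port, protocol, file layout, alias and placeholder password ("password" must be replaced); the forward slashes follow the advice in the reply. The only choice beyond the thread's own values is certificateVerification="required", which is the SSLHostConfig equivalent of the old clientAuth="true" from the Tomcat 7-style connector in the first post (clientAuth="want" corresponds to "optional", where a client with no certificate still completes the handshake).

```xml
<!-- Added example: Tomcat 8.5 NIO2 connector using PKCS12 (.pfx) files
     through the SSLHostConfig/Certificate keystore attributes. The
     PEM-only attributes (certificateFile, certificateKeyFile,
     caCertificateFile) are not used here; keystore attributes work with
     the JSSE and OpenSSL-JSSE providers, not with the APR connector. -->
<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    maxThreads="150"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig
        certificateVerification="required"
        truststoreFile="C:/certs/truststore.pfx"
        truststoreType="PKCS12"
        truststorePassword="password"
    >
        <!-- Server identity: the keystore replaces certificateKeyFile,
             and the alias replaces the old keyAlias attribute. -->
        <Certificate
            certificateKeystoreFile="C:/certs/servername.pfx"
            certificateKeystoreType="PKCS12"
            certificateKeystorePassword="password"
            certificateKeyAlias="FQDNservername"
        />
    </SSLHostConfig>
</Connector>
```

Before restarting Tomcat, confirm that the alias really exists in the .pfx (keytool -list -storetype PKCS12 -keystore C:/certs/servername.pfx) and that the truststore contains only the CA certificates you intend to accept client certificates from; with "required", any certificate chaining to a CA in that file is accepted at the TLS layer.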


Re: tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements

John Palmer
Wow. All working now. (I think - verifying the client cert prompt - the browser
is NOT prompting, but I may not have a cert for it to send.)
certificateKeystoreFile etc. instead of certificateKeyFile,

and
truststoreFile instead of caCertificateFile.

(I spent a lot of time searching and trying things. Glad I finally ASKED.)

Thanks again.

