Posted to users@tomcat.apache.org by Valentin <xe...@gmail.com> on 2020/07/11 21:52:00 UTC

[Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

Hello,

I am trying to configure my Tomcat 9.0.37, installed on a Windows Server 2016, to
use a certificate located in *cert:LocalMachine\My*.

I mention that I am an administrator of this machine.
This certificate is also used by IIS.

What I did was to configure my server.xml file like this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keyAlias="myserver.domain.com"
               keystoreFile=""
               keystorePass=""
               keystoreType="Windows-My"
               clientAuth="false" sslProtocol="TLS" />

The error I got in the Tomcat logs was that the keyAlias doesn't exist, but I
used the CN mentioned in the description of my certificate.

Is it possible for Tomcat to use the Windows certificate store?
The only link I found about this was:
https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

Thanks for your help

Valentin.M

Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

Posted by Daniel Savard <da...@gmail.com>.
On Sat, 11 Jul 2020 at 17:52, Valentin <xe...@gmail.com> wrote:

> Hello,
>
> I am trying to configure my Tomcat 9.0.37, installed on a Windows Server 2016, to
> use a certificate located in *cert:LocalMachine\My*.
>
> I mention that I am an administrator of this machine.
> This certificate is also used by IIS.
>
> What I did was to configure my server.xml file like this:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>                SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                keyAlias="myserver.domain.com"
>                keystoreFile=""
>                keystorePass=""
>                keystoreType="Windows-My"
>                clientAuth="false" sslProtocol="TLS" />
>
> The error I got in the Tomcat logs was that the keyAlias doesn't exist, but I
> used the CN mentioned in the description of my certificate.
>
> Is it possible for Tomcat to use the Windows certificate store?
> The only link I found about this was:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021
>
> Thanks for your help
>
> Valentin.M
>

In documentation:
http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

"Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores."

Windows local certificates are stored in the Windows registry.
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores

Since IIS is a Windows-only product, this is the simple thing for them to
do. Tomcat runs on various platforms and should support open and neutral
keystore formats instead.

-----------------
Daniel Savard

Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Valentin,

On 7/11/20 17:52, Valentin wrote:
> Hello,
>
> I am trying to configure my Tomcat 9.0.37, installed on a Windows Server
> 2016, to use a certificate located in *cert:LocalMachine\My*.
>
> I mention that I am an administrator of this machine. This
> certificate is also used by IIS.
>
> What I did was to configure my server.xml file like this:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
> keyAlias="myserver.domain.com" keystoreFile="" keystorePass=""
> keystoreType="Windows-My" clientAuth="false" sslProtocol="TLS" />
>
> The error I got in the Tomcat logs was that the keyAlias doesn't exist,
> but I used the CN mentioned in the description of my certificate.
>
> Is it possible for Tomcat to use the Windows certificate store?
> The only link I found about this was:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

What user is the Tomcat process running as? Windows-MY is a
user-specific keystore, and LocalAccess or whatever user is being used
probably has a different Windows-MY keystore than the "Valentin" user
(the login you are logged in as).

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

Posted by Michael Osipov <mi...@apache.org>.
On 2020-07-11 at 23:52, Valentin wrote:
> Hello,
> 
> I am trying to configure my Tomcat 9.0.37, installed on a Windows Server 2016, to
> use a certificate located in *cert:LocalMachine\My*.
> 
> I mention that I am an administrator of this machine.
> This certificate is also used by IIS.
> 
> What I did was to configure my server.xml file like this:
> 
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                 SSLEnabled="true"
>                 maxThreads="150" scheme="https" secure="true"
>                 keyAlias="myserver.domain.com"
>                 keystoreFile=""
>                 keystorePass=""
>                 keystoreType="Windows-My"
>                 clientAuth="false" sslProtocol="TLS" />
> 
> The error I got in the Tomcat logs was that the keyAlias doesn't exist, but I
> used the CN mentioned in the description of my certificate.
> 
> Is it possible for Tomcat to use the Windows certificate store?
> The only link I found about this was:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021

I have used Windows-MY several times now with HttpClient, curl and 
OpenSSL. The native Crypto API of the Windows Cert Store provides 
several name formats for the key alias.
First of all, set CAPI_TRACE env var to see more output.
Native does this: 
https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/master/jdk/src/windows/native/sun/security/mscapi/security.cpp#L561-L563
CERT_NAME_FRIENDLY_DISPLAY_TYPE (fallback CERT_NAME_SIMPLE_DISPLAY_TYPE) 
from 
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetnamestringa

My recommendation is to write the simplest code: open Windows-MY, iterate 
over all keys, print the keys, and then you will know what these display 
names are. The DNS name you use is obviously not the right one, since that 
would have to be CERT_NAME_DNS_TYPE.

Good luck,

Michael
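As an added illustration of Michael's suggestion (this is example code, not anything posted in the thread): a small Java program that opens Windows-MY through the JDK's SunMSCAPI provider and prints every alias exactly as Tomcat's keyAlias attribute must match it, together with the subject, the dNSName SANs, and whether a private key is attached. It also prints the account it runs under, which bears on Chris's point that Windows-MY is per user; the class name ListWindowsMy is made up here.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;

/**
 * Enumerates the Windows-MY keystore as seen by the current account.
 * The alias printed here (the certificate's friendly name, falling back
 * to the simple display name) is the string Tomcat's keyAlias needs,
 * which is generally not the CN or a DNS name from the SAN.
 * Run it under the same account the Tomcat service uses.
 */
public class ListWindowsMy {
    public static void main(String[] args) throws Exception {
        // Windows-MY is per user: a different account sees a different store.
        System.out.println("Running as user: " + System.getProperty("user.name"));

        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null); // SunMSCAPI needs neither a stream nor a password

        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            System.out.println("alias:       \"" + alias + "\"");
            // A TLS connector needs the private key; false here means
            // the store holds the certificate only.
            System.out.println("  key entry: " + ks.isKeyEntry(alias));

            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject:   " + x.getSubjectX500Principal());
                System.out.println("  expires:   " + x.getNotAfter());
                Collection<List<?>> sans = x.getSubjectAlternativeNames();
                if (sans != null) {
                    for (List<?> san : sans) {
                        // GeneralName tag 2 is dNSName
                        if (Integer.valueOf(2).equals(san.get(0))) {
                            System.out.println("  dNSName:   " + san.get(1));
                        }
                    }
                }
            }
        }
    }
}
```

Compile and run it with the same JDK Tomcat uses (javac ListWindowsMy.java and then java ListWindowsMy); if the expected certificate is absent from the listing, the process is looking at another account's store rather than at a wrong alias.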
