Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2014/05/01 16:56:58 UTC

OpenSSL and keytool misery


All,

I've been trying to convert an OpenSSL-generated key and certificate
into a keystore for use with Tomcat. I had given up on this months ago
and now I'm resuming my attempts.

What I've done so far:

1. Created an RSA private key using openssl
2. Created a certificate request using openssl
3. Obtained a signed certificate from a CA
4. Attempted to combine my key and certificate into a PKCS12 file
using openssl:

$ openssl pkcs12 -export -in ${HOSTNAME}.crt \
          -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12

5. Import the PKCS12 store into a Java keystore using keytool:

$ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
          -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12

This is what my keytool now says is in the store:

$ keytool -list -keystore conf/${HOSTNAME}.jks
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

1, May 1, 2014, PrivateKeyEntry,
Certificate fingerprint (MD5):
EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A

I set the password for the Java keystore to "changeit". Now, in Tomcat:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
               keystorePass="changeit"
               URIEncoding="UTF-8"
               sslProtocol="SSL"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               />

(Note that ${HOSTNAME}.jks has been expanded in my actual server.xml
file.)

Here's what happens when I launch Tomcat:

org.apache.catalina.LifecycleException: Failed to initialize component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more


Caused by: java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
        at java.security.KeyStore.getKey(KeyStore.java:763)
        at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:560)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:489)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        ... 13 more

Have I missed a step somewhere? I know that I'll probably need to
import the CA's intermediate certificate at some point, but that
shouldn't be necessary, yet.

I tried using Portecle, but Portecle can't seem to read my OpenSSL key
in the first place. Perhaps I have to convert to PKCS12 format first?

Thanks,
-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: OpenSSL and keytool misery

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Dan,

On 5/1/14, 11:53 AM, Daniel Mikusa wrote:
> On May 1, 2014, at 7:56 AM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>
>> All,
>>
>> I've been trying to convert an OpenSSL-generated key and
>> certificate into a keystore for use with Tomcat. I had given up on
>> this months ago and now I'm resuming my attempts.
>>
>> What I've done so far:
>>
>> 1. Created an RSA private key using openssl
>> 2. Created a certificate request using openssl
>> 3. Obtained a signed certificate from a CA
>> 4. Attempted to combine my key and certificate into a PKCS12 file
>> using openssl:
>>
>> $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
>>           -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12
>>
>> 5. Import the PKCS12 store into a Java keystore using keytool:
>>
>> $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
>>           -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12
>>
>> This is what my keytool now says is in the store:
>>
>> $ keytool -list -keystore conf/${HOSTNAME}.jks
>> Enter keystore password:
>>
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 1 entry
>>
>> 1, May 1, 2014, PrivateKeyEntry,
>> Certificate fingerprint (MD5):
>> EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A
>>
>> I set the password for the Java keystore to "changeit". Now, in
>> Tomcat:
>>
>> <Connector port="8443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
>> keystorePass="changeit"
>
> Have you tried setting keyAlias and keyPass?

Nope.

Looks like that did the trick. Just adding the keyPass was sufficient;
Tomcat chooses the first thingamajig in the keystore as the one it's
going to use, so setting the alias wasn't necessary in this case.

I didn't realize that the key itself had a password distinct from the
keystore itself. I had used "changeme" instead of "changeit" (Tomcat's
default) when setting the password for the key at some point during
the whole conversion process.

Java keystores are weird: the key and the certificate seem to occupy a
single entry in the keystore. Using Portecle, I was able to see that
the certificate seems to "contain" a 2048-bit key.

Weird. Well, now that I've done that, perhaps I'll try to use a PKCS12
keystore as well. It would be good to have done that.

Thanks!
-chris
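
The store-password versus key-password mismatch resolved in the message above, reproduced and repaired with keytool. This is an added example, not part of any poster's message; it assumes the differing password was the one given to `openssl pkcs12 -export`, uses a self-signed certificate in place of the CA-signed one, and the file names, the `tomcat` alias and the helper functions are hypothetical.

```shell
#!/usr/bin/env bash
# Added example; every file name, alias and password here is constructed.
STOREPASS=changeit   # JKS store password: what keystorePass supplies to Tomcat
P12PASS=changeme     # export password given to `openssl pkcs12 -export`
ALIAS=tomcat

# Throwaway key and self-signed certificate (stand-in for the CA-signed one),
# bundled into a PKCS12 file protected with $P12PASS.
make_p12() {                       # $1 = work dir
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
      -keyout "$1/demo.key" -out "$1/demo.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$1/demo.crt" -inkey "$1/demo.key" \
      -name "$ALIAS" -passout "pass:$P12PASS" -out "$1/demo.p12"
}

# PKCS12 -> JKS. Extra arguments (e.g. -destkeypass) are passed to keytool.
# Without -destkeypass the imported key keeps the source entry's password.
import_jks() {                     # $1 = work dir, $2 = target .jks
  local dir="$1" out="$2"; shift 2
  keytool -importkeystore -noprompt -srcalias "$ALIAS" \
      -srckeystore "$dir/demo.p12" -srcstoretype PKCS12 -srcstorepass "$P12PASS" \
      -destkeystore "$out" -deststoretype JKS -deststorepass "$STOREPASS" \
      "$@" >/dev/null 2>&1
}

# Non-destructive probe: building a CSR needs the private key, so this
# succeeds only when $2 really is the key-entry password.
key_opens_with() {                 # $1 = .jks, $2 = candidate key password
  keytool -certreq -alias "$ALIAS" -keystore "$1" -storetype JKS \
      -storepass "$STOREPASS" -keypass "$2" >/dev/null 2>&1
}

# Repair in place: re-protect the key entry with the store password.
align_key_password() {             # $1 = .jks, $2 = current key password
  keytool -keypasswd -alias "$ALIAS" -keystore "$1" -storetype JKS \
      -storepass "$STOREPASS" -keypass "$2" -new "$STOREPASS" >/dev/null 2>&1
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_p12 "$d" && import_jks "$d" "$d/mismatch.jks" || return 1
  key_opens_with "$d/mismatch.jks" "$STOREPASS" ||
    echo "store password does not open the key (Tomcat: Cannot recover key)"
  key_opens_with "$d/mismatch.jks" "$P12PASS" &&
    echo "export password opens the key: set keyPass, or align the passwords"
  align_key_password "$d/mismatch.jks" "$P12PASS" &&
    key_opens_with "$d/mismatch.jks" "$STOREPASS" &&
    echo "after -keypasswd: store password opens the key"
  import_jks "$d" "$d/clean.jks" -destkeypass "$STOREPASS" &&
    key_opens_with "$d/clean.jks" "$STOREPASS" &&
    echo "-destkeypass at import avoids the mismatch"
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Save it under any name and run it with the single argument `demo`. Leaving the two passwords different instead means giving Tomcat both, i.e. keyPass="changeme" next to keystorePass="changeit" in the Connector.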



RE: OpenSSL and keytool misery

Posted by Martin Gainty <mg...@hotmail.com>.
Apparently the provided cert that came with your P12 is not an X509v3 cert.

assuming $1 is the root name of the PEM file

openssl pkcs12 -in $1.p12 -out $1.pem -nodes -clcerts

vi $1.pem
and you should see something like:

</snip>
Key Attributes
    X509v3 Key Usage: nn
</snip>

please verify
Martin 


> Subject: Re: OpenSSL and keytool misery
> From: dmikusa@gopivotal.com
> Date: Thu, 1 May 2014 08:53:10 -0700
> To: users@tomcat.apache.org
> 
> On May 1, 2014, at 7:56 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> 
> > 
> > All,
> > 
> > I've been trying to convert an OpenSSL-generated key and certificate
> > into a keystore for use with Tomcat. I had given up on this months ago
> > and now I'm resuming my attempts.
> > 
> > What I've done so far:
> > 
> > 1. Created an RSA private key using openssl
> > 2. Created a certificate request using openssl
> > 3. Obtained a signed certificate from a CA
> > 4. Attempted to combine my key and certificate into a PKCS12 file
> > using openssl:
> > 
> > $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
> >          -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12
> > 
> > 5. Import the PKCS12 store into a Java keystore using keytool:
> > 
> > $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
> >          -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12
> > 
> > This is what my keytool now says is in the store:
> > 
> > $ keytool -list -keystore conf/${HOSTNAME}.jks
> > Enter keystore password:
> > 
> > Keystore type: JKS
> > Keystore provider: SUN
> > 
> > Your keystore contains 1 entry
> > 
> > 1, May 1, 2014, PrivateKeyEntry,
> > Certificate fingerprint (MD5):
> > EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A
> > 
> > I set the password for the Java keystore to "changeit". Now, in Tomcat:
> > 
> >    <Connector port="8443"
> >           protocol="org.apache.coyote.http11.Http11NioProtocol"
> >       keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
> >       keystorePass="changeit"
> 
> Have you tried setting keyAlias and keyPass?
> 
> Dan
> 
> >        URIEncoding="UTF-8"
> > sslProtocol="SSL"
> > SSLEnabled="true"
> > scheme="https"
> > secure="true"
> >             />

Re: OpenSSL and keytool misery

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On May 1, 2014, at 7:56 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:

> 
> All,
> 
> I've been trying to convert an OpenSSL-generated key and certificate
> into a keystore for use with Tomcat. I had given up on this months ago
> and now I'm resuming my attempts.
> 
> What I've done so far:
> 
> 1. Created an RSA private key using openssl
> 2. Created a certificate request using openssl
> 3. Obtained a signed certificate from a CA
> 4. Attempted to combine my key and certificate into a PKCS12 file
> using openssl:
> 
> $ openssl pkcs12 -export -in ${HOSTNAME}.crt \
>          -inkey ${HOSTNAME}.key > ${HOSTNAME}.p12
> 
> 5. Import the PKCS12 store into a Java keystore using keytool:
> 
> $ keytool -importkeystore -srckeystore ${HOSTNAME}.p12 \
>          -destkeystore ${HOSTNAME}.jks -srcstoretype pkcs12
> 
> This is what my keytool now says is in the store:
> 
> $ keytool -list -keystore conf/${HOSTNAME}.jks
> Enter keystore password:
> 
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 1 entry
> 
> 1, May 1, 2014, PrivateKeyEntry,
> Certificate fingerprint (MD5):
> EC:FE:0A:7F:12:3D:19:39:DD:82:7A:7D:F9:AE:18:9A
> 
> I set the password for the Java keystore to "changeit". Now, in Tomcat:
> 
>    <Connector port="8443"
>           protocol="org.apache.coyote.http11.Http11NioProtocol"
>       keystoreFile="${catalina.base}/conf/${HOSTNAME}.jks"
>       keystorePass="changeit"

Have you tried setting keyAlias and keyPass?

Dan

>        URIEncoding="UTF-8"
> sslProtocol="SSL"
> SSLEnabled="true"
> scheme="https"
> secure="true"
>             />