Posted to users@tomcat.apache.org by "Janardhanan, Veni" <vj...@trueblue.com> on 2023/01/02 17:20:19 UTC

RE: Invalid Keystore format error on Tomcat

Chris,

This is the output I have (removed all identifying information):

C:\Windows\system32>"C:\Program Files\RedHat\java-11-openjdk-11.0.13-1\bin\keytool" -v -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: 1
Creation date: Jan 2, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Serial number:
Valid from: Fri Dec 23 15:06:53 UTC 2022 until: Sun Dec 22 15:06:53 UTC 2024
Certificate fingerprints:
         SHA1: 1A:50:88:EA:A3:32:B2:6B:AA:7A:B9:BE:FC:F7:88:AA:1B:D3:70:1D
         SHA256: 74:AB:90:B7:B9:89:1B:30:3A:CF:9A:1A:30:48:5F:D7:AC:39:87:CD:AE:E7:E3:92:69:49:D2:A8:6B:5D:FB:EB
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
0000: 30 18 30 0A 06 08 2B 06   01 05 05 07 03 02 30 0A  0.0...+.......0.
0010: 06 08 2B 06 01 05 05 07   03 01                    ..+.......


#2: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
0000: 30 2D 06 25 2B 06 01 04   01 82 37 15 08 9F CA 77  0-.%+.....7....w
0010: 82 92 8A 00 87 85 81 26   87 90 F7 3E 83 CD B8 67  .......&...>...g
0020: 81 3A 83 91 A4 6F AE 93   26 02 01 65 02 01 01     .:...o..&..e...


#3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName:
,
   accessMethod: caIssuers
   accessLocation: URIName:
]
]

#4: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9E E8 BB AF 02 19 D1 DE   3B 5D 84 AD 66 94 FC E1  ........;]..f...
0010: 6D AC 2D F7                                        m.-.
]
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap
]]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName:
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 7C 13 0C DA 4F AF 78 B8   6E DE 2F 29 46 9E 20 E6  ....O.x.n./)F. .
0010: FC F4 5D 36                                        ..]6
]
]



*******************************************

Thanks,
Veni

From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Friday, December 30, 2022 8:39 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Invalid Keystore format error on Tomcat


Veni,

On 12/30/22 00:47, Janardhanan, Veni wrote:
> This is the output from C:> keytool -list -keystore
> C:\SSL\certnew_pfx.pfx -storetype PKCS12 (copy pasted the password as
> suggested by you):
>
> C:\Windows\system32>"C:\Program
> Files\RedHat\java-11-openjdk-11.0.13-1\bin\keytool" -list -keystore
> C:\SSL\certnew_pfx.pfx -storetype PKCS12
> Enter keystore password:
> Keystore type: PKCS12
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> 1, Dec 30, 2022, PrivateKeyEntry,
> Certificate fingerprint (SHA-256): 74:AB:90:B7:B9:89:1B:30:3A:CF:9A:1A:30:48:5F:D7:AC:39:87:CD:AE:E7:E3:92:69:49:D2:A8:6B:5D:FB:EB

This is ... very strange.

Are you sure that Tomcat is running with the same JVM as your keytool
command? (This really shouldn't matter, but the symptoms you report are
strange indeed so I'm looking for anything that might explain it.)

Can you run a similar command but with -v and post the results? Please
remove any identifying information such as the hostname/CN/SAN from the
certificate if you don't want to share those.

I'm primarily interested in information like this:

Certificate fingerprints:
         SHA1: ED:BE:F0:43:64:3A:D9:65:36:15:00:51:55:09:9B:67:36:2A:7A:CB
         SHA256: 01:B8:6D:AA:FB:78:A8:6F:88:D7:FE:21:15:D6:7D:CF:F5:E3:F5:39:FA:37:A7:D8:BC:79:E2:08:5E:B9:33:DF
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key

> Am fine with the email based support.

;)

-chris



> *From:* Christopher Schultz <ch...@christopherschultz.net>
> *Sent:* Friday, December 30, 2022 3:47 AM
> *To:* Tomcat Users List <us...@tomcat.apache.org>; Janardhanan, Veni
> <vj...@trueblue.com>
> *Subject:* Re: Invalid Keystore format error on Tomcat
>


> Veni,
>
> On 12/29/22 04:30, Janardhanan, Veni wrote:
>> When I start Tomcat this is what I see in the logs : (this is after I installed a CA signed trusted certificate on Tomcat). I’ve done the CA certificate install earlier on a different box and it worked fine, followed the same steps this time but seems to error out. Any thoughts/suggestions really appreciated. Both were on same versions of Windows on similar environments, no obvious differences at all.
>>
>> SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
>> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
>>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1059)
>>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>         at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>>         at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>         at java.lang.reflect.Method.invoke(Method.java:498)
>>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:304)
>>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:474)
>> Caused by: java.lang.IllegalArgumentException: Invalid keystore format
>>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218)
>>         at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124)
>>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1137)
>>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:574)
>>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
>>
>> When I have the self-signed certificate on Tomcat, am able to access my Crystal server’s Admin Console (except that it says ‘site is not secure’). My attempt is to try and secure the server here. The windows box has SAP BO BI 4.3 installed on it and Tomcat is the web server used.
>
> Okay. What does this display:
>
> C:> keytool -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12
>
> ?
>
> Copy/paste the password from your certificateKeystorePassword and make
> sure there are no complaints.
>
>> Hope this clarifies. If we need to do a screenshare/call, please reach
>> out to me.
>
> I'm happy to give email-based support for free, at my convenience. If
> you want me to help you and your team debug something in real-time, I
> can bill you for my time.
>
> -chris
>
>> From: Christopher Schultz <chris@christopherschultz.net>
>> Sent: Wednesday, December 28, 2022 12:49 AM
>> To: users@tomcat.apache.org
>> Subject: Re: Invalid Keystore format error on Tomcat
>>


>> Veni,
>>
>> On 12/23/22 12:16, Janardhanan, Veni wrote:
>>> Hi,
>>>
>>> I’ve a self-signed certificate installed on Tomcat 9 which works fine. This is a Crystal Server SAP BO BI 4.3 box.
>>> To make it secure I installed our CA signed certificate. After a restart I brought Tomcat up, the logs show ‘Invalid Keystore format’ error.
>>>
>>> Below is the config from server.xml.
>>>
>>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>            compressionMinSize="2048" URIEncoding="UTF-8" compression="on"
>>>            certificateKeyAlias="xxxxxxxx.corp.xxxxxxx.com"
>>>            compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,text/json,application/javascript,application/json"
>>>            maxThreads="200" scheme="https" secure="true" SSLEnabled="true">
>>>     <SSLHostConfig>
>>>         <Certificate certificateKeystoreFile="C:/SSL/certnew_pfx.pfx"
>>>                      certificateKeystorePassword="Crystal!@#" keystoreType="PKCS12"
>>>                      type="RSA" />
>>>     </SSLHostConfig>
>>> </Connector>
>>>
>>> Please suggest. Am stuck at this point unable to proceed further, any hints/thoughts highly appreciated!
>>
>> I'm sorry, I didn't realize that this was essentially a re-post of your
>> previous thread with subject "Install CA signed certificate on Tomcat 9".
>>
>> I see this was what was in your keystore:
>>
>> Your keystore contains 2 entries
>>
>> tomcat, Sep 8, 2022, PrivateKeyEntry,
>> Certificate fingerprint (SHA-256): 8B:1D:5B:59:86:39:A5:CD:AB:2A:4A:45:13:2B:82:A1:44:CD:8A:E7:20:96:5A:02:0F:73:E3:5A:A6:DB:B6:FD
>> tomcat1, Sep 29, 2022, trustedCertEntry,
>> Certificate fingerprint (SHA-256): 1F:A1:D5:1A:AD:5C:57:6C:B8:90:D8:CA:D1:89:2D:E1:1E:1F:7E:78:D2:19:72:CE:CC:3B:25:03:DE:0F:E1:B6
>>
>> On 23 Dec you said "when I access the Central Management Console, the
>> browser shows site as ‘Not Secure’".
>>
>> What is the Central Management Console?
>>
>> Is Tomcat able to start without throwing any errors in the log files?
>>
>> Are you able to reach the site, but get a browser warning that it's
>> "insecure"? I just want to make sure we are solving the right problem.
>>
>> -chris



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



Re: Invalid Keystore format error on Tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Veni,

On 1/2/23 12:20, Janardhanan, Veni wrote:
> Chris,
> 
> This is the output I have (removed all identifying information):
> 
> C:\Windows\system32>"C:\Program Files\RedHat\java-11-openjdk-11.0.13-1\bin\keytool" -v -list -keystore C:\SSL\certnew_pfx.pfx -storetype PKCS12
> Enter keystore password:
> Keystore type: PKCS12
> Keystore provider: SUN
> 
> Your keystore contains 1 entry
> 
> Alias name: 1
> Creation date: Jan 2, 2023
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Serial number:
> Valid from: Fri Dec 23 15:06:53 UTC 2022 until: Sun Dec 22 15:06:53 UTC 2024
> Certificate fingerprints:
>           SHA1: 1A:50:88:EA:A3:32:B2:6B:AA:7A:B9:BE:FC:F7:88:AA:1B:D3:70:1D
>           SHA256: 74:AB:90:B7:B9:89:1B:30:3A:CF:9A:1A:30:48:5F:D7:AC:39:87:CD:AE:E7:E3:92:69:49:D2:A8:6B:5D:FB:EB
> Signature algorithm name: SHA256withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
> 
> Extensions:
> 
> #1: ObjectId: 1.3.6.1.4.1.311.21.10 Criticality=false
> 0000: 30 18 30 0A 06 08 2B 06   01 05 05 07 03 02 30 0A  0.0...+.......0.
> 0010: 06 08 2B 06 01 05 05 07   03 01                    ..+.......
> 
> 
> #2: ObjectId: 1.3.6.1.4.1.311.21.7 Criticality=false
> 0000: 30 2D 06 25 2B 06 01 04   01 82 37 15 08 9F CA 77  0-.%+.....7....w
> 0010: 82 92 8A 00 87 85 81 26   87 90 F7 3E 83 CD B8 67  .......&...>...g
> 0020: 81 3A 83 91 A4 6F AE 93   26 02 01 65 02 01 01     .:...o..&..e...
> 
> 
> #3: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
> AuthorityInfoAccess [
>    [
>     accessMethod: caIssuers
>     accessLocation: URIName:
> ,
>     accessMethod: caIssuers
>     accessLocation: URIName:
> ]
> ]
> 
> #4: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 9E E8 BB AF 02 19 D1 DE   3B 5D 84 AD 66 94 FC E1  ........;]..f...
> 0010: 6D AC 2D F7                                        m.-.
> ]
> ]
> 
> #5: ObjectId: 2.5.29.31 Criticality=false
> CRLDistributionPoints [
>    [DistributionPoint:
>       [URIName: ldap
> ]]
> 
> #6: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>    clientAuth
>    serverAuth
> ]
> 
> #7: ObjectId: 2.5.29.15 Criticality=true
> KeyUsage [
>    DigitalSignature
>    Key_Encipherment
> ]
> 
> #8: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>    DNSName:
> ]
> 
> #9: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 7C 13 0C DA 4F AF 78 B8   6E DE 2F 29 46 9E 20 E6  ....O.x.n./)F. .
> 0010: FC F4 5D 36                                        ..]6
> ]
> ]

For KeyUsages, I'd expect to see:

   DigitalSignature (yours has this)
   Key_CertSign (yours is missing this)
   Crl_Sign

Who signed this certificate? Which Certificate Authority?

Can you compare your self-signed certificate with the one signed by the 
CA and look at the KeyUsage section to see if they are different? It 
looks like maybe either the CSR you are sending to the CA is a little 
strange, or the response from the CA is strange.

Finally, can you please post the version of Tomcat that is being used 
and the complete stack trace for the error?

-chris
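The diagnostic loop in this thread is manual: run `keytool -v -list` against the PKCS12 file, then compare the listing with the `<Certificate>` element in server.xml by eye. The script below is an added example, not code from the thread or from the Tomcat project; it automates that comparison using only the Python standard library. `KEYTOOL_OUTPUT` and `SERVER_XML` are constructed samples shaped like the listing and the Connector fragment quoted in this thread (the alias `host.example.test` and the password value are placeholders), and the function names are my own. The checks it runs are the ones a reviewer would want here: that the configured `certificateKeyAlias` actually exists in the keystore (the listing in this thread shows the only alias is `1`, while the Connector names a hostname alias), whether any issuer certificates are stored with the key (a chain length of 1 means only the leaf is present), whether the certificate is inside its validity window, and whether it carries the `serverAuth` extended key usage. It reads `certificateKeyAlias` from `<Certificate>`, where the Tomcat 9 connector documentation places it, or else from the `<Connector>` element as in the thread's snippet.

```python
"""Cross-check a Tomcat <Certificate> config against `keytool -v -list` output.
Added example, not code from the thread: it parses the Connector fragment and
the verbose keytool listing and runs the checks a reviewer would do by eye."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed listing modelled on the thread's: alias "1", chain length 1.
KEYTOOL_OUTPUT = """\
Your keystore contains 1 entry

Alias name: 1
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Valid from: Fri Dec 23 15:06:53 UTC 2022 until: Sun Dec 22 15:06:53 UTC 2024
Signature algorithm name: SHA256withRSA

Extensions:

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
  serverAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]
"""

# Constructed Connector fragment; alias and password are placeholders.
SERVER_XML = """\
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           certificateKeyAlias="host.example.test" scheme="https" secure="true" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="C:/SSL/certnew_pfx.pfx"
                 certificateKeystorePassword="PLACEHOLDER" keystoreType="PKCS12" type="RSA" />
  </SSLHostConfig>
</Connector>
"""

KEYTOOL_DATE = "%a %b %d %H:%M:%S %Z %Y"  # e.g. "Fri Dec 23 15:06:53 UTC 2022"


def parse_keytool_listing(text):
    """One dict per alias: entry type, chain length, validity window, KU/EKU lists."""
    entries = []
    for block in re.split(r"^Alias name: ", text, flags=re.M)[1:]:
        alias, _, body = block.partition("\n")
        entry = {"alias": alias.strip(), "key_usage": [], "ext_key_usage": [],
                 "not_before": None, "not_after": None}
        m = re.search(r"^Entry type: (.+)$", body, re.M)
        entry["entry_type"] = m.group(1).strip() if m else None
        m = re.search(r"^Certificate chain length: (\d+)$", body, re.M)
        entry["chain_length"] = int(m.group(1)) if m else 0
        m = re.search(r"^Valid from: (.+?) until: (.+)$", body, re.M)
        if m:
            entry["not_before"] = datetime.strptime(m.group(1).strip(), KEYTOOL_DATE)
            entry["not_after"] = datetime.strptime(m.group(2).strip(), KEYTOOL_DATE)
        # Extension bodies are indented names between "Name [" and a "]" line.
        for heading, key in (("KeyUsage", "key_usage"), ("ExtendedKeyUsages", "ext_key_usage")):
            m = re.search(r"^" + heading + r" \[\n(.*?)^\]", body, re.M | re.S)
            if m:
                entry[key] = [ln.strip() for ln in m.group(1).splitlines() if ln.strip()]
        entries.append(entry)
    return entries


def parse_connector(xml_text):
    """TLS-relevant attributes of a Connector fragment; certificateKeyAlias comes
    from <Certificate> or, failing that, from the <Connector> element itself."""
    root = ET.fromstring(xml_text)
    cert = root.find("./SSLHostConfig/Certificate")
    attrs = dict(cert.attrib) if cert is not None else {}
    if "certificateKeyAlias" not in attrs and root.get("certificateKeyAlias"):
        attrs["certificateKeyAlias"] = root.get("certificateKeyAlias")
    return attrs


def run_checks(connector, entries, now):
    """List of (name, ok, detail) findings for the configured certificate."""
    alias = connector.get("certificateKeyAlias")
    aliases = sorted(e["alias"] for e in entries)
    findings = [("alias present", alias in aliases,
                 f"configured {alias!r}, keystore aliases {aliases}")]
    for e in entries:
        if e["entry_type"] != "PrivateKeyEntry":
            continue
        a = e["alias"]
        # keytool lists the leaf first; length 1 means no issuer certs are stored.
        findings.append((f"{a}: issuer chain stored", e["chain_length"] > 1,
                         f"chain length {e['chain_length']}"))
        in_window = bool(e["not_before"] and e["not_before"] <= now <= e["not_after"])
        findings.append((f"{a}: within validity", in_window,
                         f"{e['not_before']} .. {e['not_after']}"))
        findings.append((f"{a}: serverAuth EKU", "serverAuth" in e["ext_key_usage"],
                         f"EKU {e['ext_key_usage']}, KU {e['key_usage']}"))
    return findings


def audit(xml_text, keytool_text, now_iso):
    """{check name: ok} for the given artifacts at the given ISO-8601 clock time."""
    findings = run_checks(parse_connector(xml_text), parse_keytool_listing(keytool_text),
                          datetime.fromisoformat(now_iso))
    return {name: ok for name, ok, _ in findings}


if __name__ == "__main__":
    for name, ok, detail in run_checks(parse_connector(SERVER_XML),
                                       parse_keytool_listing(KEYTOOL_OUTPUT),
                                       datetime(2023, 1, 2, 12, 20)):
        print(f"[{'ok' if ok else '!!'}] {name}: {detail}")
```

Run as-is it reports the four findings for the constructed input, two of which fail (alias mismatch, no issuer chain). To audit a live installation, feed `parse_keytool_listing` the saved output of `keytool -v -list -keystore <file> -storetype PKCS12` and `parse_connector` the real Connector element; the script never handles the keystore password itself, keytool remains the tool that opens the file.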

