Posted to users@tomcat.apache.org by Venkataraman Srinivasan <Ve...@gcrta.org> on 2019/09/26 21:30:20 UTC

SSL issue : java.security.KeyStoreException: Cannot store non-PrivateKeys

Hi,
 
I am getting the below error while starting Tomcat
 
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
	    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116)
	    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87)
	    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
	    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1086)
	    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:268)
	    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
	    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
	    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
	    ... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
	    at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:250)
	    at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:55)
	    at java.security.KeyStore.setKeyEntry(KeyStore.java:909)
	    at org.apache.tomcat.util.net.jsse.
++++++++++++++++++++++++++++++++++++++++++++++
 
Environment :
 
Tomcat Version : 8.5.32
Certificate Issuer : Thawte
KeyStore created with : Key Algorithm RSA
CSR Requested with : < NO Key Algorithm is passed>
Certificate Signature algorithm name: SHA1withRSA  
 
 
Connector Entry in server.xml
 

    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               defaultSSLHostConfigName="https://blabla.bla.org:8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="200"
               enableLookups="false"
               clientAuth="false"
               acceptCount="10"
               connectionTimeout="60000">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
      <SSLHostConfig hostName="https://blabla.bla.org:8443"
                     sslProtocols="+TLS+TLSv1.2+TLSv1.3"
                     ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA">
        <Certificate certificateFile="key_store/ssl_certificate.p7b"
                     certificateAlias="bla"
                     keystoreFile="/key_store/blabla.jks" type="RSA"
                     keystoreType="JKS"
                     keyChainFile="key_store/linux_apex_inter_x509.cer"
                     keystorePassword="<password" />
      </SSLHostConfig>
    </Connector>
 
 
Thanks
Venkat

 

Re: SSL issue : java.security.KeyStoreException: Cannot store non-PrivateKeys

Posted by Rémy Maucherat <re...@apache.org>.
On Fri, Sep 27, 2019 at 9:40 AM Mark Thomas <ma...@apache.org> wrote:

> >         <Certificate
> >               certificateFile="key_store/ssl_certificate.p7b"
> >               certificateAlias="bla"
> >               keystoreFile="/key_store/blabla.jks" type="RSA"
> >               keystoreType="JKS"
> >               keyChainFile="key_store/linux_apex_inter_x509.cer"
> >               keystorePassword="<password" />
>
> We need to know exactly how each of the following files were created and/or
> exactly what is in each file:
>
> - ssl_certificate.p7b
> - blabla.jks
> - linux_apex_inter_x509.cer
>
> It might be as simple as you need to import the p7b file into the
> keystore and remove the certificateFile setting. But that is just a wild
> guess without knowing what is in those files.
>

I'm a bit lost here.

Normally certificateFile and keystoreFile should be "exclusive" (if
keystoreFile is set, then certificateFile will be ignored - it seems it
could be nice to add a warning ...), and I don't know about a keyChainFile
attribute either (I verified I get a proper "WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector/SSLHostConfig/Certificate}
Setting property 'keyChainFile' to 'foobar' did not find a matching
property." in my logs).

So the config should be looked at again first, I think only keystoreFile
will be used and it will be the cause of the error.

Since you made plenty of special-case fixes since 8.5.32 for this, Venkat
should probably first test again with 8.5.46 (IMO).

Rémy


> Mark
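A diagnostic for the question Mark raises (what is actually in blabla.jks), added here as an example and not code from the thread or from Tomcat: it reports which kind of entry sits behind the configured alias and reproduces the JDK rule visible at the bottom of the trace, where KeyStore.setKeyEntry is rejected by the JKS provider because the object handed to it is not a PrivateKey. The keystore path, the alias "bla" and reading the password from stdin are assumptions.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.Collections;

public class KeystoreCheck {

    /** Classify the entry behind an alias; a TLS server alias must be a PrivateKeyEntry. */
    static String describeAlias(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "missing (compare certificateAlias with the alias list)";
        }
        if (ks.isCertificateEntry(alias)) {
            // The signed certificate was imported under its own alias instead of as a
            // reply onto the key pair: there is no private key here, so TLS cannot use it.
            return "TrustedCertificateEntry (certificate only, no private key)";
        }
        Key k = ks.getKey(alias, keyPass);
        return (k instanceof PrivateKey) ? "PrivateKeyEntry (usable for TLS)" : "key entry that is not a PrivateKey";
    }

    /** The JDK rule itself: the JKS provider refuses anything but a PrivateKey in setKeyEntry(). */
    static String storePublicKeyInJks() throws Exception {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        KeyStore jks = KeyStore.getInstance("JKS");
        jks.load(null, null);                 // empty in-memory JKS keystore
        try {
            jks.setKeyEntry("bla", kp.getPublic(), "changeit".toCharArray(), new Certificate[0]);
            return "stored";
        } catch (KeyStoreException e) {
            return e.getMessage();            // "Cannot store non-PrivateKeys"
        }
    }

    public static void main(String[] args) throws Exception {
        // assumed usage: echo "$KEYSTORE_PASSWORD" | java KeystoreCheck /key_store/blabla.jks bla
        String file = args[0], alias = args[1];
        String line = new BufferedReader(new InputStreamReader(System.in)).readLine();
        char[] pass = (line == null ? "" : line).toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass);                // also verifies the keystore integrity hash
        }
        System.out.println("aliases: " + Collections.list(ks.aliases()));
        System.out.println(alias + " -> " + describeAlias(ks, alias, pass));
        System.out.println("JDK rule: " + storePublicKeyInJks());
    }
}
```

If the alias reports a TrustedCertificateEntry, the signed certificate was imported beside the key pair rather than onto it, which matches Mark's suggestion to import the p7b into the keystore properly and drop certificateFile.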