Invalid keystore format with SSL in Tomcat 6

Tags: ssl, tomcat6

I'm trying to set up SSL in my local Tomcat 6 installation. For this, I followed the official How-To, doing the following:

$JAVA_HOME/bin/keytool -genkey -v -keyalg RSA -alias tomcat \
    -keypass changeit -storepass changeit
$JAVA_HOME/bin/keytool -export -alias tomcat -storepass changeit \
    -file /root/server.crt

Then I changed $CATALINA_BASE/conf/server.xml, uncommenting this:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/.keystore" keystorePass="changeit" />

After starting Tomcat, I get this Exception:

INFO: Initializing Coyote HTTP/1.1 on http-8080
30.06.2011 10:15:24 org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SCHWERWIEGEND: Failed to load keystore type JKS with path /root/.keystore
due to Invalid keystore format
java.io.IOException: Invalid keystore format
      at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
      at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
      at java.security.KeyStore.load(KeyStore.java:1185)

When I look into the keystore with keytool -list I get:

root@host:~# $JAVA_HOME/bin/keytool -list
Enter key store password: changeit
Key store type: gkr
Key store provider: GNU-CRYPTO

Key store contains 1 entry(ies)

Alias name: tomcat
Creation timestamp: Donnerstag, 30. Juni 2011 - 10:13:40 MESZ
Entry type: key-entry
Certificate fingerprint (MD5): 6A:B9:...C:89:1C

Obviously, the keystore types are different. How can I change the type and will this fix my problem? Thank you!

asked Jun 30 '11 13:06 by strauberry

2 Answers

It looks like the keytool you're using is the GNU implementation, not the one from Oracle/Sun or OpenJDK. From the output of keytool -list, it generates a gkr store type, which is a GNU Keyring Store.

I'm not sure whether you run Apache Tomcat using an OpenJDK or Sun/Oracle JRE, in which case this format wouldn't be supported without additional security providers.

If you run Apache Tomcat with a GNU JRE that supports gkr (or at least a JRE where you've added a security provider that supports gkr), you can try keystoreType="gkr" in your <Connector /> configuration.

However, the easiest is probably to use keytool as provided by Oracle or OpenJDK and use the JKS storetype (which would be the default type if you run Apache Tomcat with the OpenJDK or Sun/Oracle JRE). It was probably installed with your JRE, but it doesn't look like the $JAVA_HOME you're using points to an Oracle or OpenJDK JAVA_HOME. Some Linux distributions have mechanisms to install multiple JREs and configure links (update-alternatives in the Debian/Ubuntu family).

(As a side-note, it's usually not recommended to run Apache Tomcat as root, which you seem to be doing since $HOME/.keystore is /root/.keystore in your example.)

answered Oct 16 '22 11:10 by Bruno
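A pre-flight check for exactly the mismatch in this thread, added here as an example and not code from the question or either answer: it classifies a keystore file by its leading bytes (the JKS magic 0xFEEDFEED that sun.security.provider.JavaKeyStore.engineLoad verifies before raising "Invalid keystore format") and reports which keytool binary $JAVA_HOME and PATH really resolve to. The file names and sample bytes are constructed for the demonstration; the script assumes a GNU/Linux userland (od, readlink -f).

```shell
#!/bin/sh
# Added example (not from the original page): find out *before* starting Tomcat
# whether a keystore file is something the Sun/OpenJDK JSSE stack can load, and
# which keytool binary actually produced it. A GNU Classpath "gkr" keyring does
# not carry the JKS magic, so the JKS provider rejects it with the exception
# shown in the question.

keystore_type() {
    # Print jks, jceks, pkcs12 or unknown for the file in $1, based on its
    # first four bytes. JKS = 0xFEEDFEED, JCEKS = 0xCECECECE (both checked by
    # the JDK's own loaders); PKCS#12 is a DER SEQUENCE and starts with 0x30.
    magic=$(od -A n -t x1 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo jks ;;
        cececece) echo jceks ;;
        30*)      echo pkcs12 ;;
        *)        echo unknown ;;   # empty file, gkr keyring, text, ...
    esac
}

check_keystore_for_tomcat() {
    # Return 0 if the file in $1 matches the keystoreType the <Connector/>
    # expects ($2, default JKS as in Tomcat), otherwise print why and return 1.
    file=$1
    want=$(printf '%s' "${2:-JKS}" | tr 'A-Z' 'a-z')
    have=$(keystore_type "$file")
    if [ "$have" = "$want" ]; then
        echo "$file: $have keystore, matches keystoreType=$want"
        return 0
    fi
    echo "$file: detected '$have' but the connector expects keystoreType=$want" >&2
    return 1
}

show_keytools() {
    # Show which keytool $JAVA_HOME/bin and PATH resolve to, following symlinks
    # (on the page, $JAVA_HOME=/usr made /usr/bin/keytool the GNU gkeytool).
    jh=${1:-$JAVA_HOME}
    if [ -n "$jh" ]; then
        printf 'JAVA_HOME keytool: %s\n' "$(readlink -f "$jh/bin/keytool" 2>/dev/null || echo missing)"
    fi
    printf 'PATH keytool:      %s\n' "$(readlink -f "$(command -v keytool)" 2>/dev/null || echo missing)"
    command -v update-alternatives >/dev/null 2>&1 && update-alternatives --display keytool 2>/dev/null
}
```

Run it as `check_keystore_for_tomcat /root/.keystore JKS && show_keytools` against the keystoreFile named in server.xml; a non-zero exit tells you the store was written by a different keytool before Tomcat logs the stack trace.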


As Bruno said, I used the "wrong" keytool!

These are the keytools on my Debian 6 installation:

root@host:~# locate keytool
/etc/alternatives/keytool
/etc/alternatives/keytool.1.gz
/root/glassfish3/jdk/bin/keytool
/root/glassfish3/jdk/jre/bin/keytool
/root/glassfish3/jdk/man/ja_JP.eucJP/man1/keytool.1
/root/glassfish3/jdk/man/man1/keytool.1
/root/glassfish3/mq/bin/imqkeytool
/root/glassfish3/mq/bin/imqkeytool.exe
/usr/bin/gkeytool
/usr/bin/gkeytool-4.4
/usr/bin/keytool
/usr/bin/jre1.6.0_25/bin/keytool
/usr/bin/jre1.6.0_25/man/ja_JP.eucJP/man1/keytool.1
/usr/bin/jre1.6.0_25/man/man1/keytool.1
/usr/lib/jvm/java-1.5.0-gcj-4.4/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/jre/bin/keytool
/usr/lib/jvm/java-1.5.0-gcj-4.4/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/bin/keytool
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/jre/man/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/ja/man1/keytool.1.gz
/usr/lib/jvm/java-6-sun-1.6.0.24/man/man1/keytool.1.gz
/usr/share/man/man1/gkeytool-4.4.1.gz
/usr/share/man/man1/gkeytool.1.gz
/usr/share/man/man1/keytool.1.gz
/var/lib/dpkg/alternatives/keytool
root@host:~# echo $JAVA_HOME
/usr

Now I used

/usr/lib/jvm/java-6-sun-1.6.0.24/bin/keytool -genkey -v -keyalg RSA -alias tomcat \
    -keypass changeit -storepass changeit

to create the keystore file. Tomcat starts without any problems!

answered Oct 16 '22 11:10 by strauberry