java: OpenSSL certificate gives 'Invalid keystore format' in Tomcat 8
Notice: this page is a Chinese-English parallel translation of a popular StackOverflow question, released under the CC BY-SA 4.0 license. If you use it you must likewise comply with CC BY-SA, cite the original address and author information, and attribute it to the original author (not me): StackOverflow
原文地址: http://stackoverflow.com/questions/29667008/
OpenSSL certificate is giving 'Invalid keystore format' in tomcat 8
Asked by Krishna
I am using Tomcat 8 and need to make it SSL, so I use OpenSSL to generate a self-signed certificate and configured the same in Tomcat's server.xml file. But I am getting the below exception:
INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-7443"]
16-Apr-2015 09:50:56.647 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["http-nio-7443"]
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1433)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:424)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:323)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:581)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:521)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:730)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Answered by exoddus
That trace points to invalid format on your keystore.
Check this:
keytool -list -v -keystore keystore.jks
Are certificates listed in your keystore?
If you generated it with OpenSSL, maybe you are generating a pkcs12, and if you import this and use a Connector on Tomcat without specifying the format, according to the default keyStoreType value it's set as "JKS".
https://tomcat.apache.org/tomcat-8.0-doc/config/http.html
keystoreType The type of keystore file to be used for the server certificate. If not specified, the default value is "JKS".
Using keytool:
I suggest: try to generate the keystore with keytool (for me it's easier): https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jn45301e6e=2
Generate a keystore and self-signed certificate:
keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048
Using PKCS12
Or if you prefer, you can also use a PKCS12 (if it's your case) with Tomcat:
Edit the JAVA_HOME/jre/lib/security/java.security file and change the default keystore type:
# Default keystore type.
keystore.type=pkcs12
Then configure your Connector with something similar to:
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="yourKey.p12"
           keystorePass="endeca"
           truststoreType="PKCS12"
           truststoreFile="yourKey.p12"
           truststorePass="pass" />
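The answer's diagnosis is that the file on disk is not in the format Tomcat's default keystoreType="JKS" expects. As an added example that is not part of the original answer, this small Python sniffer reads a file's leading bytes and tells you whether it is a JKS/JCEKS keystore, a PKCS12 bundle, or a bare PEM/DER certificate or key, and which connector setting would load it. The magic values are the JDK's own JKS/JCEKS headers and the PFX version integer from PKCS#12; the function and variable names are my own.

```python
"""Sniff a keystore file's on-disk format from its leading bytes.

Added diagnostic, not part of the original answer. Tomcat assumes
keystoreType="JKS" unless told otherwise; OpenSSL writes PKCS12 or PEM.
Magic values are the JDK's own (JKS/JCEKS) and standard ASN.1 DER.
"""
JKS_MAGIC = b"\xfe\xed\xfe\xed"    # sun.security.provider.JavaKeyStore header
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # com.sun.crypto.provider.JceKeyStore header

def _after_der_length(data, i):
    """Index just past the DER length field that starts at data[i]."""
    first = data[i]
    return i + 1 if first < 0x80 else i + 1 + (first & 0x7F)

def sniff_keystore(data):
    """Return JKS, JCEKS, PKCS12, PEM, DER or UNKNOWN for raw file bytes."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if len(data) > 2 and data[0] == 0x30:      # ASN.1 SEQUENCE tag
        j = _after_der_length(data, 1)
        if data[j:j + 3] == b"\x02\x01\x03":   # PFX: INTEGER version 3
            return "PKCS12"
        return "DER"   # other DER object, e.g. a bare certificate or key
    return "UNKNOWN"

def recommend(fmt):
    """Map a detected format to the connector setting that will load it."""
    if fmt in ("JKS", "JCEKS", "PKCS12"):
        return 'keystoreType="%s"' % fmt
    if fmt in ("PEM", "DER"):
        return ('not a keystore: bundle cert and key with '
                '"openssl pkcs12 -export" and set keystoreType="PKCS12"')
    return "unrecognised; keytool -list -v -keystore <file> will fail too"

def diagnose_file(path):
    """Read the first 64 bytes of a file and return (format, advice)."""
    with open(path, "rb") as f:
        fmt = sniff_keystore(f.read(64))
    return fmt, recommend(fmt)

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        fmt, advice = diagnose_file(p)
        print("%s: %s -> %s" % (p, fmt, advice))
```

Run it as `python sniff_keystore.py keystore.jks yourKey.p12 cert.pem` and compare the result with the keystoreType in your Connector.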