I (somewhat sadly, imo) need to run Tomcat/SSL on a public-facing
machine at work. I was really, really hoping I could use the
GCJ-compiled version of Tomcat supplied in the base repository.
I can't get Tomcat to read a Java keystore created with the keytool
utility provided (in java-1.4.2-gcj-compat-1.4.2.0-40jpp.110).
The Sun and GNU keytools produce different keystores. I'll use the
Tomcat nomenclature to describe the differences. Obviously, I'm
looking for the correct "algorithm" (i.e., certificate signing
algorithm) setting:
Toolset keystoreType algorithm
------- ------------ ---------
Sun JKS SunX509
GNU GKR ???
The Tomcat that ships with CentOS 4.92 defaults to assuming
keystoreType="JKS" and algorithm="SunX509" so that in
/etc/tomcat5/server.xml the Connector tag will assume those values,
e.g.,
<Connector port="8443" maxHttpHeaderSize="8192" [....]
scheme="https" secure="true"
sslProtocol="TLS"
keystoreType="JKS" algorithm="SunX509" />
With those settings -- either implicitly (since they're the default)
or explicitly -- Tomcat fails to start an SSL listener. The
catalina.out log reports:
SEVERE: Exception trying to load keystore /path/to/keystore
java.security.KeyStoreException: JKS
If I set keystoreType="gkr", the error changes:
SEVERE: Error initializing endpoint
java.io.IOException: SunX509
I've taken some wild stabs at guessing the algorithm string
("X.509",
"X509", "GnuX509", "GNU-CRYPTOX509", and some
others), to no avail.
My keystore seems to be valid, since "keytool -list" run against it
produces the expected output.
My google-foo has failed me completely. Help, anyone?
--
Paul Heinlein <> heinlein at madboa.com <> www.madboa.com
