
List:       tomcat-user
Subject:    Re: PKCS#8 encryption algorithm unrecognized
From:       Mark Thomas <markt () apache ! org>
Date:       2024-03-31 18:04:38
Message-ID: bdff4651-fec0-4f45-a6f7-a6bdb2b4ac60 () apache ! org

On 25/03/2024 16:56, Timothy Resh wrote:
> Sorry for the delay.  Our certificate creation process was automated
> several years ago and I had to go through the code to figure out the
> commands being used for the certificates
> 
> First, we use the createcert.exe from the Sybase 17 installation to

I don't have access to that application so I am unable to follow the 
provided instructions.

Given you do have access to the application, it will likely be simpler 
if you provide a test key and certificate that don't work that we can 
use for investigation.

If you want to provide those offline, feel free to email the pem files 
to me directly.

Mark


> generate a DB cert for ODBC connectivity.  Please see the following link
> for more information.
> https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
>                 
> -t encryption type
> -b length
> -ca "1"  Create Certificate Authority
> -u 3,4,5,6
> 
> - 3. Key Encipherment
> - 4. Data Encipherment
> - 5. Key Agreement
> - 6. Certificate Signing
> 
> -v 6 years
> -co Public Certificate
> -x Generates a self-signed certificate
> 
> C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
> -t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate
> Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application
> Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co
> "C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM
> Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com" -sl "Norfolk" -so
> "Vessel Ships" -sou "Engineering" -sst "VA" -u 3,4,5,6 -v "6"
> 
> SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160
> Warning: The certificate will not be compatible with older versions of the
> software including version 12.0.1 prior to build 3994 and version 16.0 prior
> to build 1691. Use the -3des switch if you require compatibility.
> Generating key pair...
> Certificate will be a self-signed root
> Serial number [generate GUID]:
> Generated serial number: 42455c10a27d441db3e3d09f39f35452
> 
> 
> This creates an ASA12 SAMM Vessel.pub file that is then copied to the Tomcat
> Application Server as "Client Configuration.pem".
> 
> Our next commands are all openssl or keytool:
> 
> openssl.exe genrsa -aes256 -passout pass:"changeit" -out
> "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048
> 1>nul 2>&1
> openssl.exe req -new -key "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key" -subj "/CN=
> WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out
> "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin
> pass:"changeit"    1>nul 2>&1
> 
> echo basicConstraints = CA:FALSE  1>"C:\tmp12\openssl\v3.ext"
> echo keyUsage = digitalSignature, keyEncipherment
> 1>>"C:\tmp12\openssl\v3.ext"
> ECHO [SAN]   1>>"C:\tmp12\openssl\v3.ext"
> ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com
> 1>>"C:\tmp12\openssl\v3.ext"
> 
> openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey
> "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in
> "C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out
> "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin
> pass:"changeit" -days "2190" -extensions SAN
> Certificate request self-signature ok
> subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O =
> U.S.Government, C = US
> 
> COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer"
> "C:\tmp12\Certificates\CA\"   1>nul 2>&1
> 
> openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public
> Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile
> "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname
> WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout pass:"changeit"
> 
> keytool.exe -importkeystore -deststorepass "changeit" -destkeypass
> "changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks"
> -srckeystore "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass
> "changeit" -alias WSD-2DNX4M3.mydomain.com
> Importing keystore C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.p12 to
> C:\tmp12\Certificate\Keystore\Vessel.jks...
> DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"
> 
> openssl.exe rsa -in "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
> openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private
> Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout
> pass:"changeit"
> openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in
> "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out
> "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin
> pass:"changeit" -passout pass:"changeit"
> 
> DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.2"
> DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3"
> 
> keytool.exe -importkeystore -srckeystore
> "C:\tmp12\Certificate\Keystore\Vessel.jks" -destkeystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -srcstoretype JKS -deststoretype
> PKCS12 -srcstorepass "changeit" -deststorepass "changeit" -noprompt
> keytool.exe -delete -alias "ASA12 SAMM Vessel Temporary CA" -keystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> keytool.exe -delete -alias "ASA12 SAMM Vessel" -keystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> keytool.exe -delete -alias "WSD-2DNX4M3.mydomain.com" -keystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> keytool.exe -import -alias "ASA12 SAMM Vessel" -file "C:\tmp12\Client
> Configuration.pem" -keystore "C:\tmp12\Certificate\Keystore\Vessel.p12"
> -storepass "changeit" -noprompt
> keytool.exe -import -trustcacerts -alias "ASA12 SAMM Vessel Temporary CA"
> -file "C:\tmp12\Client Configuration.pem" -keystore
> "C:\tmp12\Certificate\Keystore\Vessel.p12" -storepass "changeit" -noprompt
> 
> 
> If you need anything else, please get in touch with me.
> I have tested this with the Tomcat 87 release and it still does not work.
> 
> Thanks
> 
> Mark Resh
> 
> 
> 
> 
> On Tue, Mar 19, 2024 at 4:15 PM Mark Thomas <markt@apache.org> wrote:
> 
> > On 19/03/2024 18:18, Timothy Resh wrote:
> > > <Connector ........
> > > SSLProtocol="TLSv1.2"
> > > SSLCipherSuite="-ALL
> > > ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
> > > SSLPassword="${KSENC(6qkaMErQ==;
> > > C:\Certificate\Keystore\Vessel.p12)}"
> > > SSLCertificateChainFile="C:Certificate\Public Key\WSD-2DNX4M3.......cer"
> > > SSLCertificateFile="C:\Certificate\Public Key\WSD-2DNX4M3.......cer"
> > > SSLCertificateKeyFile="C:\Certificate\Private Key\WSD-2DNX4M3......key"
> > > SSLVerifyClient="optional"
> > > SSLCACertificateFile="C:\Certificates\CA\intermediate.ca"
> > > SSLCACertificatePath="C:\Certificates\CA\"
> > > 
> > > where the ..... is the fqdn
> > > 
> > > This works fine *until* Tomcat 9.0.83 and now we get the following listed
> > > below. I have read some of the
> > > https://bz-he-de.apache.org/bugzilla/show_bug.cgi?id=67675 bugs and ask for
> > > help.
> > > The certificates are being created using openssl 3.013.  Please note the
> > > encrypted password to the p12 keystore.  There was a message saying this
> > > was going to be fixed in a January release.
> > > I just tested 9.0.87 and the error is the same.  The ASN.1 is OBJECT
> > > IDENTIFIER=Sha256WithRSAEncryption (1.2.840.113549.1.1.11)
> > > 
> > > Does anyone have some suggestions for a fix?
> > 
> > Please provide a set of OpenSSL commands that create a problematic,
> > self-signed certificate for localhost. This will save us a *lot* of time.
> > 
> > Mark
> > 
> > 
> > > 
> > > Thanks Mark Resh
> > > 
> > > 
> > > 15-Mar-2024 18:27:37.621 WARNING [main]
> > > org.apache.tomcat.util.net.SSLUtilBase.getEnabled Tomcat interprets the
> > > [ciphers] attribute in a manner consistent with the latest OpenSSL
> > > development branch. Some of the specified [ciphers] are not supported by
> > > the configured SSL engine for this connector (which may use JSSE or an
> > > older OpenSSL version) and have been skipped:
> > > [[TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,
> > > TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256]]
> > > 15-Mar-2024 18:27:37.636 SEVERE [main]
> > > org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> > > initialize component [Connector["https-openssl-apr-192.168.56.1-8443"]]
> > > org.apache.catalina.LifecycleException: Protocol handler initialization
> > > failed
> > > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> > > at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> > > at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
> > > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
> > > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
> > > Caused by: java.lang.IllegalArgumentException: The PKCS#8 encryption
> > > algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> > > at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:467)
> > > at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:433)
> > > at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1332)
> > > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1345)
> > > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
> > > at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
> > > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
> > > ... 13 more
> > > Caused by: java.security.NoSuchAlgorithmException: The PKCS#8 encryption
> > > algorithm with DER encoded OID of [2a864886f70d010c0103] was not recognised
> > > at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:379)
> > > at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:213)
> > > at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:141)
> > > at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
> > > at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:108)
> > > at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
> > > at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:465)
> > > ... 19 more
> > > 15-Mar-2024 18:27:37.636 INFO [main]
> > > org.apache.catalina.startup.Catalina.load Server initialization in [1655]
> > > milliseconds
> > > 

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
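Added example, not part of the thread or of Tomcat's own code: the DER-encoded OID in the NoSuchAlgorithmException above decodes to 1.2.840.113549.1.12.1.3, the PKCS#12 scheme pbeWithSHAAnd3-KeyTripleDES-CBC, which is the algorithm the "-v1 PBE-SHA1-3DES" option in the openssl pkcs8 -topk8 step selects. The script decodes that OID and reads the encryptionAlgorithm OID out of an ENCRYPTED PRIVATE KEY PEM so the scheme of a key can be checked before Tomcat tries to load it; the sample PEM is constructed here with dummy salt and ciphertext.

```python
import base64
# PBE OIDs that can appear as encryptionAlgorithm of a PKCS#8 EncryptedPrivateKeyInfo.
PBE_OIDS = {
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0; what openssl pkcs8 -topk8 -v2 emits)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC (PKCS#12; openssl -v1 PBE-SHA1-3DES)",
}

def decode_oid(content: bytes) -> str:
    """DER OBJECT IDENTIFIER content bytes -> dotted string (base-128 arcs)."""
    first = content[0]
    arcs, value = ([2, first - 80] if first >= 80 else [first // 40, first % 40]), 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                      # a clear high bit ends the arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; returns (tag, content)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length]

def pkcs8_encryption_oid(pem: str) -> str:
    """Dotted OID of the outer encryptionAlgorithm of an ENCRYPTED PRIVATE KEY PEM."""
    b64 = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    tag, outer = read_tlv(base64.b64decode(b64))   # EncryptedPrivateKeyInfo SEQUENCE
    tag2, alg_id = read_tlv(outer)                  # encryptionAlgorithm AlgorithmIdentifier
    tag3, oid = read_tlv(alg_id)                    # algorithm OBJECT IDENTIFIER
    if (tag, tag2, tag3) != (0x30, 0x30, 0x06):
        raise ValueError("not an EncryptedPrivateKeyInfo")
    return decode_oid(oid)

# Constructed sample: correct DER framing, but the salt and encryptedData are dummy bytes.
SAMPLE_DER = bytes.fromhex(
    "3028" "301c" "060a2a864886f70d010c0103"      # SEQUENCE, AlgorithmIdentifier, OID
    "300e" "04080001020304050607" "02020800"      # pkcs-12PbeParams: salt, iterations 2048
    "0408deadbeefdeadbeef")                       # encryptedData placeholder
SAMPLE_PEM = ("-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n"
              % base64.b64encode(SAMPLE_DER).decode())

if __name__ == "__main__":
    oid = decode_oid(bytes.fromhex("2a864886f70d010c0103"))  # hex quoted in the Tomcat error
    print(oid, "->", PBE_OIDS.get(oid, "unknown"), "|", pkcs8_encryption_oid(SAMPLE_PEM))
```

Run it against the real .key file by passing its text to pkcs8_encryption_oid; an OID other than 1.2.840.113549.1.5.13 (PBES2) is worth re-encoding with openssl pkcs8 -topk8 -v2 before handing the key to Tomcat.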

