Tomcat using the Windows certificate store for SSL

Time: 2018-07-30 23:03:18

Tags: tomcat ssl

I am using Tomcat 9.0.10 and would like to use the Windows certificate store to hold the SSL private key and certificate. There is another thread here that seems to have the answer, but I get an exception when starting Tomcat.

My server.xml looks like this:

<Connector port="443"
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       SSLEnabled="true"
       maxThreads="150"
       scheme="https"
       secure="true"
       keyAlias="SERVER-TST-1.domain.local"
       keystoreFile=""
       keystoreType="Windows-ROOT"
       clientAuth="false"
       sslProtocol="TLS"
       connectionTimeout="20000"
       keepAliveTimeout="200000" />

Here is the exception:

 org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Alias name [SERVER-TST-1.domain.local] does not identify a key entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
    ... 13 more
Caused by: java.io.IOException: Alias name [SERVER-TST-1.domain.local] does not identify a key entry
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:229)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
    ... 19 more

The certificate in the Windows certificate store also has its private key. I imported it into both the Local Machine and the Current User store. The SSL certificate and the whole chain are in the certificate store. Also, the CN of the certificate is SERVER-TST-1.domain.local. If I configure Tomcat to use a PFX file into which I imported the certificate + private key and the chain, everything works fine. I just want to avoid having the keystore password in plaintext, which is why I want to use the Windows certificate store.

1 answer:

Answer 0 (score: 0)

According to Leveraging Security in the Native Platform Using Java, the Windows-ROOT keystore contains all the root CA certificates trusted by the machine.

You should set keystoreType to Windows-MY, which contains the user's private keys and the associated certificate chains.

In addition, there is an open OpenJDK bug indicating that Local Machine certificates cannot be read.
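As an added diagnostic (not part of the question or the answer), the following Java program performs the same check Tomcat's JSSEUtil.getKeyManagers() performs before it throws "does not identify a key entry": it opens the Windows-MY and Windows-ROOT stores through the SunMSCAPI provider, reports whether the alias from the question is present and whether it is a key entry (certificate plus private key), and lists every alias in Windows-MY that actually carries a private key. It assumes a Windows JDK with the SunMSCAPI provider; run it under the same account Tomcat runs as, because Windows-MY is that user's personal store.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Collections;

/**
 * Reports, for each Windows keystore type, whether an alias exists and
 * whether it is a key entry. Tomcat rejects an alias for which
 * KeyStore.isKeyEntry(alias) is false, which is the case for a certificate
 * that is only found in Windows-ROOT (the trusted root CA store).
 */
public class WindowsKeyStoreCheck {

    /** Returns a one-line status for the alias in the given store type. */
    static String describe(String storeType, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        ks.load(null, null); // MSCAPI stores take no input stream and no password
        if (!ks.containsAlias(alias)) {
            return storeType + ": alias not present";
        }
        if (ks.isKeyEntry(alias)) {
            int chainLen = ks.getCertificateChain(alias).length;
            return storeType + ": key entry, chain length " + chainLen + " (usable as keyAlias)";
        }
        return storeType + ": certificate only, no private key (Tomcat will reject it)";
    }

    public static void main(String[] args) throws Exception {
        // Alias taken from the question; pass a different one as args[0].
        String alias = args.length > 0 ? args[0] : "SERVER-TST-1.domain.local";
        for (String type : new String[] {"Windows-MY", "Windows-ROOT"}) {
            try {
                System.out.println(describe(type, alias));
            } catch (KeyStoreException e) {
                // Thrown when the SunMSCAPI provider is absent (non-Windows JDK).
                System.out.println(type + ": store type not available (" + e.getMessage() + ")");
            }
        }
        // Every alias that carries a private key in Windows-MY is a valid
        // candidate for keyAlias in server.xml; anything else is not.
        KeyStore my = KeyStore.getInstance("Windows-MY");
        my.load(null, null);
        for (String a : Collections.list(my.aliases())) {
            if (my.isKeyEntry(a)) {
                System.out.println("Windows-MY key entry: " + a);
            }
        }
    }
}
```

If the alias shows up as a key entry only when run as your interactive user but not as the Tomcat service account, the certificate and key are in the wrong user's personal store.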