how to import new SSL cert into existing default keystore? [message #1244784] |
Wed, 12 February 2014 17:09  |
Eclipse User |
I'm following the steps here:
http://www.eclipse.org/jetty/documentation/current/configuring-ssl.html
I'm trying to add an SSL cert into an existing Jetty implementation that already has a self-signed cert and a working SSL connector/factory. I converted my key, cert, and intermediate cert into PKCS12 as per the Eclipse wiki, and imported that into the existing keystore using the storepwd password. No errors so far, but upon starting my .jar it crashes with "java.lang.reflect.InvocationTargetException" caused by "Caused by: java.security.UnrecoverableKeyException: Cannot recover key".
The new key did seem to get put into that existing keystore:
# keytool -list -keystore ./keystore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
1, Feb 12, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0B:50:A2:84:81:4A:9C:15:42:6C:19:30:13:98:1D:B2:53:B6:C4:B1
java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.eclipse.jetty.start.Main.invokeMain(Main.java:297)
at org.eclipse.jetty.start.Main.start(Main.java:724)
at org.eclipse.jetty.start.Main.main(Main.java:103)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(Unknown Source)
at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source)
at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source)
at java.security.KeyStore.getKey(Unknown Source)
at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source)
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source)
at javax.net.ssl.KeyManagerFactory.init(Unknown Source)
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:904)
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:297)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:117)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:99)
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:64)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69)
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:117)
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:99)
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:259)
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:218)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69)
at org.eclipse.jetty.server.Server.doStart(Server.java:336)
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:69)
at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1250)
at java.security.AccessController.doPrivileged(Native Method)
at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1174)
... 7 more
Re: how to import new SSL cert into existing default keystore? [message #1245410 is a reply to message #1244784] |
Thu, 13 February 2014 14:27  |
Eclipse User |
For anyone else with this issue, I've found the problem. The examples from
https://wiki.eclipse.org/Jetty/Howto/Configure_SSL#Configuring_Jetty
have this:
<Call name="addConnector">
  <Arg>
    <New class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
      <Arg>
        <New class="org.eclipse.jetty.http.ssl.SslContextFactory">
          <Set name="keyStore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
          <Set name="keyStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
          <Set name="keyManagerPassword">OBF:1u2u1wml1z7s1z7a1wnl1u2g</Set>
          <Set name="trustStore"><SystemProperty name="jetty.home" default="." />/etc/keystore</Set>
          <Set name="trustStorePassword">OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4</Set>
        </New>
      </Arg>
      <Set name="port">8443</Set>
      <Set name="maxIdleTime">30000</Set>
    </New>
  </Arg>
</Call>
A keen eye will see that the keyManager password is different from the other two. I just took out all the keyManager/trustStore stuff, as then they inherit the config from the keyStore. Now my cert works.
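The thread fixes the symptom in the Jetty XML but never shows the underlying keystore state. Below is an added example, not code from the thread, from Jetty or from the Eclipse wiki: a POSIX shell script that drives keytool to reproduce the failure (a PKCS12 merged into a JKS whose store password differs from the PKCS12 password, so the imported entry's key password is not the store password), shows that `keytool -list` cannot detect it, probes the key password the way Jetty's KeyManagerFactory does, and fixes it. It assumes a JDK `keytool` on PATH; the passwords (storepwd, p12secret), the alias names and the keytool-generated PKCS12 standing in for the openssl-converted one are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not Jetty's code): reproduce, detect and fix
# "java.security.UnrecoverableKeyException: Cannot recover key" with keytool.
set -eu

command -v keytool >/dev/null 2>&1 || { echo "keytool not found on PATH; install a JDK" >&2; exit 0; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed values for this example (the thread only names "storepwd").
STOREPASS=storepwd     # JKS store password; what Jetty is given as keyStorePassword
P12PASS=p12secret      # password of the converted PKCS12; deliberately different
JKS="$WORK/keystore"
P12="$WORK/server.p12"

# 1. The "existing" keystore: a JKS with one self-signed entry, like a stock Jetty
#    install. Key password == store password, so keyStorePassword alone unlocks it.
make_existing_keystore() {
  keytool -genkeypair -keystore "$JKS" -storetype JKS \
    -storepass "$STOREPASS" -keypass "$STOREPASS" -alias jetty \
    -keyalg RSA -keysize 2048 -dname "CN=localhost" -validity 30 >/dev/null 2>&1
}

# 2. Stand-in for the PKCS12 built with openssl from key + cert + intermediate.
#    Alias "1" mirrors the listing in the thread (openssl leaves the entry unnamed
#    and keytool then calls it "1"); here the alias is simply set by hand.
make_pkcs12() {
  keytool -genkeypair -keystore "$P12" -storetype PKCS12 \
    -storepass "$P12PASS" -alias 1 \
    -keyalg RSA -keysize 2048 -dname "CN=www.example.com" -validity 30 >/dev/null 2>&1
}

# 3. What the original post did: merge the PKCS12 into the JKS. keytool protects the
#    imported entry with the *source* key password (for a PKCS12 that is its store
#    password), so alias 1 ends up keyed with P12PASS while the store uses STOREPASS.
import_pkcs12() {
  keytool -importkeystore -noprompt \
    -srckeystore "$P12" -srcstoretype PKCS12 -srcstorepass "$P12PASS" \
    -destkeystore "$JKS" -deststoretype JKS -deststorepass "$STOREPASS" >/dev/null 2>&1
}

# `keytool -list` only needs the store password, so it happily shows both entries
# whether or not their key passwords are recoverable. Prints the PrivateKeyEntry count.
count_key_entries() {
  keytool -list -keystore "$JKS" -storetype JKS -storepass "$STOREPASS" 2>/dev/null \
    | grep -c PrivateKeyEntry
}

# 4. The check. This actually unlocks the private key, which is the KeyStore.getKey
#    call Jetty's KeyManagerFactory makes at startup; it does so by re-saving the entry
#    under the same key password. Returns 0 when the candidate password works.
key_unlocks_with() {   # $1 alias, $2 candidate key password
  keytool -keypasswd -keystore "$JKS" -storetype JKS -storepass "$STOREPASS" \
    -alias "$1" -keypass "$2" -new "$2" >/dev/null 2>&1
}

# 5. The fix: give the imported key the store password, so that with keyManagerPassword
#    left unset Jetty's keyStorePassword recovers it. (Setting keyManagerPassword to the
#    key's real password instead also works; what must not happen is a mismatch.)
align_key_password() {   # $1 alias, $2 current key password
  keytool -keypasswd -keystore "$JKS" -storetype JKS -storepass "$STOREPASS" \
    -alias "$1" -keypass "$2" -new "$STOREPASS" >/dev/null 2>&1
}

main() {
  make_existing_keystore
  make_pkcs12
  import_pkcs12
  echo "keytool -list sees $(count_key_entries) PrivateKeyEntry entries (tells you nothing about key passwords)"
  if key_unlocks_with 1 "$STOREPASS"; then
    echo "unexpected: alias 1 already unlocks with the store password" >&2
    return 1
  fi
  echo "after import: alias 1 does NOT unlock with the store password; Jetty would die with Cannot recover key"
  align_key_password 1 "$P12PASS"
  key_unlocks_with 1 "$STOREPASS"
  echo "after keytool -keypasswd: alias 1 unlocks with the store password"
}

main
```

Run it with `sh example.sh`. The point to take from it: the `keytool -list` output in the first post proves only that the entry is present, not that its key password matches what Jetty will use, so the probe in step 4 (or the equivalent `keytool -keypasswd` on the real keystore) is the check to run before restarting the server. Two caveats: the OBF: values in the Jetty config are reversible obfuscation, not encryption, so removing them does not weaken anything that was protected in the first place; and passing `-storepass`/`-keypass` on the command line as this script does exposes them in the process list, so on a shared host let keytool prompt instead.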