Be Excellent To Each Other

Here's the scenario.

I've got a web server that is Apache embedded and Tomcat.

It has a keystore, which is in PKCS12 format. I've used keytool to get our corporate CA to issue a cert for the host. Now, that requires that I not only import the cert for the host, but that I also import the root CA cert as a trusted root.

The problem is, you can't (apparently) store trusted roots in a PKCS12 format keystore. And you can't import a cert without its CA being trusted.

So, question - is there any way to have an Apache/Tomcat web server look at two different keystores? One in PKCS12 format, and one in JKS format? Would that even work, having the host cert in a different keystore to the trusted root?

Any other suggestions?

Ta.

Shoot the Apache with a Stinger missile twice. The first will be taken off by flares, but you can normally hit with the second.

You're on my turf here (I write Tomcat software) but I rarely have to deal with keystores. I was under the impression, though, that JKS (Java Key Store) was the format of the overall keystore, whilst PKCS#12 was the format of the key, and that you should be able to put the one inside the other. What command are you using (keystore?) and what error message are you seeing?

Further research suggests I am incorrect.

Right, sack off the JKS store. Use the openssl command line tool to make a new cert signed from the existing root cert. Put that new cert into the same store as your root cert, all in PKSC12 format. Point Tomcat at that in the server.xml file.

keystore is part of the core Java tools and can only talk JKS. openssl can write the standard PKCS12 files, and Tomcat can read them.

More detailed instructions: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

No, JKS and PKCS12 are both keystore formats. Sanitised input:



Returns "keytool error: java.security.KeyStoreException: TrustedCertEntry not supported"

Googling suggests that this is down to PKCS12 stores not allowing trusted root certs.

You can't put a root cert in a PKCS12 store, that's the problem.

StackOverflow (http://stackoverflow.com/questions/2147 ... -key-store) suggests http://sourceforge.net/projects/portecle/ might help.

Hmm - don't think it will. I don't think that changes the fundamental fact that I can't put a trusted root in a PKCS12.

Is there any way to have Tomcat use two separate keystores?

Why not just have a JKS one?

Because the site itself is a 3rd party product that does internal stuff that uses that keystore.

I don't think there is. To aid your own googling, you're mostly asking if Java can have two keystores, by the way.

Yeah, I know. I really, really hate Java.