java.io.IOException: Invalid keystore format using Tomcat server


Question

On enabling SSL mode in Tomcat 7, I'm getting the following error in my Tomcat logs

I have generated a .key file using openssl like below

openssl genrsa -des3 -out localhost 2048

And I have given the path to my key file in the Tomcat server.xml

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-bio-8443"] java.io.IOException: Invalid keystore format

Recommended answer

openssl genrsa -des3 -out localhost 2048 generates a private key. What you need to run a web server using HTTPS is a private key and a certificate. You'll need a step to generate a certificate.

You can configure HTTPS in Tomcat using 2 almost completely different approaches, depending on whether you're using the APR connector or not.

If you're using the APR connector, it makes sense to use OpenSSL to generate the keys/certificate, since it's the format it expects. (There are a number of tutorials to generate self-signed certificates with OpenSSL, if a self-signed certificate is sufficient for your environment.)

If you're not using APR, you would have to convert the keys/cert generated with OpenSSL into a keystore format supported by your JRE. Coming from OpenSSL, converting your private key + certificate into a PKCS#12 store (.p12) is usually the easiest: this is supported directly via Oracle/OpenJDK with the PKCS12 keystore type. (You could convert your PKCS#12 file into a JKS store, but that's not necessary.)

However, if you don't have any keys/cert yet, the easiest way to generate a self-signed certificate for Tomcat is to use keytool directly. This will produce a JKS keystore, which is the default type. keytool -genkey not only generates a key/pair and enough to produce a CSR, but it associates a self-signed certificate (at least temporarily until you import the certificate coming from a CA if necessary).
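
The question points Tomcat at the OpenSSL key file, which is PEM text rather than a keystore. As an added example (not part of the original answer), this shell script reads a file's leading bytes to tell JKS, JCEKS, DER/PKCS#12 and PEM files apart before the path goes into server.xml; the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the file a Tomcat connector is pointed at.
# JKS starts FE ED FE ED, JCEKS starts CE CE CE CE, DER-encoded ASN.1
# (PKCS#12, or a bare DER key/cert) starts 0x30, PEM starts "-----BEGIN".
keystore_kind() {
    [ -r "$1" ] || { echo "UNREADABLE"; return 0; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $magic in
        feedfeed) echo "JKS" ;;
        cececece) echo "JCEKS" ;;
        30*)      echo "DER" ;;
        2d2d2d2d) # PEM: classify by the label on the BEGIN line
            label=$(sed -n '1s/^-----BEGIN \(.*\)-----.*$/\1/p' "$1")
            case $label in
                *"PRIVATE KEY") echo "PEM-KEY" ;;
                CERTIFICATE)    echo "PEM-CERT" ;;
                *)              echo "PEM-OTHER" ;;
            esac ;;
        *) echo "UNKNOWN" ;;
    esac
}

# Map the detected kind to the next step described in the answer.
connector_advice() {
    case $(keystore_kind "$1") in
        JKS)      echo "JKS keystore: the default keystore type" ;;
        JCEKS)    echo "JCEKS keystore: set the keystore type to JCEKS" ;;
        DER)      echo "DER data: confirm with 'keytool -list -storetype PKCS12 -keystore FILE', then use type PKCS12" ;;
        PEM-KEY)  echo "PEM private key only: add a certificate, bundle both into PKCS#12, or use the APR connector" ;;
        PEM-CERT) echo "PEM certificate only: the private key is missing" ;;
        *)        echo "not a recognised keystore" ;;
    esac
}

# Constructed samples: only the leading bytes, no real key material.
demo() {
    d=$(mktemp -d)
    printf '\376\355\376\355\000\000\000\002' > "$d/keystore.jks"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' > "$d/localhost"
    for f in "$d/keystore.jks" "$d/localhost"; do
        printf '%s: %s\n' "${f##*/}" "$(connector_advice "$f")"
    done
    rm -rf "$d"
}

if [ $# -gt 0 ]; then connector_advice "$1"; else demo; fi
```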
