Tomcat 将 Windows 证书存储用于 SSL [英] Tomcat to use Windows Certificate Store for SSL
问题描述
我使用 Tomcat 9.0.10 并希望使用 Windows 证书存储来保存 SSL 私钥和证书.这里有另一个线程,似乎有回答,但我在启动 Tomcat 时出现异常.
I use Tomcat 9.0.10 and wish to use the Windows Certificate Store to hold the SSL private key and certificate. There's another thread here, that seems to have the answer, but I get an exception when starting Tomcat.
我的 server.xml 如下所示:
My server.xml looks like this:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11NioProtocol"
SSLEnabled="true"
maxthreads="150"
scheme="https"
secure="true"
keyAlias="SERVER-TST-1.domain.local"
keystoreFile=""
keystoreType="Windows-ROOT"
clientAuth="false"
sslProtocol="TLS"
connectionTimeout="20000"
keepAliveTimeout="200000" />
这是个例外:
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Alias name [SERVER-TST-1.domain.local] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
... 13 more
Caused by: java.io.IOException: Alias name [SERVER-TST-1.domain.local] does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:229)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 19 more
该证书的私钥也在 Windows 证书存储中.我也将它们导入到本地机器和当前用户存储中.SSL 证书和整个链都在证书存储中.此外,证书中的 CN 是 SERVER-TST-1.domain.local如果我将 Tomcat 配置为使用我从中导入证书+私钥和链的 PFX 文件,则一切正常.我只想避免使用明文形式的密钥库密码,因此我想使用 Windows 证书库.
The certificate has the private key also in the Windows cert store. I have imported them into the Local Machine and into the Current User store, too. The SSL certificate and the entire chain is in the cert store. Also, the CN in the cert is SERVER-TST-1.domain.local If I configure Tomcat to use the PFX file that I imported the certificate+private key and the chain from, then all is working well. I just want to avoid having a keystore password in clear text, hence I would like to use the Windows cert store.
推荐答案
根据 使用 Java 在本机平台中利用安全性Windows-ROOT 密钥库包含机器信任的所有根 CA 证书.
According to Leveraging Security in the Native Platform Using Java The Windows-ROOT keystore contains all root CA certificates trusted by the machine.
您应该将 keystoreType 设置为 Windows-MY,其中包含用户的私钥和相关的证书链.
You should set keystoreType to Windows-MY which contains the user's private keys and the associated certificate chains.
此外,还有一个开放的 OpenJDK 错误,这是不可能的读取本地计算机证书.
Also, there is an open OpenJDK bug that it is not possible to read local computer certificates.
这篇关于Tomcat 将 Windows 证书存储用于 SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
