
Trying to set up SSL in Tomcat 9 using JDK 10 on Windows 10. When I follow an online tutorial to create a Java keystore using the default password of 'changeit', everything works fine and Tomcat starts with no errors. But if I create a keystore using a different keystore password other than 'changeit', Tomcat throws this error:

Caused by: java.lang.IllegalArgumentException: keystore password was incorrect 

This is the command to create a keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore c:\certificates\tomcatkeystore 

This is the SSL connector that works.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:/certificates/tomcatkeystore"
                     type="RSA" clientAuth="false" sslProtocol="TLS"
                     keystorePass="changeit" />
    </SSLHostConfig>
</Connector>

SSL connector that does not work.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:/certificates/tomcatkeystore"
                     type="RSA" clientAuth="false" sslProtocol="TLS"
                     keystorePass="testing" />
    </SSLHostConfig>
</Connector>

Why, if I follow exactly the same steps as above but change to a different keystore password and specify it in server.xml, does this generate the above Tomcat error?

NOTE: one thing I noticed in both cases is that the keytool command never prompts me for the 'key password' like many online examples show. Is there a different keytool command I need when using other than the default 'changeit' password?

Thanks.

  • (1) if you use a different password consistently on creation and in the config it should work; does keytool -list -keystore $file with that password work? (2) until recently Java defaulted to JKS format which uses separate 'keystore' and 'key' passwords, but Java 9 and 10 default to PKCS12 format which (as implemented) does not, so now you are not prompted for the 'key' password unless you specify -storetype JKS or JCEKS, or BKS using the BC provider, and then you'll get a warning that you should upgrade to PKCS12(!) Commented Aug 4, 2018 at 0:36
  • Yeah, -list works fine after creating the keystore. I also tried changing the keystore password, and -list again just to make sure, but Tomcat still throws the same error. Commented Aug 5, 2018 at 17:58

1 Answer

OK, I was able to solve this. My problem was that I was using the wrong connector attribute to specify the keystore password. In my example I was using "keystorePass" and the correct one should be "certificateKeystorePassword". Maybe I missed it in the logs, but Tomcat didn't seem to be throwing an appropriate error like 'bad attribute for connector', which would have been useful.

It seems like Tomcat has different connectors, so you have to use the correct ones:

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support


3 Comments

Thanks for sharing this. Such a simple thing, but I was also stuck because of that. Honestly, there are too many variants of documentation lying around, so it's easy to misplace or confuse the attributes.
I got an error saying that the password for the file named '.keystore' was invalid. Clearly only an idiot like me would think that "keystorePass" was the correct XML attribute to use in specifying the password to a file by default named '.keystore'! Especially since there is countless documentation for my version of Tomcat (9) saying this is exactly what it is for.
A warning with content Match [<element>] failed to set property [<property>] to [<value>] is sent before the entries generated by the VersionLoggerListener, so it is easy to miss.
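As an added example (not code from the question, the answer, or the Tomcat project), the following Python script checks for the two symptoms discussed on this page: the misnamed `<Certificate>` attribute in server.xml that the answer identifies, and the digester warning that the last comment says is easy to miss. The server.xml fragments and the log line are constructed from the text of this page; the exact prefix of the warning line (timestamp, level, logger name) is an assumption, only the "Match [...] failed to set property [...] to [...]" part is taken from the comment above.

```python
import re
import xml.etree.ElementTree as ET

# Attribute name on <Certificate> documented for Tomcat 9 (SSL_Support page linked in the answer).
RIGHT_ATTR = "certificateKeystorePassword"
# Attribute used in the question; Tomcat 9 does not recognise it on <Certificate>.
WRONG_ATTR = "keystorePass"

# Warning text quoted in the comments. The value is captured only so it can be dropped:
# when the rejected property is a password, the log line contains that password in clear.
WARN_RE = re.compile(
    r"Match \[(?P<match>[^\]]+)\] failed to set property \[(?P<prop>[^\]]+)\] to \[(?P<value>[^\]]*)\]"
)


def lint_server_xml(xml_text: str) -> list[str]:
    """Report SSL connectors whose <Certificate> uses the unrecognised attribute
    or sets no keystore password at all (Tomcat then tries the default 'changeit')."""
    findings = []
    root = ET.fromstring(xml_text)
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no keystore involved
        port = conn.get("port", "?")
        for cert in conn.iter("Certificate"):
            if WRONG_ATTR in cert.attrib:
                findings.append(
                    f"port {port}: <Certificate> sets '{WRONG_ATTR}', which Tomcat 9 ignores; use '{RIGHT_ATTR}'"
                )
            if RIGHT_ATTR not in cert.attrib:
                findings.append(
                    f"port {port}: <Certificate> has no '{RIGHT_ATTR}'; Tomcat falls back to the default 'changeit'"
                )
    return findings


def find_rejected_properties(log_text: str) -> list[tuple[str, str]]:
    """Return (digester match path, property name) for every 'failed to set property'
    warning in a catalina log. The rejected value is deliberately not returned."""
    return [(m.group("match"), m.group("prop")) for m in WARN_RE.finditer(log_text)]


# Constructed server.xml fragment modelled on the non-working connector in the question.
BROKEN_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="C:/certificates/tomcatkeystore"
                 type="RSA" keystorePass="testing" />
  </SSLHostConfig>
</Connector>
</Service></Server>"""

# Same fragment with the attribute name the answer gives.
FIXED_SERVER_XML = BROKEN_SERVER_XML.replace(
    'keystorePass="testing"', 'certificateKeystorePassword="testing"'
)

# Constructed catalina.out excerpt; the line prefix is assumed, the bracketed message is from the comment.
SAMPLE_LOG = """04-Aug-2018 10:00:00.000 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version name: Apache Tomcat/9.0.x
04-Aug-2018 10:00:00.000 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin Match [Server/Service/Connector/SSLHostConfig/Certificate] failed to set property [keystorePass] to [testing]
"""

if __name__ == "__main__":
    for finding in lint_server_xml(BROKEN_SERVER_XML):
        print("server.xml:", finding)
    for path, prop in find_rejected_properties(SAMPLE_LOG):
        print(f"catalina log: Tomcat rejected property [{prop}] at [{path}]")
    print("findings for fixed config:", lint_server_xml(FIXED_SERVER_XML))
```

Run against the "working" connector from the question (keystorePass="changeit") the linter still reports two findings, which is the real explanation: that configuration only worked because the ignored attribute happened to match Tomcat's default password, not because the attribute was read.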
