Bug 38217

Summary: mention that private key password and keystore password need to be the same (avoid "IOException: Cannot recover key")
Product: Tomcat 5
Reporter: Ralf Hauser <hauser>
Component: Connector:Coyote
Assignee: Tomcat Developers Mailing List <dev>
Status: CLOSED FIXED
Severity: enhancement
Priority: P2
Version: 5.5.14
Target Milestone: ---
Hardware: Other
OS: All
URL: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Prepare the Certificate Keystore

Description Ralf Hauser 2006-01-10 20:01:37 UTC
As per org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystorePassword()
"keypass" and "keystorePass" are the same.

E.g., when using http://sf.net/projects/portecle, some people are tempted to
set a different key on the private key.

Then, they get:

  Error initializing endpoint
  java.io.IOException: Cannot recover key
   at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
   at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)

It would be great if there were a cautionary note in the ssl-howto.html

see also http://www.ponton-consulting.de/en/faq/faq_advanced.html

I guess the test at the bottom of
http://marc.theaimsgroup.com/?l=tomcat-user&m=109363993616257&w=2 would succeed
despite what is claimed...
Comment 1 Yoav Shapira 2006-04-13 19:00:15 UTC
Good point, added cautionary note and reference to your comment above to the SSL
HowTo.  Thanks.
Comment 2 Ralf Hauser 2008-05-11 22:08:49 UTC
see also Bug 38774

Comment 3 jfclere 2011-01-12 07:16:13 UTC
Note that adding one key with a different passphrase will break the whole keystore for TC.
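The following program is an added example, not code from Tomcat or from anyone in this bug; it reproduces the failure described in the report and in comment 3 and shows the repair. It assumes the behaviour stated in the description (Tomcat 5.5 opens the key entry with the keystore password because keypass defaults to keystorePass), a hypothetical alias "tomcat", the passwords "changeit" and "different", and a PKCS12 keystore holding an AES secret key entry in place of the private-key entry, since the JDK KeyStore API protects both kinds of key entry with a per-entry password in the same way.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/**
 * Added example (not Tomcat code): a key entry whose password differs from the
 * keystore password cannot be opened with the keystore password alone, which is
 * what a Tomcat 5.5 connector without an explicit keypass attempts. The keystore
 * is built in memory so the program runs offline.
 */
public class KeyPasswordMismatch {

    // Assumed alias and passwords; any values work, only the mismatch matters.
    static final String ALIAS = "tomcat";
    static final char[] STORE_PASS = "changeit".toCharArray();  // keystorePass
    static final char[] KEY_PASS = "different".toCharArray();   // set separately on the key entry

    /** Build a PKCS12 keystore whose single entry uses a key password other than the store password. */
    static byte[] buildMismatchedKeystore() throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry(ALIAS, new KeyStore.SecretKeyEntry(key),
                    new KeyStore.PasswordProtection(KEY_PASS));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASS);
        return out.toByteArray();
    }

    /** Mirrors the Tomcat 5.5 behaviour from the description: the key is opened with the store password. */
    static void openLikeTomcat55(byte[] keystoreBytes) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(keystoreBytes), STORE_PASS); // loading succeeds
        try {
            ks.getKey(ALIAS, STORE_PASS);                              // recovering the key does not
        } catch (UnrecoverableKeyException e) {
            // The connector surfaced this as "java.io.IOException: Cannot recover key".
            throw new IOException("Cannot recover key", e);
        }
    }

    /** Repair: re-protect the entry with the store password (what keytool -keypasswd does on disk). */
    static byte[] alignKeyPassword(byte[] keystoreBytes) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(keystoreBytes), STORE_PASS);
        KeyStore.Entry entry = ks.getEntry(ALIAS, new KeyStore.PasswordProtection(KEY_PASS));
        ks.setEntry(ALIAS, entry, new KeyStore.PasswordProtection(STORE_PASS));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, STORE_PASS);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        byte[] broken = buildMismatchedKeystore();
        try {
            openLikeTomcat55(broken);
        } catch (IOException e) {
            System.out.println("As in the report: " + e.getMessage()
                    + " (cause: " + e.getCause().getClass().getSimpleName() + ")");
        }
        byte[] fixed = alignKeyPassword(broken);
        openLikeTomcat55(fixed);
        System.out.println("Key password aligned with keystore password: key recovered");
    }
}
```

On an existing keystore file the same repair is done with the JDK's keytool, which prompts for the old and new key passwords: keytool -keypasswd -alias tomcat -keystore <your keystore file>. Repeat it for every key entry in the store, since one mismatched entry is enough to stop the connector from initializing.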