Bug 61445

Summary: Unable to start SSL using SunMSCAPI
Product: Tomcat 8
Reporter: Radek Němec <radek.nemec>
Component: Connectors
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED DUPLICATE
Severity: normal
CC: radek.nemec
Priority: P2
Version: 8.5.20
Target Milestone: ----
Hardware: PC
OS: All
Attachments: Catalina log with SSL problem

Description Radek Němec 2017-08-18 07:03:55 UTC
Created attachment 35250
Catalina log with SSL problem

I have this Connector in server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig truststoreProvider="SunMSCAPI" truststoreType="Windows-Root"
                   protocols="+TLSv1.2,+TLSv1.1,+TLSv1">
        <Certificate certificateKeystoreProvider="SunMSCAPI" certificateKeystoreFile=""
                     certificateKeystoreType="Windows-MY" certificateKeyAlias="my-web-cz"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

Tomcat is running as a service under account "ServiceAccount". In Tomcat 8.5.14 the site is functioning normally and certificate from LocalMachine (Windows-Root) is accessed and used.
Setting certificateKeystoreFile="" is correct for SunMSCAPI, not an error; without it, "java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: C:\Users\ServiceAccount/.keystore" occurs.

However, after upgrading 8.5.14 to 8.5.20, this error appears in the log (see attachment for full log):

...
17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
17-Aug-2017 16:41:46.633 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k  26 Jan 2017]
17-Aug-2017 16:41:46.836 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
17-Aug-2017 16:41:47.398 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
 java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
...
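The log shows the OpenSSL-backed NIO handler ("https-openssl-nio-8443", "useOpenSSL [true]") and fails while creating the SSL context with "Cannot get key bytes, not PKCS#8 encoded". The check below, an added diagnostic that is neither from this report nor from Tomcat's sources, opens the same keystore the Connector uses and reports whether the private key behind an alias can hand out its PKCS#8 bytes at all. Keys held in the Windows certificate store (Windows-MY through SunMSCAPI) are handles into CAPI/CNG: their getFormat() and getEncoded() return null, whereas the same certificate in a PKCS12 or JKS file reports "PKCS#8". Assumptions: it runs on Windows with a JDK that ships SunMSCAPI, the default alias my-web-cz is taken from the connector above, and the class and method names are mine.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Added diagnostic (not Tomcat code): report whether the private key behind a
 * keystore alias exposes its PKCS#8 encoding. MSCAPI-backed keys do not, so
 * any code path that needs raw key bytes (an OpenSSL-backed endpoint, for
 * example) cannot use them; a JSSE engine can, because the key stays in CAPI.
 */
public class MscapiKeyCheck {

    /** What was found for one alias. */
    public static final class Result {
        public final boolean aliasPresent;
        public final boolean hasPrivateKey;
        public final String keyFormat;        // null for non-exportable MSCAPI keys
        public final boolean pkcs8Exportable;
        public final String subject;

        Result(boolean aliasPresent, boolean hasPrivateKey, String keyFormat,
               boolean pkcs8Exportable, String subject) {
            this.aliasPresent = aliasPresent;
            this.hasPrivateKey = hasPrivateKey;
            this.keyFormat = keyFormat;
            this.pkcs8Exportable = pkcs8Exportable;
            this.subject = subject;
        }

        @Override
        public String toString() {
            if (!aliasPresent) {
                return "alias not found";
            }
            if (!hasPrivateKey) {
                return "certificate only, no private key (" + subject + ")";
            }
            return (pkcs8Exportable
                    ? "PKCS#8 bytes available"
                    : "key bytes NOT exportable (format=" + keyFormat + ")")
                    + " for " + subject;
        }
    }

    /** Windows-MY is the current user's personal store: no file, no password. */
    public static KeyStore openWindowsMy() throws Exception {
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);
        return ks;
    }

    /** Works for any loaded KeyStore, so a PKCS12 file can be compared side by side. */
    public static Result check(KeyStore ks, String alias, char[] keyPassword) throws Exception {
        if (!ks.containsAlias(alias)) {
            return new Result(false, false, null, false, null);
        }
        Certificate cert = ks.getCertificate(alias);
        String subject = (cert instanceof X509Certificate)
                ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                : "?";
        Key key = ks.getKey(alias, keyPassword);   // SunMSCAPI ignores the password
        if (!(key instanceof PrivateKey)) {
            return new Result(true, false, null, false, subject);
        }
        String format = key.getFormat();           // null for MSCAPI keys
        boolean pkcs8 = key.getEncoded() != null && "PKCS#8".equalsIgnoreCase(format);
        return new Result(true, true, format, pkcs8, subject);
    }

    /** Every alias the running account can see; useful when the alias lookup fails. */
    public static List<String> aliases(KeyStore ks) throws Exception {
        return Collections.list(ks.aliases());
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "my-web-cz";   // alias from the report
        KeyStore ks = openWindowsMy();
        System.out.println("Windows-MY aliases visible to "
                + System.getProperty("user.name") + ": " + aliases(ks));
        System.out.println(alias + ": " + check(ks, alias, null));
    }
}
```

Run it as the same account that runs the Tomcat service: Windows-MY is per-user, which is why the reporter corrects LocalMachine to CurrentUser in Comment 1. The report itself proposes no workaround; in general, the documented Connector attribute sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" forces the JSSE engine even when Tomcat Native is installed, which keeps the private key inside CAPI instead of requiring its bytes.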
Comment 1 Radek Němec 2017-08-18 07:11:06 UTC
> In Tomcat 8.5.14 the site is functioning normally and certificate from
> LocalMachine (Windows-Root) is accessed and used.

I wanted to write CurrentUser (Windows-MY) instead of LocalMachine (Windows-Root).
Comment 2 Radek Němec 2017-08-28 21:41:43 UTC
Seems to be a duplicate of https://bz.apache.org/bugzilla/show_bug.cgi?id=61451. Can someone prove this?
Comment 3 Mark Thomas 2017-08-31 19:35:43 UTC
Confirmed. This is a duplicate.

*** This bug has been marked as a duplicate of bug 61451 ***