Bug 56021 - SSL connector using windows-my keystore
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Connectors
Version: 7.0.50
Hardware: PC All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2014-01-16 19:37 UTC by Asanka
Modified: 2019-08-28 19:10 UTC

Description Asanka 2014-01-16 19:37:09 UTC
Was trying to configure SSL on tomcat 7 to use the Windows-MY keystore (provider that wraps MSCAPI to access certificates in the keystore of the Windows cert manager) but didn't get it to work. Tomcat startup fails to load the connector since it looks for an empty file for the keystore inside the catalina_home directory.

But I got it working with a small code change in the org.apache.tomcat.util.net.AbstractEndpoint.adjustRelativePath() method. When the Windows-MY keystore is used there is no physical keystore file. To be able to pass in an empty value for the keystoreFile in the connector I added a check for a non-empty path before adjusting the path.

    public String adjustRelativePath(String path, String relativeTo) {
        String newPath = path;
        // A Windows-MY keystore has no backing file, so an empty path is left alone
        if (!"".equalsIgnoreCase(newPath)) {
            File f = new File(newPath);
            if (!f.isAbsolute()) {
                newPath = relativeTo + File.separator + newPath;
                f = new File(newPath);
            }
            if (!f.exists()) {
                getLog().warn("configured file:[" + newPath + "] does not exist.");
            }
        }
        return newPath;
    }

java version "1.7.0_07"

To reproduce (on windows):
1. Install a cert to the windows cert manager (start run certmgr.msc).
2. Configure the SSL connector with the cert alias ('issued to' column value of the cert in certmgr)
   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
3. Start tomcat

The fix has been tested on windows 7 and windows server 2012.
Comment 1 Mark Thomas 2014-01-19 20:02:24 UTC
Thanks for the report and the suggested fix.

I applied a slightly different patch that allowed some additional code clean-up.

The patch has been applied to 8.0.x for 8.0.0 onwards and to 7.0.x for 7.0.51 onwards.

Thanks again for your support of the Apache Tomcat community.
Comment 2 joakim_ganse 2014-12-17 13:56:03 UTC
Does this work now? And how do I set it up?

My current setup is on Windows 2012 R2 with Tomcat 7.0.55.
Tomcat is installed as a service.
I have verified that the certificate exists in the windows cert manager.

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 

2014-12-17 14:45:14,306 [main] INFO  org.apache.coyote.http11.Http11Protocol- Initializing ProtocolHandler ["http-bio-8180"]
2014-12-17 14:45:14,322 [main] INFO  org.apache.coyote.http11.Http11NioProtocol- Initializing ProtocolHandler ["http-nio-443"]
2014-12-17 14:45:14,759 [main] ERROR org.apache.coyote.http11.Http11NioProtocol- Failed to initialize end point associated with ProtocolHandler ["http-nio-443"]
java.io.IOException: Alias name server.my.domain does not identify a key entry
Comment 3 Asanka 2014-12-18 11:33:03 UTC
1. Make sure you have the correct keyAlias; the following openssl command should show the alias as the common name (CN): openssl pkcs12 -info -in filename.pfx
2. The certificate needs to be installed in the LocalMachine\My store if the Tomcat service runs with "Log on as Local System". The CurrentUser\My store is not accessible from other user accounts. You can use PowerShell to install and verify the cert in the LocalMachine\My store.
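An added diagnostic (not code from this bug report or from Tomcat) for the "does not identify a key entry" failure in comment #2 and the alias/store advice in comment #3: it opens the same SunMSCAPI "Windows-MY" keystore Tomcat uses, lists every alias, and reports whether the alias configured as keyAlias is a key entry (has a private key). Run it under the same Windows account as the Tomcat service; "server.my.domain" is a placeholder taken from the log in comment #2.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class WindowsMyAliasCheck {

    // Returns true only if the alias exists AND has a private key, which is the
    // condition Tomcat/JSSE checks before it throws "does not identify a key entry".
    public static boolean isUsableKeyAlias(KeyStore ks, String wanted) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (alias.equalsIgnoreCase(wanted)) {
                return ks.isKeyEntry(alias);
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder alias; pass the real keyAlias as the first argument.
        String wanted = args.length > 0 ? args[0] : "server.my.domain";

        // No file and no password: the provider reads the Windows certificate store.
        KeyStore ks = KeyStore.getInstance("Windows-MY");
        ks.load(null, null);

        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.printf("%-40s keyEntry=%-5b subject=%s%n",
                    alias, ks.isKeyEntry(alias), cert.getSubjectX500Principal());
        }

        if (isUsableKeyAlias(ks, wanted)) {
            System.out.println("OK: " + wanted + " is a key entry");
        } else {
            System.out.println("PROBLEM: " + wanted + " is missing from this account's "
                    + "store or has no private key");
        }
    }
}
```

If the alias is listed but keyEntry=false, the certificate was imported without its private key; if it is not listed at all while certmgr shows it, the store being read is not the one the service account sees.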
Comment 4 Martin Stenderup 2019-08-22 07:58:58 UTC
(In reply to joakim_ganse from comment #2)

Try by setting keystorePassword="" in your connector configuration (it defaults to "changeit" if not set).
This worked for me.

I had to step-debug through Tomcat's code to figure it out.
Comment 5 Martin Stenderup 2019-08-27 07:01:47 UTC
(In reply to Martin Stenderup from comment #4)
It seems to be called "keystorePass" in some versions of Tomcat 8.
Comment 6 Christopher Schultz 2019-08-28 19:10:47 UTC
(In reply to Martin Stenderup from comment #5)
> It seems to be called "keystorePass" some versions of Tomcat 8.

Yes, it's "keystorePass" in all currently supported versions of Tomcat. "keystorePassword" is not a valid configuration attribute for any version of Tomcat.