英文:
How to resolve : jno_key_entry
问题
以下是翻译的内容:
我有一些由Sectigo生成的以下文件:
- XXX1.pem
- XXX1.key
- XXX1.csr
- XXX1.crt
- XXX1.ca
我在Windows上使用Zulu JDK 11.0.8和SpringBoot 2.2.0。我想要做的是在SpringBoot应用程序中启用HTTPS。
这是SpringBoot属性文件中的SSL属性:
server.ssl.key-store-type=JKS
server.ssl.key-store=XX1.jks
server.ssl.key-store-password=password
server.ssl.key-alias=tomcat
我使用以下命令生成了一个密钥库:
keytool -import -alias tomcat -file XXX1.crt -keystore XX1.jks -storepass password
运行应用程序时,我收到以下错误消息:
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1008) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
... 17 common frames omitted
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
... 19 common frames omitted
Caused by: java.io.IOException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:328) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
... 25 common frames omitted
你知道我做错了什么吗?
谢谢
英文:
I have a the following files that where generated by Sectigo:
- XXX1.pem
- XXX1.key
- XXX1.csr
- XXX1.crt
- XXX1.ca
I am using Zulu JDK 11.0.8 and SpringBoot 2.2.0 on windows. What I am trying to do is to enable https in SpringBoot app.
This are the ssl properties in SpringBoot properties file:
server.ssl.key-store-type=JKS
server.ssl.key-store=XX1.jks
server.ssl.key-store-password=password
server.ssl.key-alias=tomcat
I generated a keystore using the following command:
keytool -import -alias tomcat -file XXX1.crt -keystore XX1.jks -storepass password
When running the app I am getting the following error message:
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1008) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
... 17 common frames omitted
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
... 19 common frames omitted
Caused by: java.io.IOException: jsse.alias_no_key_entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:328) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
... 25 common frames omitted
Any idea what I did wrong ?
Thank you
答案1
得分: 2
TLDR: 你需要私钥
虽然我们经常随意地谈论一个SSL/TLS服务器是否拥有或使用“证书”,但实际上它不仅需要证书,还需要相关的私钥(始终如此),以及任何关联的中间CA证书(通常如此,但可能取决于CA和/或客户端)。keytool -import 是 -importcert 的别名,它仅导入证书或证书链;这要么将证书/链添加到一个 预先存在的 privateKeyEntry,要么创建一个 trustedCertEntry。在您的情况下,您的密钥库中尚未包含私钥,因此keytool创建了一个 trustedCertEntry,这就是为什么Tomcat抱怨配置的别名是“no_key_entry” -- 也就是说,它是一个 trustedCertEntry,是不足的、无法使用的和错误的,而不是所需的 privateKeyEntry。
搜索“将PEM转换为Java密钥库”或“将PEM转换为JKS”(可能还有“将PEM转换为PKCS12”)会发现过去十年里出现了数百个问题,涉及的两个真正答案大致相同:
-
如果您拥有或获取了OpenSSL,请使用
openssl pkcs12 -export将证书、私钥和链(CA)的PEM格式文件合并到PKCS12格式文件中。现代Java(自2017年以来)始终可以直接使用PKCS12作为密钥库;旧版本有时可以这样做,但有时需要您使用keytool -importkeystore(而不是-import[cert])将PKCS12转换为JKS,旧答案反映了这种先前的要求。必要时,您可以将PEM格式文件移动或复制到另一台足够安全且具有OpenSSL的机器上,然后再将PKCS12移动或复制回来。OpenSSL 几乎在所有Linux和许多其他Unix系统上都是标准配置,但在Windows上没有。您可以从多个来源获取适用于Windows的OpenSSL,我认为 http://slproweb.com/products/Win32OpenSSL.html 是维护最好的来源之一。
-
下载并使用 KeyStore Explorer。
英文:
TLDR: you need the privatekey
Although we often talk loosely about an SSL/TLS server having or using 'a certificate', in fact it needs not just a certificate but the associated private key (always) and any associated intermediate aka 'chain' CA cert(s) (usually, but can depend on the CA and/or clients). keytool -import is an alias for -importcert which imports only a certificate or chain; this either adds a cert/chain to a preexisting privateKeyEntry, or creates a trustedCertEntry. In your case your keystore did not already contain the privatekey, so keytool created a trustedCertEntry, which is why Tomcat complains that the configured alias is 'no_key_entry' -- i.e. it is a trustedCertEntry, which is inadequate, unusable, and wrong, not a privateKeyEntry as is needed and required.
Search for 'convert PEM to Java keystore' or 'convert PEM to JKS' (and possibly 'convert PEM to PKCS12' also) and you will find hundreds of Questions asked over the past decade, with about as many variations of the two real Answers:
-
If you have or get OpenSSL, use
openssl pkcs12 -exportto combine the certificate, privatekey, and chain (CA) PEM-format files into a PKCS12-format file. Modern Java (since 2017) can always use PKCS12 directly as a keystore; older versions sometimes could do this but sometimes required you to convert the PKCS12 to JKS withkeytool -importkeystore(not-import[cert]) and older Answers reflect that former requirement. If necessary you could move or copy the PEM-format files to another machine that is sufficently secure and has OpenSSL and then move or copy the PKCS12 back.OpenSSL comes standard on nearly all Linuxes and many other Unixes, but not Windows. You can get it for Windows from several sources of which I consider http://slproweb.com/products/Win32OpenSSL.html the best-maintained.
-
Download and use KeyStore Explorer.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论