Tomcat 8: Invalid keystore format

Question

I try to configure SSL into my new project. I do it for the first time and i got some problems.

Some items to the projects:

A part of my server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
            keystoreFile="/PATHTO/src/main/resources/keystore.p12"
            keystorePass="STOREPASS" clientAuth="false" sslProtocol="TLS" />

A part of my application.properties:

spring.profiles.active=https
server.port=8443
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=STOREPASS
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat

The command that i use to generate the keystore:

keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650

And the keystore.p12 is in the same folder like the application.properties.

The error of the console:

java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:437)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:336)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:594)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:534)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:732)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)

Has someone any ideas?

Thanks. Cheers.

Answer 1

You need to specify keyStoreType, as the format is PKCS12, not JKS.

Answer 2

To elaborate on EJP's answer and detail to Mick Mnemonic that this is not entirely correct.

OP did not set that in the server.xml rather the application.properties

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
        keystoreFile="/PATHTO/src/main/resources/keystore.p12"
        keystorePass="STOREPASS" clientAuth="false" sslProtocol="TLS"
        keystoreType="PKCS12" />

You will note that on the last line of the "Connector" element I have added keystoreType="PKCS12" to allow the connector to correctly load the file.

Your stack trace is a dead give away on this one.