Bug 50925 - Key password no longer has to be same as keystore password
Summary: Key password no longer has to be same as keystore password
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Documentation
Version: trunk
Hardware: PC Windows XP
Importance: P2 minor
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Reported: 2011-03-13 21:21 UTC by Sebb
Modified: 2011-03-15 19:01 UTC

Description Sebb 2011-03-13 21:21:14 UTC
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration

says:

"You MUST use the same password here as was used for the keystore password itself. This is a restriction of the Tomcat implementation."

However, surely Tomcat 7 now supports the "keyPass" attribute?
Comment 1 Sebb 2011-03-13 21:23:45 UTC
Does the following paragraph still apply to Tomcat 7?

"Note: your private key password and keystore password should be the same. If they differ, you will get an error along the lines of java.io.IOException: Cannot recover key, as documented in Bugzilla issue 38217, which contains further references for this issue."
Comment 2 Sebb 2011-03-13 22:21:09 UTC
I cannot get the keyPass attribute to work, so perhaps it is the other way round - the reference to the keyPass attribute should be removed.
Comment 3 Sebb 2011-03-14 10:19:02 UTC
See also Bug 50928.

The attribute "keyPass" is used, but *only* as a default for "keyStorePass".

The documentation in

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

says:

keyPass: The password used to access the server certificate from the specified keystore file. The default value is "changeit".

which is not currently true, so the caveats in SSL Howto do still apply for now.
Comment 4 Mark Thomas 2011-03-15 19:01:06 UTC
Fixed in 7.0.x and will be in 7.0.12 onwards.