java - TLS with self-signed cert with Tomcat server - could not load PEM client certificate

I want to use TLS for a REST API. I'm planning to create a self-signed cert and provide the public key to the clients of the REST API.

My REST API is deployed on a Tomcat (Catalina) container (Tomcat version 8.0.42).

My test steps are below.
Server side

1) Created a self-signed cert using openssl:

openssl genrsa -out restapi.key 2048
openssl req -new -key restapi.key -out restapi.csr
openssl x509 -req -days 24855 -in restapi.csr -signkey restapi.key -out restapi.cert

2) Created a PKCS#12 bundle:

openssl pkcs12 -export -in restapi.cert -inkey restapi.key -out restapi.p12 -name restapi

3) Configured Tomcat to have TLS enabled (with keystoreType "PKCS12"), and started Tomcat:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/users/prayagupd/restapi.p12" keystoreType="PKCS12"
           keystorePass="prayagupd" clientAuth="true" sslProtocol="TLS" />
Client side

4) Sent an HTTPS request.

I have the same PKCS#12 file on the client. I also saw

openssl x509 -pubkey -noout -in restapi.cert > pubkey.pem

but I'm not sure if I need that one.

The .p12 has permissions like

21765315 -rw-r--r-- 1 prayagupd nord\domain users 2596 Aug 24 01:34 restapi.p12

When I send an HTTPS request it fails with the following error (with curl 7.55.1):

$ curl -v --cert restapi.p12 https://localhost:8443/restapi/health
* Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering http/1.1
* could not load PEM client certificate, OpenSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)
* Closing connection 0
curl: (58) could not load PEM client certificate, OpenSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)

$ curl --cert restapi.p12:restapi https://localhost:8443/restapi/health
curl: (58) could not load PEM client certificate, OpenSSL error error:0906D06C:PEM routines:PEM_read_bio:no start line, (no key found, wrong pass phrase, or wrong file format?)
It's working if I bypass TLS:

$ curl --insecure https://localhost:8443/restapi/health
{"id":3,"eventid":"config_sucks","status":"sky green"}

openssl s_client throws an SSL handshake failure:

$ openssl s_client -connect localhost:8443 -showcerts
CONNECTED(00000003)
59281:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_lib.c:185:
Note

I found this resource - Mutual Authentication with Tomcat 7 - which explains establishing TLS communication. I'm having the same issue, could not load PEM client certificate. Here's the code, for TLSv1.2:

keytool -import -alias root -keystore restapi.jks -trustcacerts -file restapi.cert
The problem is here. You have accomplished importing the signed certificate. You need to import the private key as well. You should have used nothing but keytool here:

keytool -genkey ...
keytool -selfcert

using the same alias throughout. You can throw away the existing keystore; it is of no use to man or beast.

This is documented. See the JSSE Reference Guide.

You have done it with openssl. Well, you would have needed to end up with a PKCS#12 keystore file, which you can use directly in Java. There is no reason to do that unless you're dealing with an OpenSSL-based system, such as Apache httpd, MySQL, OpenLDAP, etc.
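As an added example that is not part of the question or the answer above, the script below repeats the openssl steps from the question and then separates the two things going wrong on the client: the .p12 is a binary PKCS#12 file, so any PEM reader (curl's default for --cert, and `openssl x509` here) rejects it with the same "no start line" class of error, while the PKCS#12 parser opens it fine once it is told the format and the export password. The matching curl invocation therefore needs `--cert-type P12`, the password after the colon in `--cert file:password`, and `--cacert` pointing at the self-signed cert instead of `--insecure`. Assumptions made in this example: an export password of `changeit`, a CN of `localhost`, a 365-day validity instead of the question's 24855 days, and a scratch directory from `mktemp -d`.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Reproduces the question's
# self-signed cert + PKCS#12 flow and shows the correct curl client options.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumption: scratch directory
PASS="changeit"                # assumption: PKCS#12 export password

make_bundle() {
  # Same steps as the question: key, CSR, self-signed cert, PKCS#12 bundle.
  # -subj avoids the interactive prompt; 365 days instead of 24855.
  openssl genrsa -out "$WORK/restapi.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/restapi.key" -subj "/CN=localhost" \
      -out "$WORK/restapi.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/restapi.csr" \
      -signkey "$WORK/restapi.key" -out "$WORK/restapi.cert" 2>/dev/null
  openssl pkcs12 -export -in "$WORK/restapi.cert" -inkey "$WORK/restapi.key" \
      -out "$WORK/restapi.p12" -name restapi -passout "pass:$PASS"
}

# A .p12 is DER-encoded ASN.1, not PEM. Handing it to a PEM reader fails the
# way curl did above, because curl's --cert defaults to PEM.
pem_reader_fails() {
  ! openssl x509 -in "$WORK/restapi.p12" -noout 2>/dev/null
}

# Parse it as what it is, with the export password, and it verifies.
p12_is_valid() {
  openssl pkcs12 -in "$WORK/restapi.p12" -passin "pass:$PASS" -noout 2>/dev/null
}

# The answer's point: a client store is only useful if the private key is in
# it. Extract the key part and check that one is present.
p12_has_private_key() {
  openssl pkcs12 -in "$WORK/restapi.p12" -passin "pass:$PASS" \
      -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# curl options that match the file: declare the type, give the password after
# the colon, and trust the self-signed server cert explicitly.
curl_args() {
  printf '%s' "--cert-type P12 --cert $WORK/restapi.p12:$PASS --cacert $WORK/restapi.cert"
}

# Run the whole flow when invoked directly:  ./p12_client.sh run
if [ "${1:-}" = "run" ]; then
  make_bundle
  pem_reader_fails && echo "PEM reader rejected restapi.p12 (curl's default)"
  p12_is_valid && echo "PKCS#12 parses with the export password"
  p12_has_private_key && echo "bundle contains the private key"
  echo "curl $(curl_args) https://localhost:8443/restapi/health"
fi
```

`curl_args` only prints the options; run them against the Tomcat from the question with `curl $(curl_args) https://localhost:8443/restapi/health`. Two caveats the curl flags do not address: `--cacert restapi.cert` works only because the certificate is self-signed and so acts as its own trust anchor, and with `clientAuth="true"` Tomcat also has to trust the client certificate through its `truststoreFile`, which the question's Connector does not configure.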