Ssl – Tomcat fails to find a key entry in keystore

Tags: https, ssl, tomcat

I am installing a SSL cert in my Tomcat server, but it fails to find the key entry in my keystore file.

If I don't specify keyAlias="mykey" it shows me the following error message:

javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

As I saw on Tomcat Documentation http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Troubleshooting it tells me to specify the keyAlias.

However, when I do it, I get the following error message:

java.io.IOException: Alias name mykey does not identify a key entry

And if I run keytool -list -keystore .keystore -v, I get three key entries, two from the cert company and the last one:

Alias name: mykey
Creation date: Dec 17, 2011
Entry type: trustedCertEntry

That is, the key entry is there, but Tomcat can't find it. The keystoreFile is correctly set to the keystore file.

What can it be?

Best Answer

For anyone else who stumbles upon this: The key (pun not intended) is to import your certificate using the same alias as the one you used to originally create the keystore (along with its private key) when you ran 'keytool -genkey -alias myalias ...' -- this is how Tomcat ties the private key with your new certificate when it is imported.

Basically, like other commenters said, in the end your own cert should NOT show as a "trustedCertEntry" in a 'keytool -list' -- it needs to be a "PrivateKeyEntry"; see the example below:

keytool -list -keystore sample.keystore

Your keystore contains 1 entry
example, Aug 28, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 12:E0:20:64:92:8A(...)

You can find out the original alias by running 'keytool -list', and looking for the PrivateKeyEntry entry. If all goes well when you import your new CA-provided cert (i.e., you use the same alias and your keys match), the new cert will be automagically absorbed into the PrivateKeyEntry. This is the alias you'll need to refer to in Tomcat's server.xml file.
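As an added check (example code, not from the question or the answer above), the script below parses `keytool -list` output, both the verbose form shown in the question and the short form shown in the answer, and reports whether the alias you would put in Tomcat's keyAlias is actually a key entry rather than a trustedCertEntry. The two sample listings are constructed to mirror the thread, not taken from a real keystore.

```python
import re
from typing import Dict, Optional

# Constructed `keytool -list -v` output (not from a real keystore), mirroring the question:
# a CA cert plus the server cert imported as a bare certificate under "mykey".
SAMPLE_VERBOSE = """\
Your keystore contains 2 entries

Alias name: rootca
Creation date: Dec 17, 2011
Entry type: trustedCertEntry

Alias name: mykey
Creation date: Dec 17, 2011
Entry type: trustedCertEntry
"""

# Constructed non-verbose listing in the shape the accepted answer shows (healthy case).
SAMPLE_SHORT = """\
Your keystore contains 1 entry
example, Aug 28, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 12:E0:20:64:92:8A:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE
"""

KEY_ENTRY_TYPES = {"PrivateKeyEntry", "keyEntry"}  # older keytool versions print "keyEntry"

def parse_keytool_list(output: str) -> Dict[str, str]:
    """Map alias -> entry type from `keytool -list` output, verbose (-v) or not."""
    entries: Dict[str, str] = {}
    current = None
    for line in output.splitlines():
        if m := re.match(r"Alias name:\s*(.+?)\s*$", line):             # verbose: alias ...
            current = m.group(1)
        elif (m := re.match(r"Entry type:\s*(\S+)", line)) and current:  # ... then its type
            entries[current], current = m.group(1), None
        elif m := re.match(r"^(.+?),\s.*,\s*(\w+Entry),\s*$", line):     # short: "alias, date, Type,"
            entries[m.group(1)] = m.group(2)
    return entries

def check_key_alias(entries: Dict[str, str], key_alias: Optional[str]) -> str:
    """What Tomcat needs: keyAlias (or, if unset, some alias) must be a key entry, not a trustedCertEntry."""
    if key_alias is None:
        return "ok" if any(t in KEY_ENTRY_TYPES for t in entries.values()) \
            else "no key entry: only trusted certificates were imported"
    if key_alias not in entries:
        return f"alias {key_alias!r} not found"
    if entries[key_alias] not in KEY_ENTRY_TYPES:
        return (f"alias {key_alias!r} is a {entries[key_alias]}, not a key entry: "
                "re-import the CA-issued cert under the alias used with keytool -genkey")
    return "ok"
```

Feed it the real output of `keytool -list -keystore .keystore -v` and the alias from server.xml; a "not a key entry" verdict is exactly the situation in the question, and the fix is the re-import described in the answer.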