TOMCAT SSL Error: Alias name does not identify a key entry

tomcat ssl keytool
udeleng picture udeleng · Jan 10, 2012 · Viewed 67.2k times · Source

I am trying to configure Tomcat 6 using SSL with a certificate provided to us (by someone). My SSL experience only spans a few days, but I still have to configure the darn thing.

I was provided a certificate (downloaded from IE) in DER format.

Next I created a keystore:

keytool -import -alias btIEgen -file MyCompany.der -keystore b2b.keystore

Say I used "password" for password

I configured this in Tomcat's server.xml in the SSL section:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="webapps/b2b.keystore" keystorePass="password" keyAlias="btIEgen" 
    clientAuth="false" sslProtocol="TLS" />

Upon starting Tomcat I get the darn error.

I then did a keytool -list on b2b.keystore, and noticed that the alias is in all lowercase, so after updating server.xml and restarting, I still get the same error, but for the lower case alias.

Then I though that perhaps I need a root CA. So I recreated the b2b.keystore as follows:

keytool -import -alias root -file myCA.cer -keystore b2b.keystore

Then I re-executed my keytool command against MyCompany.der

But I still get the same error, that the alias does not identify a key entry.

I am wondering if I am making some fundamental error in configuring tomcat, or should this thing be working and I'm just making a stupid careless mistake?

Any guidance would be greatly appreciated.

Answer

Bruno picture Bruno · Jan 10, 2012

What Tomcat needs is the certificate and its private key. The certificate is public information that any of your user can see, but the private key should be yours only: this is what prevents others from running a website with your certificate. By importing MyCompany.der, you're only importing the certificate.

You would need to find where you private key is first. (Normally, even the person who issued the certificate to you shouldn't know its private key.)

The private key may have been generated within your browser during the certificate application process. Try to see if you can export in .p12/.pfx (PKCS#12) format: this should bundle the private key too if it's there. If so, you should be able to use the resulting file as a keystore directly using the PKCS12 store type: keystoreFile="store.pfx" keystorePass="password" keystoreType="PKCS12" (you probably won't need a key alias, since there will only be one key entry).

Related questions

keytool error bash: keytool: command not found

I have tried to execute keytool from Java bin directory but I get an error with warning bash: keytool: command not found. root@xxxxxx]# keytool -genkey -alias mypassword -keyalg RSA bash: keytools: command not found

Read More
Tomcat Server/Client Self-Signed SSL Certificate

I have an Apache Tomcat 6.x server running with a self-signed SSL certificate. I want the client to present their own certificate to the server so I can authenticate them based on a database of users. I have it all …

Read More
Keytool keeps giving SHA256 sigalg instead of requested alg

I am using Keytool in java to generate a keystore/CSR to submit to a certificate Authority. My CA only supports MD5withRSA and SHA1withRSA Everytime I use keytool to create the keystore and export the CSR I am …

Read More