17

Wondering if someone can enlighten me on where I'm screwing this up! I have a keytool-created keystore, a primary, secondary and SSL cert from Thawte. I originally created the CSR with openssl, then using the process documented converted the private key to PKCS12 to import into the keystore.

I believe I have imported them all into the keystore OK (but obviously not!) but the error I'm getting from Tomcat is: 'java.io.IOException Alias name does not identify a key entry'

If I do a keytool -list -keystore keystore.ks this is what I get:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

    secondary, Jun 22, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
    tomcat, Jun 22, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): EA:D0:43:F8:7F:D5:1C:4A:BA:A7:F4:64:A9:6A:A1:B0
    primary, Jun 22, 2012, trustedCertEntry,
    Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A
    1, Jul 2, 2012, PrivateKeyEntry,
    Certificate fingerprint (MD5): EA:D0:43:F8:7F:D5:1C:4A:BA:A7:F4:64:A9:6A:A1:B0

I'm pretty sure my Tomcat server.xml is ok but here it is too for the https connector:

<Connector port="443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    maxHttpHeaderSize="8192"
    SSLEnabled="true"
    maxThreads="150"
    minSpareThreads="25"
    maxSpareThreads="75"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="100"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    URIEncoding="UTF-8"
    keystorePass="xxxxxx"
    keystoreFile="/keys/keystore.ks"
    keyAlias="tomcat"/>

Any ideas? This is the first time I've done this so maybe I've messed up something blindingly obvious?

The site works fine on port 80.

Would LOVE to hear some suggestions :)

Adam
G33kGrl

2 Answers

21

When you list aliases with keytool, the alias name is what's before the comma for each entry. Here, you have 4 entries: secondary, tomcat, primary and 1. Only alias 1 is for a private key.

(Note that you can use a PKCS#12 file directly using keystoreType="PKCS12" instead.)

Bruno
  • Ahh ok, I see what you mean. This is my first time doing SSL. You cannot have duplicate aliases in the keystore, so if 'tomcat' is the SSL cert provided by Thawte, what am I meant to name the private key that goes with it? And which one is the server.xml meant to point to? Thanks for your help, I have been pulling my hair out over this. – G33kGrl Jul 04 '12 at 06:03
  • Slight progress - set server.xml to use alias 1 (the private key) and now at least the connector opens that port correctly. However I'm getting a certificate error "the certificate is not trusted because no issuer chain was provided" ... the plot thickens... – G33kGrl Jul 04 '12 at 06:23
  • 2
    When you import a certificate, you should import it against the private key alias (that's already in the keystore), as described [here](http://stackoverflow.com/a/9300727/372643). This being said, it seems you already have a PKCS#12 file built with that cert, so you should be able to use it directly. It seems that you might not have built the PKCS#12 file together correctly (did you use the private key you use for the request?). Which instructions did you follow? – Bruno Jul 04 '12 at 10:14
  • 2
    OMG Bruno, I owe you a kidney or my first born or something! THANK YOU! I followed the instructions in your link and it's working. You're AWESOME!!!! – G33kGrl Jul 05 '12 at 05:31
  • Short and clean solution! Thanks Bruno – Rajesh Gheware May 10 '17 at 18:55
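Bruno's point, turned into a small check (an added example, not code from the question or the answer): it parses the `keytool -list` output quoted in the question and reports whether the `keyAlias` Tomcat is configured with identifies a PrivateKeyEntry, also noticing that the trusted cert under alias `tomcat` has the same fingerprint as the key entry `1`. The function names are my own.

```python
import re

# keytool -list output as quoted in the question above (indentation dropped).
KEYTOOL_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

secondary, Jun 22, 2012, trustedCertEntry,
Certificate fingerprint (MD5): EB:A3:71:66:38:5E:3E:F4:24:64:ED:97:52:E9:9F:1B
tomcat, Jun 22, 2012, trustedCertEntry,
Certificate fingerprint (MD5): EA:D0:43:F8:7F:D5:1C:4A:BA:A7:F4:64:A9:6A:A1:B0
primary, Jun 22, 2012, trustedCertEntry,
Certificate fingerprint (MD5): D6:6A:92:1C:83:BF:A2:AE:6F:99:5B:44:E7:C2:AB:2A
1, Jul 2, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): EA:D0:43:F8:7F:D5:1C:4A:BA:A7:F4:64:A9:6A:A1:B0
"""

# "<alias>, <date>, <entryType>," is the line shape keytool prints per entry.
ENTRY_RE = re.compile(r"^(?P<alias>[^,]+), (?P<date>.+?), (?P<type>\w+),\s*$")
FP_RE = re.compile(r"^Certificate fingerprint \((?P<algo>\w+)\): (?P<fp>[0-9A-F:]+)$")

def parse_keytool_listing(text):
    """Return {alias: {"type": entry type, "fingerprint": fp}} from keytool -list output."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if m:  # the alias is everything before the first comma
            current = m.group("alias")
            entries[current] = {"type": m.group("type"), "fingerprint": None}
            continue
        m = FP_RE.match(line)
        if m and current is not None:  # fingerprint line belongs to the entry above it
            entries[current]["fingerprint"] = m.group("fp")
    return entries

def check_key_alias(entries, key_alias):
    """Explain whether Tomcat's keyAlias would identify a key entry (hypothetical helper)."""
    if key_alias not in entries:
        return f"alias '{key_alias}' not found in keystore"
    entry = entries[key_alias]
    if entry["type"] == "PrivateKeyEntry":
        return f"alias '{key_alias}' is a PrivateKeyEntry; usable as keyAlias"
    # A trustedCertEntry with the same fingerprint as a key entry is the server cert
    # imported under the wrong alias; point keyAlias at the key entry instead.
    same_fp = [a for a, e in entries.items()
               if e["type"] == "PrivateKeyEntry" and e["fingerprint"] == entry["fingerprint"]]
    hint = f"; the same certificate is held by key entry {same_fp[0]!r}, use that alias" if same_fp else ""
    return f"alias '{key_alias}' is a {entry['type']}, not a key entry{hint}"
```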
-1

I found this page particularly useful. My situation was from a GeoTrust cert delivered by domain.com where I only had two files: a text-based cert (x509) and a text-based private key. These instructions and the converter class file worked like a charm.

Reece