
I have the following files that were generated by Sectigo:

  1. XXX1.pem
  2. XXX1.key
  3. XXX1.csr
  4. XXX1.crt
  5. XXX1.ca

I am using Zulu JDK 11.0.8 and SpringBoot 2.2.0 on Windows. What I am trying to do is to enable HTTPS in a SpringBoot app.

These are the SSL properties in the SpringBoot properties file:

server.ssl.key-store-type=JKS
server.ssl.key-store=XX1.jks
server.ssl.key-store-password=password
server.ssl.key-alias=tomcat

I generated a keystore using the following command:

keytool -import -alias tomcat -file XXX1.crt -keystore XX1.jks -storepass password

When running the app I am getting the following error message:

Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1008) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    ... 17 common frames omitted
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    ... 19 common frames omitted
Caused by: java.io.IOException: jsse.alias_no_key_entry
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:328) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    ... 25 common frames omitted

Any idea what I did wrong?

Thank you

angus

1 Answer


TL;DR: you need the private key

Although we often talk loosely about an SSL/TLS server having or using 'a certificate', in fact it needs not just a certificate but the associated private key (always) and any associated intermediate aka 'chain' CA cert(s) (usually, but can depend on the CA and/or clients). keytool -import is an alias for -importcert which imports only a certificate or chain; this either adds a cert/chain to a preexisting PrivateKeyEntry, or creates a trustedCertEntry. In your case your keystore did not already contain the private key, so keytool created a trustedCertEntry, which is why Tomcat complains that the configured alias is 'no_key_entry' -- i.e. it is a trustedCertEntry, which is inadequate, unusable, and wrong, not a PrivateKeyEntry as is needed and required.

Search for 'convert PEM to Java keystore' or 'convert PEM to JKS' (and possibly 'convert PEM to PKCS12' also) and you will find hundreds of Questions asked over the past decade, with about as many variations of the two real Answers:

  1. If you have or get OpenSSL, use openssl pkcs12 -export to combine the certificate, private key, and chain (CA) PEM-format files into a PKCS12-format file. Modern Java (since 2017) can always use PKCS12 directly as a keystore; older versions sometimes could do this but sometimes required you to convert the PKCS12 to JKS with keytool -importkeystore (not -import[cert]) and older Answers reflect that former requirement. If necessary you could move or copy the PEM-format files to another machine that is sufficiently secure and has OpenSSL and then move or copy the PKCS12 back.

    OpenSSL comes standard on nearly all Linuxes and many other Unixes, but not Windows. You can get it for Windows from several sources of which I consider http://slproweb.com/products/Win32OpenSSL.html the best-maintained.

  2. Download and use KeyStore Explorer.

dave_thompson_085
  • Thank you very much for your detailed answer. Can you please elaborate a bit more regarding option 2? How do I use the tool? Thank you – angus Sep 02 '20 at 14:29
  • I also tried to use OpenSSL but am getting the following error message: pkcs12 -inkey XXX1.pem -in XXX1.crt -export -out XXX1.p12 unable to load private key 2852:error:0909006C:PEM routines:get_name:no start line:crypto\pem\pem_lib.c:745:Expecting: ANY PRIVATE KEY – angus Sep 02 '20 at 14:47
  • Look at the XXX1.pem file with any text editor or display tool: is it actually in PEM format [as described in wikipedia](https://en.wikipedia.org/wiki/Privacy-Enhanced_Mail) and if so what is the 'label' in the dashed BEGIN and END lines? Has this file been edited on Windows using what Windows calls Unicode format (which forces BOM even on UTF-8)? – dave_thompson_085 Sep 03 '20 at 03:15
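As an added example (not code from the question or the answer), here is option 1 of the answer carried through end to end: build the PKCS12 store with openssl pkcs12 -export and then check that the alias really holds a private key, which is exactly what the keytool -import in the question failed to produce. It assumes a local openssl binary (keytool is optional), reuses the question's file names, alias and password, and constructs a throwaway CA and server certificate to stand in for the Sectigo-issued files.

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Builds the PKCS12
# keystore the answer recommends and checks that the alias really is a key entry.
# File names XXX1.key/.csr/.crt/.ca, the store name XX1, the alias "tomcat" and the
# password "password" come from the question; the stand-in CA and server cert
# created below are constructed here so the script runs without the Sectigo files.
WORK="${WORK:-$(mktemp -d)}"

# Constructed stand-in for the Sectigo files: a throwaway CA signs a server cert.
# With real files, skip this and drop XXX1.key/.crt/.ca into $WORK instead.
make_stand_in_files() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=stand-in CA" \
    -keyout "$WORK/ca.key" -out "$WORK/XXX1.ca" >/dev/null 2>&1 &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout "$WORK/XXX1.key" -out "$WORK/XXX1.csr" >/dev/null 2>&1 &&
  openssl x509 -req -days 1 -in "$WORK/XXX1.csr" -CA "$WORK/XXX1.ca" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/XXX1.crt" >/dev/null 2>&1
}

# The fix from the answer: private key + leaf cert + chain go into ONE entry named
# "tomcat". keytool -import(cert) alone can never do this, hence jsse.alias_no_key_entry.
build_pkcs12() {
  openssl pkcs12 -export -name tomcat -passout pass:password \
    -inkey "$WORK/XXX1.key" -in "$WORK/XXX1.crt" -certfile "$WORK/XXX1.ca" \
    -out "$WORK/XX1.p12"
}

# Succeeds only if the store carries a private key, i.e. what Tomcat will treat
# as a PrivateKeyEntry rather than a trustedCertEntry.
has_private_key() {
  openssl pkcs12 -in "$WORK/XX1.p12" -passin pass:password -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# The same check as the JDK sees it, when keytool is on the PATH; prints e.g.
# "tomcat, <date>, PrivateKeyEntry," (a bare cert import would show trustedCertEntry).
keytool_entry_type() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not installed, skipping"; return 0; }
  keytool -list -keystore "$WORK/XX1.p12" -storetype PKCS12 -storepass password -alias tomcat
}

# Matching Spring Boot properties (PKCS12 instead of the JKS lines in the question).
spring_properties() {
  printf '%s\n' "server.ssl.key-store-type=PKCS12" "server.ssl.key-store=$WORK/XX1.p12" \
    "server.ssl.key-store-password=password" "server.ssl.key-alias=tomcat"
}

make_stand_in_files && build_pkcs12 && has_private_key && keytool_entry_type && spring_properties
```

On Windows, run this from Git Bash or WSL with the Win32 OpenSSL build the answer links to; if an older JDK rejects the store's default encryption, OpenSSL 3 can re-export it with its -legacy option.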