
I developed an application and I uploaded it to my domain. The host provides me a wildcard certificate to use, so I tried to add it into my application. I don't know if I am doing the right steps or what.

So, this is what I did:

  • I downloaded the certificate (last.cer)
  • I created a keystore from that certificate:


  • That created last.p12, which I put into resources/keystore/

This is my configuration:


The key-password is the one I put in the host provider in order to download the certificate.

I also added the ServletWebServerFactory.

When I start up the application, I get this:

Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038) ~[tomcat-embed-core-9.0.31.jar:9.0.31]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.31.jar:9.0.31]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.31.jar:9.0.31]
    ... 17 common frames omitted
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry

But the alias is "carlos" in both places.

Carlos López Marí

1 Answer


You need the private key. (but not a biscuit :)

Mostly dupe How to resolve : jno_key_entry and How to resolve : java.io.IOException: jsse.alias_no_key_entry except you don't admit to having the privatekey.

If the host 'provides' the cert in response to your request -- especially if you created the Certificate Signing Request (CSR) -- then you must have the privatekey; use it. If the 'host', or possibly the CA, or somebody else created this identity for you, get the privatekey from them. Depending on the form you have or get, the method to use it may vary some.


Also, writing/modifying files under Program Files (x86) on Windows is a bad idea. These changes may fail outright or disappear. Microsoft has officially stated since the 1990s that files in the %PROGRAMFILES*% directory(ies) should not be modified and data should go under (the places now known as) %PROGRAMDATA% %USERPROFILE% or %ALLUSERSPROFILE% as applicable. Viruses and malware often work by illegitimately modifying %PROGRAMFILES*%, so recentish versions of Windows -- at least 8 and 10 and the Server versions, I don't recall about 7 for sure -- as well as antivirus and other security products have gotten more aggressive about prohibiting or discarding attempts to change these files. Since you actually want this file elsewhere anyway -- in your server application directory (or jar? you're not clear) -- just write it there to start with.

dave_thompson_085
  • Ok, I just tried that but I have the same problem... https://stackoverflow.com/questions/63826472/key-missing-on-keystore-even-if-created-it-using-inkey – Carlos López Marí Sep 10 '20 at 09:12
  • You've deleted the other question, but the key icon in the K column means the P12 DOES contain a key (_and_ cert, combined into one entry, which is how Java treats it). Yes `openssl pkcs12 -export` sets the 'friendlyname', which becomes the alias in Java, to `1` by default; to change it use `-name whatever` on the export, or rename it in Java with `keytool -changealias`, or I'm pretty sure you can do this in KeystoreExplorer. – dave_thompson_085 Sep 11 '20 at 06:28
  • :085 you are so right, that was the problem! I noticed that alias detail and closed the question. – Carlos López Marí Sep 11 '20 at 09:07
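
An added example (not part of the original question, answer or comments) that reproduces the two cases discussed in this thread with `openssl`: a PKCS#12 file built from the certificate alone, and one built with the private key and an explicit `-name`, then checks each for a private key and a friendlyName. The key, certificate, password `changeit` and `*.example.test` subject are constructed for the demo; the file names `last.cer`/`last.p12` and the alias `carlos` are taken from the question.

```shell
#!/usr/bin/env bash
# Added example: key, certificate and password below are constructed.
set -eu

PASS=changeit   # constructed keystore password

# Create a throwaway private key and self-signed wildcard certificate.
make_identity() {  # $1 = working directory
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=*.example.test" \
    -keyout "$1/last.key" -out "$1/last.cer" 2>/dev/null
}

# Certificate only: the result when the private key is left out.
export_cert_only() {  # $1 = working directory
  openssl pkcs12 -export -nokeys -in "$1/last.cer" \
    -out "$1/certonly.p12" -passout "pass:$PASS"
}

# Key + certificate in one entry, with an explicit friendlyName (Java alias).
export_with_key() {  # $1 = working directory, $2 = alias
  openssl pkcs12 -export -inkey "$1/last.key" -in "$1/last.cer" \
    -name "$2" -out "$1/last.p12" -passout "pass:$PASS"
}

# Succeeds only if the PKCS#12 file contains a private key.
p12_has_key() {  # $1 = .p12 file
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
    | grep -q "PRIVATE KEY"
}

# Prints the friendlyName stored in the file (empty if none is set).
p12_alias() {  # $1 = .p12 file
  openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

demo() {
  dir=$(mktemp -d)
  make_identity "$dir"
  export_cert_only "$dir"
  export_with_key "$dir" carlos
  for f in "$dir/certonly.p12" "$dir/last.p12"; do
    if p12_has_key "$f"; then k=yes; else k=no; fi
    echo "$(basename "$f"): private key=$k alias=$(p12_alias "$f")"
  done
  rm -rf "$dir"
}
demo
```

Only the file that reports a private key under the configured alias can back a TLS connector; the certificate-only file is the case that produces `jsse.alias_no_key_entry`.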