4

I have a .crt file to update the server that's running Tomcat 5.5. If I run:

keytool -import -alias tomcat -keystore tomcat.ks -trustcacerts -file website.net.crt

I get the following error:

keytool error: gnu.javax.crypto.keyring.MalformedKeyringException: incorrect magic

BTW, the default password for the keystore file is changeit and I am not sure why it's not accepting it.

mgorven
  • 30,615
  • 7
  • 79
  • 122
  • Check out: http://serverfault.com/questions/144831/setting-up-ssl-on-glassfish-v2-or-v3/144837#144837 – Warner Jul 19 '10 at 18:37

5 Answers

3

We had the same issue with our ssl.com certificate, but the support guys there were very helpful and told us basically there were multiple versions of Java on our server and that we needed to explicitly invoke the keytool app from the version we are working with to avoid conflicts. For example, on our server:

instead of

keytool -import -alias tomcat -keystore tomcat.ks -trustcacerts -file website.net.crt

we would use

/usr/local/jdk/keytool -import -alias tomcat -keystore tomcat.ks -trustcacerts -file website.net.crt
Colt Blake
  • 81
  • 1
  • 3
0

I think it's saying that your keystore is messed up. Can you do anything with the keystore to see if it's bad?

Bill Weiss
  • 10,979
  • 3
  • 38
  • 66
  • I tried importing the root certificate and new certificate to a new local keystore by running: keytool -import -alias root -keystore tomcat.ks -trustcacerts -file gd_intermediate.crt and keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file website.net.crt. I shut down and started up the Tomcat server and the site at https:// can't be displayed, so I have to restore the old keystore file to get it up and running again, but it needs to be renewed for SSL. Please advise –  Jul 19 '10 at 18:31
  • The logs say SEVERE: Catalina.start: LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: Invalid keystore format at org.apache.catalina.connector.Connector.start(Connector.java:1097) –  Jul 19 '10 at 18:36
0

Your keystore needs to have more than just your own certificate info; it also needs to have the certs chaining back to your Certificate Authority (CA). For mine, I end up with four entries in my keystore, only one of which is specific to me. I just did this for my GoDaddy certificate; these are the commands I entered:

>keytool -import -alias root -keystore tomcat.sat.keystore -trustcacerts -file valicert_class2_root.crt 

Enter keystore password: PASSWORD 

Certificate already exists in system-wide CA keystore under alias <valicertclass2ca> Do you still want to add it to your own keystore? [no]: yes 

Certificate was added to keystore 

>keytool -import -alias cross -keystore tomcat.sat.keystore -trustcacerts -file gd_cross_intermediate.crt 

Enter keystore password: PASSWORD 

Certificate was added to keystore 

>keytool -import -alias intermed -keystore tomcat.sat.keystore -trustcacerts -file gd_intermediate.crt 

Enter keystore password: PASSWORD 

Certificate was added to keystore  

>keytool -import -alias tomcat -keystore tomcat.sat.keystore -trustcacerts -file loxpress.com.crt 

Enter keystore password: PASSWORD

Certificate reply was installed in keystore  
ep4169
  • 157
  • 2
  • 4
  • 9
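Before running any of the imports above it helps to confirm what the file you pass as -keystore actually is: keytool's "incorrect magic" and Tomcat's "Invalid keystore format" both mean the leading bytes are not a keystore header. The script below is an added example, not code from the question or any answer; it sniffs the format from the first bytes of a file (JKS and JCEKS carry a fixed 4-byte magic, PKCS#12 is DER, PEM is text) and reads the JKS entry count, so you can check for the four chain entries ep4169 describes. The sample inputs are constructed in the script.

```python
import struct
import sys

# JKS and JCEKS keystores start with a 4-byte big-endian magic number,
# followed by a 4-byte version and a 4-byte entry count.
JKS_MAGIC = 0xFEEDFEED
JCEKS_MAGIC = 0xCECECECE


def sniff_keystore(data: bytes) -> str:
    """Classify a file's container format from its leading bytes.

    Returns 'jks', 'jceks', 'pkcs12', 'pem' or 'unknown'. Passing a 'pem'
    or 'unknown' file as -keystore is what triggers keytool's
    "incorrect magic" / "Invalid keystore format" errors.
    """
    if len(data) < 4:
        return "unknown"
    if data.lstrip().startswith(b"-----BEGIN "):
        return "pem"  # a .crt in PEM form, not a keystore
    (magic,) = struct.unpack(">I", data[:4])
    if magic == JKS_MAGIC:
        return "jks"
    if magic == JCEKS_MAGIC:
        return "jceks"
    if data[0] == 0x30:  # DER SEQUENCE tag: PKCS#12 (or a DER .crt)
        return "pkcs12"
    return "unknown"


def jks_header(data: bytes):
    """Return (version, entry_count) for a JKS/JCEKS file, else None."""
    if len(data) < 12:
        return None
    magic, version, count = struct.unpack(">III", data[:12])
    if magic not in (JKS_MAGIC, JCEKS_MAGIC):
        return None
    return version, count


# Constructed sample inputs (headers only; not real keystores).
SAMPLE_JKS = struct.pack(">III", JKS_MAGIC, 2, 4) + b"\x00" * 8
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 8

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            blob = fh.read(64)
        print(path, sniff_keystore(blob), jks_header(blob))
```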
0

You might want to get your keystore in order first. Keytool can be painful to use.

Check out http://portecle.sourceforge.net/ and see if that helps.

Brennan
  • 1,398
  • 6
  • 18
0

I think you're running the wrong keytool. The one that comes with the JDK doesn't use that class. Do you have GNU Classpath installed? If so, remove it. It isn't Java, just a poor and very partial imitation. And then repeat everything, using the original keystore. Anything that was created by the wrong keytool should be thrown away.

user207421
  • 1,010
  • 6
  • 16