
I am installing an SSL cert in my Tomcat server, but it fails to find the key entry in my keystore file.

If I don't specify keyAlias="mykey" it shows me the following error message:

javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

As I saw in the Tomcat documentation http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Troubleshooting, it tells me to specify the keyAlias.

However, when I do it, I get the following error message:

java.io.IOException: Alias name mykey does not identify a key entry

And if I run keytool -list -keystore .keystore -v, I get three key entries, two from the cert company and the last one:

Alias name: mykey
Creation date: Dec 17, 2011
Entry type: trustedCertEntry

That is, the key entry is there, but Tomcat can't find it. The keystoreFile is correctly set to the keystore file.

What can it be?

João Daniel
  • Try perhaps to specify the absolute path to your keystore file in the `keystoreFile` connector attribute, if it's not already the case. – Bruno Dec 17 '11 at 17:21
  • I have tried both absolute and relative path already without success. – João Daniel Dec 18 '11 at 06:30
  • 1
    How did you import the key? It looks like `mykey` is just a certificate, not a certificate + private key, which is what you'd need. – Bruno Dec 18 '11 at 17:03
  • I followed the instructions from the company who sold the certificate. I received a zip file with three certificate files: a root file, an intermediate file and my domain certificate. Then I added those three certificates to the keystore file. I'll try those steps again. – João Daniel Dec 18 '11 at 18:53
  • 1
    @Bruno it seems you're right. `mykey` shouldn't be a `trustedCertEntry`. Thanks! – João Daniel Dec 18 '11 at 19:04
  • You should re-add it to the keystore with which you created the certificate request, since it will contain the matching private key. – Bruno Dec 18 '11 at 19:20
  • Hi @Joāo, can you please explain your solution i.e. how the private key will be added with trustedCertEntry and where that private key comes from? – Toseef Zafar Nov 30 '18 at 17:01

1 Answer


For anyone else who stumbles upon this: The key (pun not intended) is to import your certificate using the same alias as the one you used to originally create the keystore (along with its private key) when you ran 'keytool -genkey -alias myalias ...' -- this is how Tomcat ties the private key with your new certificate when it is imported.

Basically, like other commenters said, in the end your own cert should NOT show as a "trustedCertEntry" in a 'keytool -list' -- it needs to be a "PrivateKeyEntry", see the example below:

keytool -list -keystore sample.keystore

Your keystore contains 1 entry
example, Aug 28, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 12:E0:20:64:92:8A(...)

You can find out the original alias by running 'keytool -list', and looking for the PrivateKeyEntry entry. If all goes well when you import your new CA-provided cert (i.e., you use the same alias and your keys match), the new cert will be automagically absorbed into the PrivateKeyEntry. This is the alias you'll need to refer to in Tomcat's server.xml file.

Saul
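The procedure from the answer, run end to end against a throwaway local CA so that both outcomes can be seen side by side: the asker's mistake (importing the signed cert under a fresh alias, which produces a trustedCertEntry) and the fix (importing it under the key pair's own alias, which attaches it to the PrivateKeyEntry). This is an added example, not code from the original post or from the Tomcat/keytool documentation; it assumes a JDK keytool on PATH, and the aliases tomcat, ca, root and mykey, the password changeit and the "Test CA" name are constructed for the demo.

```shell
# Added example (not from the original post): reproduce the asker's mistake and the
# answer's fix with a local throwaway CA. Assumes a JDK keytool on PATH; all names,
# aliases and the password below are constructed for this demo.
set -eu
PASS=changeit   # demo password, constructed

# Build server.jks: a private key, a CA-signed cert imported the wrong way (new alias
# "mykey") and the right way (the key's own alias "tomcat"). Arg: working directory.
build_keystore() {
    dir=$1
    # 1. The server key pair. Its alias is the one server.xml must reference.
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=www.example.test" -keystore "$dir/server.jks" \
        -storepass "$PASS" -keypass "$PASS"
    # 2. A throwaway CA standing in for the commercial issuer.
    keytool -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Test CA" -ext bc=ca:true -keystore "$dir/ca.jks" \
        -storepass "$PASS" -keypass "$PASS"
    # 3. CSR from the server key, signed by the CA (what the vendor does with your request).
    keytool -certreq -alias tomcat -keystore "$dir/server.jks" -storepass "$PASS" \
        -file "$dir/server.csr"
    keytool -gencert -alias ca -keystore "$dir/ca.jks" -storepass "$PASS" -keypass "$PASS" \
        -infile "$dir/server.csr" -outfile "$dir/server.cer" -rfc -validity 365
    keytool -exportcert -alias ca -keystore "$dir/ca.jks" -storepass "$PASS" \
        -rfc -file "$dir/ca.cer"
    # 4. Issuer cert first, as a trustedCertEntry, so the reply's chain can be verified.
    keytool -importcert -alias root -file "$dir/ca.cer" -keystore "$dir/server.jks" \
        -storepass "$PASS" -noprompt
    # 5. WRONG: a fresh alias makes keytool store the server cert as a trustedCertEntry
    #    (the asker's "mykey"); Tomcat rejects it with "does not identify a key entry".
    keytool -importcert -alias mykey -file "$dir/server.cer" -keystore "$dir/server.jks" \
        -storepass "$PASS" -noprompt
    # 6. RIGHT: the key's own alias makes keytool treat the file as a certificate reply
    #    and attach it to the existing PrivateKeyEntry.
    keytool -importcert -alias tomcat -file "$dir/server.cer" -keystore "$dir/server.jks" \
        -storepass "$PASS" -noprompt
}

# Print the entry type that "keytool -list" reports for an alias (e.g. PrivateKeyEntry).
entry_type() {
    keytool -list -keystore "$1" -storepass "$PASS" 2>/dev/null \
        | sed -n "s/^$2, .*, \([A-Za-z]*\),\$/\1/p"
}

if [ "${1:-}" = run ]; then
    d=$(mktemp -d); build_keystore "$d" >/dev/null
    echo "mykey : $(entry_type "$d/server.jks" mykey)"    # trustedCertEntry
    echo "tomcat: $(entry_type "$d/server.jks" tomcat)"   # PrivateKeyEntry
fi
```

Run it with `sh demo.sh run`; the alias reported as PrivateKeyEntry is the value to put in keyAlias in server.xml.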