36

I am trying to configure Tomcat 6 using SSL with a certificate provided to us (by someone). My SSL experience only spans a few days, but I still have to configure the darn thing.

I was provided a certificate (downloaded from IE) in DER format.

Next I created a keystore:

keytool -import -alias btIEgen -file MyCompany.der -keystore b2b.keystore

Say I used "password" for password

I configured this in Tomcat's server.xml in the SSL section:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    maxThreads="150" scheme="https" secure="true"
    keystoreFile="webapps/b2b.keystore" keystorePass="password" keyAlias="btIEgen" 
    clientAuth="false" sslProtocol="TLS" />

Upon starting Tomcat I get the darn error.

I then did a keytool -list on b2b.keystore, and noticed that the alias is in all lowercase, so after updating server.xml and restarting, I still get the same error, but for the lower case alias.

Then I though that perhaps I need a root CA. So I recreated the b2b.keystore as follows:

keytool -import -alias root -file myCA.cer -keystore b2b.keystore

Then I re-executed my keytool command against MyCompany.der

But I still get the same error, that the alias does not identify a key entry.

I am wondering if I am making some fundamental error in configuring tomcat, or should this thing be working and I'm just making a stupid careless mistake?

Any guidance would be greatly appreciated.

Donal Fellows
  • 133,037
  • 18
  • 149
  • 215
udeleng
  • 866
  • 2
  • 14
  • 20

3 Answers3

49

What Tomcat needs is the certificate and its private key. The certificate is public information that any of your user can see, but the private key should be yours only: this is what prevents others from running a website with your certificate. By importing MyCompany.der, you're only importing the certificate.

You would need to find where you private key is first. (Normally, even the person who issued the certificate to you shouldn't know its private key.)

The private key may have been generated within your browser during the certificate application process. Try to see if you can export in .p12/.pfx (PKCS#12) format: this should bundle the private key too if it's there. If so, you should be able to use the resulting file as a keystore directly using the PKCS12 store type: keystoreFile="store.pfx" keystorePass="password" keystoreType="PKCS12" (you probably won't need a key alias, since there will only be one key entry).

Bruno
  • 119,590
  • 31
  • 270
  • 376
  • Worked like a charm! I copied the certificate into the TOMCAT_HOME directory and modified server.xml as follows: – udeleng Jan 10 '12 at 12:40
  • 2
    Thanks man, had the same problem. The .pfx certificate changed it all :-) – Tony Aug 28 '12 at 15:15
  • 5
    Removing the keyAlias line was the solution for me. The person in charge of our certs did not specify an alias for the key-cert pair as was done in the past. – Banjer Apr 01 '13 at 16:26
  • 3
    Many sites are introducing the approach of importing .cer files into site keystore, in this case, where is the private key stored? Isn't that already in the site keystore file when you created .csr for the first time? – Kevin Nov 19 '13 at 03:41
  • Saved my bacon! Thankyou :) – simon Jul 01 '16 at 11:53
  • 3
    I have to add keyAlias="1" to make tomcat ignore it. Or it will keep looking for the alias named "tomcat". – Kimi Chiu Aug 05 '16 at 04:44
  • 1
    This can also be because certificate was imported into the keystore as a trusted certificate (trustedcertificate) and not as a reply to certificate request. In this case tomcat will generate such error as well. If cert can't be imported as a reply to CSR, then maybe it is caused by not importing intermediate and root certs before (keytool can't validate certificate authenticity)> Import intermediate and root certs before then import proper cert as a reply to csr. – Jarek Jóźwik May 28 '18 at 14:29
  • I have a slightly different question. How can I add a pfx to an existing jks keystore? When I do it like this: keytool -importkeystore -srckeystore mypfxfile.pfx -srcstoretype pkcs12 -destkeystore clientcert.jks -deststoretype JKS it doesn't work because the certificate then has a different password than the keystore. Somehow (how?) the password needs to be removed but I'm not sure what's the best practice and what's safe in such a scenario. – Thomas May 10 '22 at 13:54
0

Verify if the new/updated cert file (.cer and .csr) is available in the \lib\security folder, before restarting tomcat

Padmanjali AV
  • 1
-1

You did not add the alias to the key store. the default alias is 1 and you can change it by this command.

keytool -list -v -keystore cert.p12 -alias 1

cert.p12 is the path of the key store 1 is default and it prompts for key store password and new alias key.

hamidreza75
  • 567
  • 6
  • 15