Hi Chris,

Thanks for the help,

>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

> That last step should have been to import using the same alias as the first
> step. That will update the self-signed certificate with the CA-signed
> certificate.

I deleted the keystore and the certs and started over so there wouldn't be any garbage data in it. I followed all the same steps as before, but when I get to this one I used the command:

keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"

It returned the error:

keytool error: java.lang.Exception: Failed to establish chain from reply

>> Any help you can give me in resolving this error is greatly
>> appreciated.

> You should switch from JKS/JCEKS to PKCS12 keystores, since those
> Java-specific ones are being deprecated and (not quickly enough) dropped from
> Java.

Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, June 26, 2018 12:14 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:
>
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine, and I'm
> unable to start the SSL connector.
>
> My connector syntax is as follows:
>
> <Connector port="8080" protocol="HTTP/1.1"
>            connectionTimeout="20000" redirectPort="8443" />
> <Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="c:\tomcat8\meg.keystore"
>            keystorePass="keystorepass" keyAlias="meg" />
>
> To which I receive this error in Catalina.log:
>
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to
> initialize end point associated with ProtocolHandler
> ["https-openssl-nio-8443"] java.lang.IllegalArgumentException:
> java.io.IOException: Alias name meg does not identify a key entry
>
> However, meg is in my keystore:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> root, Jun 25, 2018, trustedCertEntry, Certificate fingerprint
> (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
> meg, Jun 25, 2018, trustedCertEntry, Certificate fingerprint
> (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:6F:24:D1:59

The error message is correct: your alias identifies a "trusted
certificate", not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry, Certificate fingerprint
> (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore
> c:\Tomcat8\meg.keystore
>
> keytool -certreq -keyalg RSA -alias tomcat -file
> c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
>
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509
> intermediates/root certificates.
>
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore
> -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
>
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the
first step. That will update the self-signed certificate with the
CA-signed certificate.

> Any help you can give me in resolving this error is greatly
> appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those
Java-specific ones are being deprecated and (not quickly enough) dropped
from Java.

Hope that helps.

-chris
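
An added example, not part of the thread and not Tomcat's or keytool's own code: a Python check that reads `keytool -list` output and a server.xml fragment and reports any TLS connector whose `keyAlias` names a `trustedCertEntry` rather than a `PrivateKeyEntry`, the mismatch diagnosed in the quoted reply. The sample listing and XML are reconstructed from the thread (fingerprint lines left out, a `<Service>` wrapper added), and the function names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: `keytool -list` output modelled on the listing in the
# thread, with the fingerprint lines left out.
KEYTOOL_LIST = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
meg, Jun 25, 2018, trustedCertEntry,
tomcat, Jun 25, 2018, PrivateKeyEntry,
"""

# Connectors from the thread; the <Service> wrapper is added so it parses alone.
SERVER_XML = r"""<Service>
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"
             redirectPort="8443" />
  <Connector port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
             secure="true" SSLEnabled="true"
             keystoreFile="c:\tomcat8\meg.keystore"
             keystorePass="keystorepass" keyAlias="meg" />
</Service>"""

ENTRY_RE = re.compile(r"^([^,\n]+), .+?, (\w+Entry),", re.M)

def parse_entries(listing):
    """Map lower-cased alias -> entry type from `keytool -list` output."""
    return {m.group(1).strip().lower(): m.group(2) for m in ENTRY_RE.finditer(listing)}

def check_connectors(server_xml, listing):
    """Return (port, keyAlias, problem, key_aliases) for each bad TLS connector."""
    entries = parse_entries(listing)
    key_aliases = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        alias = conn.get("keyAlias")
        if conn.get("SSLEnabled", "").lower() != "true" or alias is None:
            continue  # not TLS, or no explicit alias to validate
        kind = entries.get(alias.lower())  # JKS aliases are case-insensitive
        if kind != "PrivateKeyEntry":
            problem = f"is a {kind}, not a key entry" if kind else "not in keystore"
            findings.append((conn.get("port"), alias, problem, key_aliases))
    return findings

if __name__ == "__main__":
    for port, alias, problem, keys in check_connectors(SERVER_XML, KEYTOOL_LIST):
        print(f"port {port}: keyAlias={alias!r} {problem}; key entries: {keys}")
```

Against the sample it flags the 8443 connector and lists `tomcat` as the only alias that holds a private key.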