Discussion:
Alias name does not identify a key entry
Cybulski, Adam M
2018-06-26 15:03:13 UTC
Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine, and I'm unable to start the SSL connector.

My connector syntax is as follows:

<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />

<Connector port="8443"
protocol="HTTP/1.1"
maxThreads="150"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="c:\tomcat8\meg.keystore"
keystorePass="keystorepass"
keyAlias="meg" />

To which I receive this error in Catalina.log:

SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does not identify a key entry

However, meg is in my keystore:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:6F:24:D1:59
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:84:C8:16:82

I used these steps to manage the certs:

keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore

keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore

Sent CSR to InCommon CA, downloaded x509 certificate, and x509 intermediate/root certificates.

keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"

keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"

Any help you can give me in resolving this error is greatly appreciated.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-***@tomcat.apache.org
For additional commands, e-mail: users-***@tomcat.apache.org
Jose María Zaragoza
2018-06-26 15:55:47 UTC
On Tue., 26 Jun 2018 at 17:03, Cybulski, Adam M
Hi

I guess that the meg entry should be a PrivateKeyEntry (public
certificate + private key), not a trustedCertEntry.
I think that meg_library_albany_edu_cert.cer only contains a public certificate.

Honestly, I use openssl to create .p12 key stores.
Something like:

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 -name "meg" -CAfile MY-CA-CERT.crt -caname myCA -chain

Regards

Christopher Schultz
2018-06-26 16:14:13 UTC

Adam,
Post by Cybulski, Adam M
Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine, and I'm
unable to start the SSL connector.
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8443" /> <Connector
port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
secure="true" SSLEnabled="true"
keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass"
keyAlias="meg" />
SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to
initialize end point associated with ProtocolHandler
java.io.IOException: Alias name meg does not identify a key entry
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:6F:24:D1:59
The error message is correct: your alias identifies a "trusted
Post by Cybulski, Adam M
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:84:C8:16:82
^^^ This one.
Post by Cybulski, Adam M
keytool -genkey -alias tomcat -keyalg RSA -keystore
c:\Tomcat8\meg.keystore
keytool -certreq -keyalg RSA -alias tomcat -file
c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Sent CSR to InCommon CA, downloaded x509 certificate, and x509
intermediate/root certificates.
keytool -import -alias root -keystore c:\Tomcat8\meg.keystore
-trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
"C:\Tomcat8\meg_library_albany_edu_cert.cer"
That last step should have been to import using the same alias as the
first step. That will update the self-signed certificate with the
CA-signed certificate.
Post by Cybulski, Adam M
Any help you can give me in resolving this error is greatly
appreciated.
You should switch from JKS/JCEKS to PKCS12 keystores, since those
Java-specific ones are being deprecated and (not quickly enough)
dropped from Java.

Hope that helps.
-chris

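Chris's point is that Tomcat's keyAlias has to name a PrivateKeyEntry, and the only check the thread has for that is eyeballing keytool -list. The following is an added example, not code from the thread or from Tomcat: a stdlib-only Python reader/writer for the version-2 JKS format (magic, entries tagged 1 = private key or 2 = trusted certificate, and the password-keyed SHA-1 integrity trailer) that rebuilds the three entries Adam listed and applies the same "is this alias a key entry" test Tomcat performs at startup. The function names, the constructed keystore and the placeholder DER bytes are assumptions.

```python
import hashlib
import struct
import time

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY = 1   # listed by keytool as PrivateKeyEntry
TAG_TRUSTED_CERT = 2  # listed by keytool as trustedCertEntry
_INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash


def _utf(s):
    """Java DataOutputStream.writeUTF: 2-byte big-endian length, then UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _integrity_digest(body, password):
    """SHA-1 over UTF-16BE(password) + salt + whole file body, as Sun's JavaKeyStore does."""
    return hashlib.sha1(password.encode("utf-16-be") + _INTEGRITY_SALT + body).digest()


def write_jks(entries, password):
    """Serialise (alias, tag, cert_chain, encrypted_key) tuples as a version-2 JKS file.
    Blobs are stored verbatim (no key encryption): the entry-type check never opens the key."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for alias, tag, chain, enc_key in entries:
        # JKS aliases are case-insensitive; Java lower-cases them when storing.
        body += struct.pack(">I", tag) + _utf(alias.lower())
        body += struct.pack(">q", int(time.time() * 1000))  # creation time, ms since epoch
        if tag == TAG_PRIVATE_KEY:
            body += struct.pack(">I", len(enc_key)) + enc_key + struct.pack(">I", len(chain))
            for cert in chain:
                body += _utf("X.509") + struct.pack(">I", len(cert)) + cert
        elif tag == TAG_TRUSTED_CERT:
            body += _utf("X.509") + struct.pack(">I", len(chain[0])) + chain[0]
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return body + _integrity_digest(body, password)


class _Cursor:
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk
    def u32(self):
        return struct.unpack(">I", self.take(4))[0]
    def utf(self):
        return self.take(struct.unpack(">H", self.take(2))[0]).decode("utf-8")


def read_jks(data, password):
    """Return {alias: {"type": "PrivateKeyEntry" | "trustedCertEntry", "certs": n}}.
    The integrity digest is checked first, so a wrong password or a tampered file fails loudly."""
    body, digest = data[:-20], data[-20:]
    if _integrity_digest(body, password) != digest:
        raise ValueError("keystore was tampered with, or password was incorrect")
    c = _Cursor(body)
    if c.u32() != JKS_MAGIC or c.u32() != JKS_VERSION:
        raise ValueError("not a version-2 JKS keystore")
    entries = {}
    for _ in range(c.u32()):
        tag, alias = c.u32(), c.utf()
        c.take(8)  # creation timestamp, not needed here
        if tag == TAG_PRIVATE_KEY:
            c.take(c.u32())  # encrypted PKCS#8 key blob
            chain_len = c.u32()
            for _ in range(chain_len):
                c.utf()          # certificate type, "X.509"
                c.take(c.u32())  # certificate DER
            entries[alias] = {"type": "PrivateKeyEntry", "certs": chain_len}
        elif tag == TAG_TRUSTED_CERT:
            c.utf()
            c.take(c.u32())
            entries[alias] = {"type": "trustedCertEntry", "certs": 1}
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return entries


def check_key_alias(data, password, alias):
    """Preflight a connector's keyAlias the way Tomcat does: it must exist AND be a key entry."""
    entry = read_jks(data, password).get(alias.lower())
    if entry is None:
        return "Alias name %s does not exist in keystore" % alias
    if entry["type"] != "PrivateKeyEntry":
        return "Alias name %s does not identify a key entry" % alias
    return "ok"


FAKE_DER = b"\x30\x03\x02\x01\x00"  # constructed placeholder; certificate contents are never decoded
SAMPLE_PASSWORD = "keystorepass"


def build_sample_keystore():
    """Rebuild the three entries that keytool -list showed in the original post."""
    return write_jks([
        ("root", TAG_TRUSTED_CERT, [FAKE_DER], None),
        ("meg", TAG_TRUSTED_CERT, [FAKE_DER], None),
        ("tomcat", TAG_PRIVATE_KEY, [FAKE_DER], FAKE_DER),
    ], SAMPLE_PASSWORD)
```

Running check_key_alias against a real meg.keystore with alias "meg" reproduces the startup error before Tomcat is ever restarted, while "tomcat" passes.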
Cybulski, Adam M
2018-06-26 17:32:54 UTC
Hi Chris, Thanks for the help,
Post by Cybulski, Adam M
keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
"C:\Tomcat8\meg_library_albany_edu_cert.cer"
That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.
I deleted the keystore and the certs and started over so there wouldn't be any garbage data in it. I followed all the same steps as before, but when I got to this one I used the command:

keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"

It returned the error: keytool error: java.lang.Exception: Failed to establish chain from reply
Post by Cybulski, Adam M
Any help you can give me in resolving this error is greatly
appreciated.
You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.
Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

Mark Thomas
2018-06-26 17:42:33 UTC
Post by Cybulski, Adam M
Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.
http://tomcat.apache.org/presentations.html

Look for the TLS generation presentation from the 2016 webinar series.

Mark

Shawn Heisey
2018-06-27 17:27:48 UTC
Post by Mark Thomas
Post by Cybulski, Adam M
Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.
http://tomcat.apache.org/presentations.html
Look for the TLS generation presentation from the 2016 webinar series.
I don't see anything in that presentation about pkcs12.  I see PEM for
the APR connector and JKS for the java connectors.

Can Java programs like Tomcat use pkcs12 stores created by other tools? 
I know how to use openssl to create a pkcs12 file for software on
Windows (typically for IIS, which is used by Exchange).  I use a command
like this:

openssl pkcs12 -export -in www.example.com.pem -inkey www.example.com.key \
  -out examplecert.p12 -CAfile intermediate.pem

Thanks,
Shawn


Christopher Schultz
2018-06-27 20:23:42 UTC

Shawn,
Post by Mark Thomas
Post by Cybulski, Adam M
Can you aim me at a guide to this? The steps I've been
following are just from whatever I've found online. Most of the
articles seem pretty dated.
http://tomcat.apache.org/presentations.html
Look for the TLS generation presentation from the 2016 webinar series.
I don't see anything in that presentation about pkcs12. I see PEM
for the APR connector and JKS for the java connectors.
Can Java programs like Tomcat use pkcs12 stores created by other
tools? I know how to use openssl to create a pkcs12 file for
software on Windows (typically for IIS, which is used by Exchange).
openssl pkcs12 -export -in www.example.com.pem -inkey www.example.com.key \
  -out examplecert.p12 -CAfile intermediate.pem
Tomcat doesn't do anything special with a keystore that any other
Java-based software might do. Theoretically, all keystore types
supported by Java are equivalent. All Tomcat does is call
KeyStore.getInstance(keystoreType) or whatever. The keystore type is
passed directly into the Java API.

I have recently been switching from JKS keystores to PKCS12 and I
haven't had any problems using openssl's pkcs12 command to manipulate
anything.

That being said, Java sometimes complains about things that really
shouldn't be a problem, such as having a keystore entry without an
alias (which is legal, and I believe openssl will let you do it). So
YMMV but you should be able to "correct" any of those issues with
another tool (e.g. openssl's pkcs12) and get it to work.

But Tomcat doesn't care.

-chris

Christopher Schultz
2018-06-26 18:05:57 UTC

Adam,
Post by Cybulski, Adam M
Hi Chris, Thanks for the help,
Post by Christopher Schultz
Post by Cybulski, Adam M
keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore
-file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
That last step should have been to import using the same alias as
the first step. That will update the self-signed certificate
with the CA-signed certificate.
I deleted the keystore and the certs and started over so there
wouldn't be any garbage data in it, I followed all the same steps
keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore
-file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
It returned the error: keytool error: java.lang.Exception: Failed
to establish chain from reply
Did you re-create your private key? I hope you kept a backup otherwise
you might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised
and I'd like a replacement". They should do it for free.
Post by Cybulski, Adam M
Post by Christopher Schultz
Post by Cybulski, Adam M
Any help you can give me in resolving this error is greatly
appreciated.
You should switch from JKS/JCEKS to PKCS12 keystores, since those
Java-specific ones are being deprecated and (not quickly enough)
dropped from Java.
Can you aim me at a guide to this? The steps I've been following
are just from whatever I've found online. Most of the articles seem
pretty dated.
No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you
execute. Otherwise, the default is the JKS "Java KeyStore" keystore
type.

-chris

Cybulski, Adam M
2018-06-26 18:08:20 UTC
Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.
I did recreate it, I'll do a whole new request rather than an update request. We have an education license, so it's not coming out of my budget!

Cybulski, Adam M
2018-06-26 18:25:08 UTC
I got the same error,

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <addtrustexternalca>
Do you still want to add it to your own keystore? [no]: y
Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply

Cybulski, Adam M
2018-06-26 18:36:37 UTC
Ok, I worked it out. I had to extract all the intermediate certificates from the root/intermediate certificate, and import them separately.

Thanks for all your help, I have it up and running now!

Christopher Schultz
2018-06-27 13:19:08 UTC

Adam,
Post by Cybulski, Adam M
Ok, I worked it out. I had to extract all the intermediate
certificates from the root/intermediate certificate, and import
them separately.
Yes, yet another thing that keytool isn't good at is importing
multiple certificates at once. It appears to work (i.e. doesn't
complain when importing a file containing multiple certificates) but
only imports the first one.

The great thing about using PKCS12 files is that you can abandon
keytool altogether except for testing (to see if Java can read the
file properly). OpenSSL's PKCS12 tools are more flexible than Java's
keytool.

-chris
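Adam's fix and Chris's explanation (keytool takes a file containing several certificates, imports only the first one, and says nothing) both come down to splitting the CA bundle before importing it. As an added example, not from the thread or from Tomcat, here is a stdlib-only Python splitter that turns such a bundle into one normalised PEM per certificate, rejects corrupted members before they reach keytool, and carries a constructed sample bundle whose DER payloads are placeholders rather than real certificates; the output file-name scheme is an assumption.

```python
import base64
import re

_PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_bundle(text):
    """Return every certificate in a PEM bundle as its own normalised PEM string.

    CRLF line endings are unified, text outside the BEGIN/END markers (such as the
    'Bag Attributes' header openssl pkcs12 emits) is dropped, and each block is
    base64-decoded so a corrupted member is rejected before anything reaches keytool."""
    certs = []
    for m in _PEM_CERT.finditer(text.replace("\r\n", "\n")):
        body = "".join(m.group(1).split())
        der = base64.b64decode(body, validate=True)  # binascii.Error on corrupt base64
        if not der.startswith(b"\x30"):  # every DER certificate begins with a SEQUENCE tag
            raise ValueError("block %d is not a DER certificate" % (len(certs) + 1))
        wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % wrapped)
    return certs


def write_split_files(text, prefix):
    """Write each member to prefix-1.cer, prefix-2.cer, ... (one file per keytool -import)
    and return the file names, so every intermediate gets its own alias."""
    names = []
    for i, pem in enumerate(split_pem_bundle(text), 1):
        name = "%s-%d.cer" % (prefix, i)
        with open(name, "w") as f:
            f.write(pem)
        names.append(name)
    return names


# Constructed sample: a bundle with Bag Attributes headers, CRLF line endings and two
# tiny placeholder DER blobs (not real certificates) standing in for the intermediate
# and root CA certificates.
SAMPLE_BUNDLE = (
    "Bag Attributes\r\n    friendlyName: intermediate\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMAMCAQA=\r\n-----END CERTIFICATE-----\r\n"
    "Bag Attributes\r\n    friendlyName: root\r\n"
    "-----BEGIN CERTIFICATE-----\r\nMAUCAwECAw==\r\n-----END CERTIFICATE-----\r\n"
)
```

Counting the result of split_pem_bundle on the downloaded intermediate file tells you up front how many keytool -import runs (and aliases) the chain needs.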