Re: Alias name does not identify a key entry

2018-06-27 Thread Christopher Schultz

Shawn,

On 6/27/18 1:27 PM, Shawn Heisey wrote:
> On 6/26/2018 11:42 AM, Mark Thomas wrote:
>> On 26/06/18 18:32, Cybulski, Adam M wrote:
>>> Can you aim me at a guide to this? The steps I've been
>>> following are just from whatever I've found online. Most of the
>>> articles seem pretty dated.
>> http://tomcat.apache.org/presentations.html
>> 
>> Look for the TLS generation presentation from the 2016 webinar
>> series.
> 
> I don't see anything in that presentation about pkcs12.  I see PEM
> for the APR connector and JKS for the java connectors.
> 
> Can Java programs like Tomcat use pkcs12 stores created by other
> tools? I know how to use openssl to create a pkcs12 file for
> software on Windows (typically for IIS, which is used by Exchange).
> I use a command like this:
> 
> openssl pkcs12 -export -in www.example.com.pem -inkey www.example.com.key \
>   -out examplecert.p12 -CAfile intermediate.pem

Tomcat doesn't do anything special with a keystore that any other
Java-based software might do. Theoretically, all keystore types
supported by Java are equivalent. All Tomcat does is call
KeyStore.getInstance(keystoreType) or whatever. The keystore type is
passed directly into the Java API.

I have recently been switching from JKS keystores to PKCS12 and I
haven't had any problems using openssl's pkcs12 command to manipulate
anything.

That being said, Java sometimes complains about things that really
shouldn't be a problem, such as having a keystore entry without an
alias (which is legal, and I believe openssl will let you do it). So
YMMV but you should be able to "correct" any of those issues with
another tool (e.g. openssl's pkcs12) and get it to work.

But Tomcat doesn't care.

-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Alias name does not identify a key entry

2018-06-27 Thread Shawn Heisey
On 6/26/2018 11:42 AM, Mark Thomas wrote:
> On 26/06/18 18:32, Cybulski, Adam M wrote:
>> Can you aim me at a guide to this? The steps I've been following are just 
>> from whatever I've found online. Most of the articles seem pretty dated.
> http://tomcat.apache.org/presentations.html
>
> Look for the TLS generation presentation from the 2016 webinar series.

I don't see anything in that presentation about pkcs12.  I see PEM for
the APR connector and JKS for the java connectors.

Can Java programs like Tomcat use pkcs12 stores created by other tools? 
I know how to use openssl to create a pkcs12 file for software on
Windows (typically for IIS, which is used by Exchange).  I use a command
like this:

openssl pkcs12 -export -in www.example.com.pem -inkey www.example.com.key \
  -out examplecert.p12 -CAfile intermediate.pem

Thanks,
Shawn





Re: Alias name does not identify a key entry

2018-06-27 Thread Christopher Schultz

Adam,

On 6/26/18 2:36 PM, Cybulski, Adam M wrote:
> Ok, I worked it out. I had to extract all the intermediate
> certificates from the root/intermediate certificate, and import
> them separately.

Yes, yet another thing that keytool isn't good at is importing
multiple certificates at once. It appears to work (i.e. doesn't
complain when importing a file containing multiple certificates) but
only imports the first one.

The great thing about using PKCS12 files is that you can abandon
keytool altogether except for testing (to see if Java can read the
file properly). OpenSSL's PKCS12 tools are more flexible than Java's
keytool.

-chris

> Thanks for all your help, I have it up and running now!
> 
> -Original Message-
> From: Cybulski, Adam M
> Sent: Tuesday, June 26, 2018 2:25 PM
> To: Tomcat Users List
> Subject: RE: Alias name does not identify a key entry
> 
> I got the same error,
> 
> C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
> Enter keystore password:
> 
> C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
> Enter keystore password:
> Certificate already exists in system-wide CA keystore under alias 
> Do you still want to add it to your own keystore? [no]:  y
> Certificate was added to keystore
> 
> C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> Enter keystore password:
> keytool error: java.lang.Exception: Failed to establish chain from reply
> 
> 
> 
> 
> -Original Message-
> From: Cybulski, Adam M
> Sent: Tuesday, June 26, 2018 2:08 PM
> To: Tomcat Users List
> Subject: RE: Alias name does not identify a key entry
> 
>> Did you re-create your private key? I hope you kept a backup
>> otherwise you might have to get your CA to re-sign the
>> certificate from scratch. If they try to charge you again just
>> say "my key has been compromised and I'd like a replacement".
>> They should do it for free.
> 
> I did recreate it, I'll do a whole new request rather than an
> update request. We have an education license, so it's not coming
> out of my budget!
> 
> -Original Message-
> From: Christopher Schultz
> Sent: Tuesday, June 26, 2018 2:06 PM
> To: users@tomcat.apache.org
> Subject: Re: Alias name does not identify a key entry
> 
> Adam,
> 
> On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
>> Hi Chris, Thanks for the help,
> 
>>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore
>>>> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>>> That last step should have been to import using the same alias
>>> as the first step. That will update the self-signed
>>> certificate with the CA-signed certificate.
> 
>> I deleted the keystore and the certs and started over so there 
>> wouldn't be any garbage data in it, I followed all the same steps
>> as before, but when I get to this one I used the command:
> 
>> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore
>> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
>> It returned the error: keytool error: java.lang.Exception: Failed
>> to establish chain from reply
> 
> Did you re-create your private key? I hope you kept a backup
> otherwise you might have to get your CA to re-sign the certificate
> from scratch. If they try to charge you again just say "my key has
> been compromised and I'd like a replacement". They should do it for
> free.
> 
>>>> Any help you can give me in resolving this error is greatly 
>>>> appreciated.
> 
>>> You should switch from JKS/JCEKS to PKCS12 keystores, since
>>> those Java-specific ones are being deprecated and (not quickly
>>> enough) dropped from Java.
> 
>> Can you aim me at a guide to this? The steps I've been following
>> are just from whatever I've found online. Most of the articles
>> seem pretty dated.
> 
> No particular guide (other than the one Mark posted in reply). To
> use PKCS12 files, just add "-storetype PKCS12" to every command you
> execute. Otherwise, the default is the JKS "Java KeyStore" keystore
> type.
> 
> -chris
> 
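As an added illustration of the two points above (not code from the thread, from keytool or from Tomcat): CertificateFactory reads every certificate in a bundle, and the CA reply has to be installed on the key's own alias. Class name ChainImport is hypothetical, and it assumes the key password equals the store password, as a plain keytool -genkey leaves it.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

// Hypothetical helper, not keytool or Tomcat code. It reads every certificate
// in a file (CertificateFactory handles a whole PEM bundle, whereas keytool
// -import keeps only the first), orders the CA-signed leaf plus intermediates
// into a chain by issuer/subject and signature, and installs that chain on the
// existing private-key entry, replacing the self-signed cert from -genkey.
public final class ChainImport {

    static List<X509Certificate> readAll(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Walks leaf -> issuer -> ... until a self-signed cert or a missing issuer. */
    static List<X509Certificate> orderChain(X509Certificate leaf, List<X509Certificate> pool) {
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate cur = leaf;
        chain.add(cur);
        while (!cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate cand : pool) {
                if (!cand.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) continue;
                try {
                    cur.verify(cand.getPublicKey()); // name matches AND the signature checks out
                    issuer = cand;
                    break;
                } catch (Exception e) {
                    // same subject name but a different key (e.g. a cross-signed CA): keep looking
                }
            }
            if (issuer == null) {
                // This is the situation keytool reports as
                // "java.lang.Exception: Failed to establish chain from reply".
                throw new IllegalStateException("no issuer for " + cur.getSubjectX500Principal()
                        + " in the supplied bundle; add the missing intermediate");
            }
            chain.add(issuer);
            cur = issuer;
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 6) {
            System.err.println("usage: ChainImport <keystore> <JKS|PKCS12> <password> <keyAlias> <reply.cer> <ca-bundle.cer>");
            System.exit(2);
        }
        String storePath = args[0];
        char[] pw = args[2].toCharArray();   // assumed: key password == store password
        String alias = args[3];

        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, pw);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("'" + alias + "' is not the private-key alias; use the one given to -genkey");
        }
        PrivateKey key = (PrivateKey) ks.getKey(alias, pw);
        X509Certificate current = (X509Certificate) ks.getCertificate(alias);

        X509Certificate leaf = readAll(args[4]).get(0);   // the CA's reply: the server certificate
        if (!leaf.getPublicKey().equals(current.getPublicKey())) {
            // A regenerated key (a second -genkey) no longer matches what the CA signed.
            throw new IllegalStateException("reply public key does not match the key under '" + alias + "'");
        }
        List<X509Certificate> chain = orderChain(leaf, readAll(args[5]));

        // Same alias as the key: this turns the self-signed entry into the
        // CA-signed one instead of creating a separate trustedCertEntry.
        ks.setKeyEntry(alias, key, pw, chain.toArray(new Certificate[0]));
        try (OutputStream out = new FileOutputStream(storePath)) {
            ks.store(out, pw);
        }
        System.out.println("installed " + chain.size() + "-certificate chain under '" + alias + "'");
    }
}
```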

RE: Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M
Ok, I worked it out. I had to extract all the intermediate certificates from 
the root/intermediate certificate, and import them separately. 

Thanks for all your help, I have it up and running now!

-Original Message-
From: Cybulski, Adam M  
Sent: Tuesday, June 26, 2018 2:25 PM
To: Tomcat Users List 
Subject: RE: Alias name does not identify a key entry

I got the same error, 

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias 
Do you still want to add it to your own keystore? [no]:  y
Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply




-Original Message-
From: Cybulski, Adam M 
Sent: Tuesday, June 26, 2018 2:08 PM
To: Tomcat Users List 
Subject: RE: Alias name does not identify a key entry

>Did you re-create your private key? I hope you kept a backup otherwise you 
>might have to get your CA to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd 
>like a replacement". They should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. 
We have an education license, so it's not coming out of my budget!

-Original Message-
From: Christopher Schultz 
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry


Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
> 
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
>>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the 
>> first step. That will update the self-signed certificate with the 
>> CA-signed certificate.
> 
> I deleted the keystore and the certs and started over so there 
> wouldn't be any garbage data in it, I followed all the same steps as 
> before, but when I get to this one I used the command:
> 
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
> It returned the error: keytool error: java.lang.Exception: Failed to 
> establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you 
might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd 
like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly 
>>> appreciated.
> 
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those 
>> Java-specific ones are being deprecated and (not quickly enough) 
>> dropped from Java.
> 
> Can you aim me at a guide to this? The steps I've been following are 
> just from whatever I've found online. Most of the articles seem pretty 
> dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you execute. 
Otherwise, the default is the JKS "Java KeyStore" keystore type.

-chris


RE: Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M
I got the same error, 

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias 
Do you still want to add it to your own keystore? [no]:  y
Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply




-Original Message-
From: Cybulski, Adam M  
Sent: Tuesday, June 26, 2018 2:08 PM
To: Tomcat Users List 
Subject: RE: Alias name does not identify a key entry

>Did you re-create your private key? I hope you kept a backup otherwise you 
>might have to get your CA to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd 
>like a replacement". They should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. 
We have an education license, so it's not coming out of my budget!

-Original Message-
From: Christopher Schultz 
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry


Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
> 
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
>>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the 
>> first step. That will update the self-signed certificate with the 
>> CA-signed certificate.
> 
> I deleted the keystore and the certs and started over so there 
> wouldn't be any garbage data in it, I followed all the same steps as 
> before, but when I get to this one I used the command:
> 
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
> It returned the error: keytool error: java.lang.Exception: Failed to 
> establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you 
might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd 
like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly 
>>> appreciated.
> 
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those 
>> Java-specific ones are being deprecated and (not quickly enough) 
>> dropped from Java.
> 
> Can you aim me at a guide to this? The steps I've been following are 
> just from whatever I've found online. Most of the articles seem pretty 
> dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you execute. 
Otherwise, the default is the JKS "Java KeyStore" keystore type.

-chris






RE: Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M
>Did you re-create your private key? I hope you kept a backup otherwise you 
>might have to get your CA to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd 
>like a replacement". They should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. 
We have an education license, so it's not coming out of my budget!

-Original Message-
From: Christopher Schultz  
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry


Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
> 
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
>>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the 
>> first step. That will update the self-signed certificate with the 
>> CA-signed certificate.
> 
> I deleted the keystore and the certs and started over so there 
> wouldn't be any garbage data in it, I followed all the same steps as 
> before, but when I get to this one I used the command:
> 
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
> It returned the error: keytool error: java.lang.Exception: Failed to 
> establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you 
might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd 
like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly 
>>> appreciated.
> 
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those 
>> Java-specific ones are being deprecated and (not quickly enough) 
>> dropped from Java.
> 
> Can you aim me at a guide to this? The steps I've been following are 
> just from whatever I've found online. Most of the articles seem pretty 
> dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you execute. 
Otherwise, the default is the JKS "Java KeyStore" keystore type.

-chris






Re: Alias name does not identify a key entry

2018-06-26 Thread Christopher Schultz

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
> 
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore
>>> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as
>> the first step. That will update the self-signed certificate
>> with the CA-signed certificate.
> 
> I deleted the keystore and the certs and started over so there
> wouldn't be any garbage data in it, I followed all the same steps
> as before, but when I get to this one I used the command:
> 
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore
> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
> It returned the error: keytool error: java.lang.Exception: Failed
> to establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise
you might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised
and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly 
>>> appreciated.
> 
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those
>> Java-specific ones are being deprecated and (not quickly enough)
>> dropped from Java.
> 
> Can you aim me at a guide to this? The steps I've been following
> are just from whatever I've found online. Most of the articles seem
> pretty dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you
execute. Otherwise, the default is the JKS "Java KeyStore" keystore type.

-chris




Re: Alias name does not identify a key entry

2018-06-26 Thread Mark Thomas
On 26/06/18 18:32, Cybulski, Adam M wrote:

> Can you aim me at a guide to this? The steps I've been following are just 
> from whatever I've found online. Most of the articles seem pretty dated.

http://tomcat.apache.org/presentations.html

Look for the TLS generation presentation from the 2016 webinar series.

Mark




RE: Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M
Hi Chris, Thanks for the help, 

>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>That last step should have been to import using the same alias as the first 
>step. That will update the self-signed certificate with the CA-signed 
>certificate.

I deleted the keystore and the certs and started over so there wouldn't be any 
garbage data in it, I followed all the same steps as before, but when I get to 
this one I used the command:

keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file 
"C:\Tomcat8\meg_library_albany_edu_cert.cer"

It returned the error: keytool error: java.lang.Exception: Failed to establish 
chain from reply

>> Any help you can give me in resolving this error is greatly 
>> appreciated.

>You should switch from JKS/JCEKS to PKCS12 keystores, since those 
>Java-specific ones are being deprecated and (not quickly enough) dropped from 
>Java.

Can you aim me at a guide to this? The steps I've been following are just from 
whatever I've found online. Most of the articles seem pretty dated. 

-Original Message-
From: Christopher Schultz  
Sent: Tuesday, June 26, 2018 12:14 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry


Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:
> 
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm 
> unable to start the SSL connector.
> 
> My connector syntax is as follows:
> 
> <Connector connectionTimeout="2" redirectPort="8443" />
> <Connector port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
>   secure="true" SSLEnabled="true"
>   keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass"
>   keyAlias="meg" />
> 
> To which I receive this error in Catalina.log:
> 
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to 
> initialize end point associated with ProtocolHandler 
> ["https-openssl-nio-8443"] java.lang.IllegalArgumentException:
> java.io.IOException: Alias name meg does not identify a key entry
> 
> However, meg is in my keystore:
> 
> 
> 
> Keystore type: JKS Keystore provider: SUN
> 
> Your keystore contains 3 entries
> 
> root, Jun 25, 2018, trustedCertEntry, Certificate fingerprint
> (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B: 
> 68:85:18:68 meg, Jun 25, 2018, trustedCertEntry, Certificate 
> fingerprint (SHA1):
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B: 6F:24:D1:59

The error message is correct: your alias identifies a "trusted certificate", 
not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry, Certificate fingerprint
> (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70: 
> 84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
> 
> keytool -genkey -alias tomcat -keyalg RSA -keystore 
> c:\Tomcat8\meg.keystore
> 
> keytool -certreq -keyalg RSA -alias tomcat -file 
> c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
> 
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509 
> intermediates/root certificates.
> 
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore 
> -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
> 
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the first 
step. That will update the self-signed certificate with the CA-signed 
certificate.

> Any help you can give me in resolving this error is greatly 
> appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific 
ones are being deprecated and (not quickly enough) dropped from Java.

Hope that helps.
-chris




Re: Alias name does not identify a key entry

2018-06-26 Thread Christopher Schultz

Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:
> 
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm
> unable to start the SSL connector.
> 
> My connector syntax is as follows:
> 
> <Connector connectionTimeout="2" redirectPort="8443" />
> <Connector port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
>   secure="true" SSLEnabled="true"
>   keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass"
>   keyAlias="meg" />
> 
> To which I receive this error in Catalina.log:
> 
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to
> initialize end point associated with ProtocolHandler
> ["https-openssl-nio-8443"] java.lang.IllegalArgumentException:
> java.io.IOException: Alias name meg does not identify a key entry
> 
> However, meg is in my keystore:
> 
> 
> 
> Keystore type: JKS Keystore provider: SUN
> 
> Your keystore contains 3 entries
> 
> root, Jun 25, 2018, trustedCertEntry, Certificate fingerprint
> (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B: 
> 68:85:18:68 meg, Jun 25, 2018, trustedCertEntry, Certificate
> fingerprint (SHA1):
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B: 6F:24:D1:59

The error message is correct: your alias identifies a "trusted
certificate", not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry, Certificate fingerprint
> (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70: 
> 84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
> 
> keytool -genkey -alias tomcat -keyalg RSA -keystore
> c:\Tomcat8\meg.keystore
> 
> keytool -certreq -keyalg RSA -alias tomcat -file
> c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
> 
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509
> intermediates/root certificates.
> 
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore
> -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
> 
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the
first step. That will update the self-signed certificate with the
CA-signed certificate.

> Any help you can give me in resolving this error is greatly
> appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those
Java-specific ones are being deprecated and (not quickly enough)
dropped from Java.

Hope that helps.
-chris

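An added diagnostic (not Tomcat's code; the class name KeyAliasCheck is hypothetical) that loads the keystore the way this thread describes Tomcat doing it, KeyStore.getInstance(type) followed by load(), and explains why keyAlias="meg" fails here while "tomcat" would be accepted:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical diagnostic, not Tomcat's own code. It opens the store the way
// the thread says Tomcat does (KeyStore.getInstance(type) + load) and reports
// whether the configured keyAlias is a PrivateKeyEntry or only a trustedCertEntry.
public final class KeyAliasCheck {

    // type plays the role of server.xml's keystoreType: Tomcat defaults to JKS,
    // so a .p12 store needs "PKCS12" here just as keytool needs -storetype PKCS12.
    static KeyStore open(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Verdict for the alias Tomcat would look up, phrased like the thread's messages. */
    static String checkAlias(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "alias '" + alias + "' not found; entries: " + Collections.list(ks.aliases());
        }
        if (ks.isCertificateEntry(alias)) {
            // The thread's failure: the CA reply was imported under a new alias, so
            // it became a trustedCertEntry with no private key behind it.
            return "alias '" + alias + "' is a trustedCertEntry, so Tomcat reports "
                 + "'Alias name " + alias + " does not identify a key entry'";
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            return "alias '" + alias + "' is a key entry without a certificate (e.g. a secret key); not usable for TLS";
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        if (chain.length == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
            return "alias '" + alias + "' is a PrivateKeyEntry but still holds the self-signed "
                 + "certificate from -genkey: import the CA reply under this same alias";
        }
        return "alias '" + alias + "' is a PrivateKeyEntry with a " + chain.length
             + "-certificate chain: " + describeChain(chain);
    }

    /** Lists subjects and checks that each certificate is signed by the next one. */
    static String describeChain(Certificate[] chain) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            sb.append(c.getSubjectX500Principal().getName());
            if (i + 1 < chain.length) {
                try {
                    c.verify(chain[i + 1].getPublicKey());
                    sb.append(" <- ");
                } catch (Exception e) {
                    sb.append(" <- [NOT signed by the next certificate] ");
                }
            }
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeyAliasCheck <keystore> <JKS|PKCS12> <password> <keyAlias>");
            System.exit(2);
        }
        KeyStore ks = open(args[0], args[1], args[2].toCharArray());
        System.out.println("Keystore type: " + ks.getType() + ", provider: " + ks.getProvider().getName());
        for (String a : Collections.list(ks.aliases())) {
            System.out.println("  " + a + ": " + (ks.isKeyEntry(a) ? "PrivateKeyEntry" : "trustedCertEntry"));
        }
        System.out.println(checkAlias(ks, args[3]));
    }
}
```

Run against the keystore from the thread with "meg" and then "tomcat" to see the two verdicts side by side.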



Re: Alias name does not identify a key entry

2018-06-26 Thread Jose María Zaragoza
On Tue, 26 Jun 2018 at 17:03, Cybulski, Adam M
() wrote:
>
>
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm unable to 
> start the SSL connector.
>
> My connector syntax is as follows:
>
> <Connector connectionTimeout="2"
>   redirectPort="8443" />
>
> <Connector port="8443"
>   protocol="HTTP/1.1"
>   maxThreads="150"
>   scheme="https"
>   secure="true"
>   SSLEnabled="true"
>   keystoreFile="c:\tomcat8\meg.keystore"
>   keystorePass="keystorepass"
>   keyAlias="meg" />
>
> To which I receive this error in Catalina.log:
>
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize 
> end point associated with ProtocolHandler ["https-openssl-nio-8443"]
>  java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does 
> not identify a key entry
>
> However, meg is in my keystore:
>
>
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> root, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1): 
> 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
> 68:85:18:68
> meg, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1): 
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:
> 6F:24:D1:59
> tomcat, Jun 25, 2018, PrivateKeyEntry,
> Certificate fingerprint (SHA1): 
> AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
> 84:C8:16:82
>
> I used these steps to manage the certs:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore
>
> keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr 
> -keystore c:\Tomcat8\meg.keystore
>
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509 
> intermediates/root certificates.
>
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts 
> -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
>
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> Any help you can give me in resolving this error is greatly appreciated.
>
>

Hi

I guess that the meg entry should be a PrivateKeyEntry (public
certificate + private key), not a trustedCertEntry.
I think that meg_library_albany_edu_cert.cer only contains a public certificate.

Honestly, I use openssl to create .p12 key stores. Something like:

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out KEYSTORE.p12 \
  -name "meg" -CAfile MY-CA-CERT.crt -caname myCA -chain

Regards




Alias name does not identify a key entry

2018-06-26 Thread Cybulski, Adam M


Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm unable to 
start the SSL connector. 

My connector syntax is as follows:

<Connector connectionTimeout="2"
  redirectPort="8443" />

<Connector port="8443"
  protocol="HTTP/1.1"
  maxThreads="150"
  scheme="https"
  secure="true"
  SSLEnabled="true"
  keystoreFile="c:\tomcat8\meg.keystore"
  keystorePass="keystorepass"
  keyAlias="meg" />

To which I receive this error in Catalina.log: 

SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end 
point associated with ProtocolHandler ["https-openssl-nio-8443"]
 java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does 
not identify a key entry

However, meg is in my keystore: 



Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
68:85:18:68
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:
6F:24:D1:59
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
84:C8:16:82

I used these steps to manage the certs: 

keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore

keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr 
-keystore c:\Tomcat8\meg.keystore

Sent CSR to InCommon CA, downloaded x509 certificate, and x509 
intermediates/root certificates. 

keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts 
-file "C:\Tomcat8\meg_library_albany_edu_interm.cer"

keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file 
"C:\Tomcat8\meg_library_albany_edu_cert.cer"

Any help you can give me in resolving this error is greatly appreciated. 
