Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:
> 
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine, and I'm
> unable to start the SSL connector.
> 
> My connector syntax is as follows:
> 
> <Connector port="8080" protocol="HTTP/1.1"
>            connectionTimeout="20000" redirectPort="8443" />
> <Connector port="8443" protocol="HTTP/1.1" maxThreads="150"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="c:\tomcat8\meg.keystore"
>            keystorePass="keystorepass" keyAlias="meg" />
> 
> To which I receive this error in Catalina.log:
> 
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to
> initialize end point associated with ProtocolHandler
> ["https-openssl-nio-8443"]
> java.lang.IllegalArgumentException: java.io.IOException: Alias name
> meg does not identify a key entry
> 
> However, meg is in my keystore:
> 
> Keystore type: JKS
> Keystore provider: SUN
> 
> Your keystore contains 3 entries
> 
> root, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
> meg, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:6F:24:D1:59

The error message is correct: your alias identifies a "trusted
certificate", not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry,
> Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
> 
> keytool -genkey -alias tomcat -keyalg RSA -keystore
> c:\Tomcat8\meg.keystore
> 
> keytool -certreq -keyalg RSA -alias tomcat -file
> c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
> 
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509
> intermediates/root certificates.
> 
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore
> -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
> 
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the
first step. That will update the self-signed certificate with the
CA-signed certificate.

> Any help you can give me in resolving this error is greatly
> appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those
Java-specific ones are being deprecated and (not quickly enough)
dropped from Java.

Hope that helps.
-chris
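
The alias check discussed in this reply, as an added example that is not part of the original thread: it parses default `keytool -list` output and reports whether a Connector's `keyAlias` names a `PrivateKeyEntry`. The sample listing and connector are constructed (aliases and entry types modelled on the thread, placeholder fingerprints), and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: aliases and entry types as in the thread,
# fingerprints replaced by placeholders.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 00:00:00:00
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11:11
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 22:22:22:22
"""
SAMPLE_CONNECTOR = ('<Connector port="8443" SSLEnabled="true" '
                    'keystoreFile="c:\\tomcat8\\meg.keystore" keyAlias="meg" />')

# Entry lines look like "alias, <date>, entryType,". The date is
# locale-dependent and contains a comma, so anchor on the entry type.
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), .+, "
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),\s*$")

def parse_listing(text):
    """Map alias -> entry type from default `keytool -list` output."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            # JKS aliases are case-insensitive; normalise to lower case.
            entries[m.group("alias").lower()] = m.group("type")
    return entries

def check_connector(connector_xml, listing_text):
    """Return (ok, message) for the connector's keyAlias."""
    alias = ET.fromstring(connector_xml).get("keyAlias")
    entries = parse_listing(listing_text)
    usable = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    if alias is None:
        # Without keyAlias, Tomcat uses the first key it reads.
        return bool(usable), f"no keyAlias set; private key entries: {usable}"
    kind = entries.get(alias.lower())
    if kind == "PrivateKeyEntry":
        return True, f"{alias}: PrivateKeyEntry"
    return False, f"{alias}: {kind or 'not present'}; use one of {usable}"

if __name__ == "__main__":
    print(check_connector(SAMPLE_CONNECTOR, SAMPLE_LISTING))
```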
