Adam,

On 6/26/18 2:36 PM, Cybulski, Adam M wrote:
> Ok, I worked it out. I had to extract all the intermediate
> certificates from the root/intermediate certificate, and import
> them separately.

Yes, yet another thing that keytool isn't good at is importing
multiple certificates at once. It appears to work (i.e. doesn't
complain when importing a file containing multiple certificates) but
only imports the first one.

The great thing about using PKCS12 files is that you can abandon
keytool altogether except for testing (to see if Java can read the
file properly). OpenSSL's PKCS12 tools are more flexible than Java's
keytool.

-chris

> Thanks for all your help, I have it up and running now!
> 
> -----Original Message-----
> From: Cybulski, Adam M <acybul...@albany.edu>
> Sent: Tuesday, June 26, 2018 2:25 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: RE: Alias name does not identify a key entry
> 
> I got the same error,
> 
> C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
> Enter keystore password:
>
> C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
> Enter keystore password:
> Certificate already exists in system-wide CA keystore under alias <addtrustexternalca>
> Do you still want to add it to your own keystore? [no]:  y
> Certificate was added to keystore
>
> C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> Enter keystore password:
> keytool error: java.lang.Exception: Failed to establish chain from reply
> 
> -----Original Message-----
> From: Cybulski, Adam M <acybul...@albany.edu>
> Sent: Tuesday, June 26, 2018 2:08 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: RE: Alias name does not identify a key entry
> 
>> Did you re-create your private key? I hope you kept a backup
>> otherwise you might have to get your CA to re-sign the
>> certificate from scratch. If they try to charge you again just
>> say "my key has been compromised and I'd like a replacement".
>> They should do it for free.
> 
> I did recreate it, I'll do a whole new request rather than an
> update request. We have an education license, so it's not coming
> out of my budget!
> 
> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Tuesday, June 26, 2018 2:06 PM
> To: users@tomcat.apache.org
> Subject: Re: Alias name does not identify a key entry
> 
> Adam,
> 
> On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
>> Hi Chris, Thanks for the help,
> 
>>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore
>>>> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>>> That last step should have been to import using the same alias
>>> as the first step. That will update the self-signed
>>> certificate with the CA-signed certificate.
> 
>> I deleted the keystore and the certs and started over so there 
>> wouldn't be any garbage data in it, I followed all the same steps
>> as before, but when I get to this one I used the command:
> 
>> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore
>> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
> 
>> It returned the error: keytool error: java.lang.Exception: Failed
>> to establish chain from reply
> 
> Did you re-create your private key? I hope you kept a backup
> otherwise you might have to get your CA to re-sign the certificate
> from scratch. If they try to charge you again just say "my key has
> been compromised and I'd like a replacement". They should do it for
> free.
> 
>>>> Any help you can give me in resolving this error is greatly 
>>>> appreciated.
> 
>>> You should switch from JKS/JCEKS to PKCS12 keystores, since
>>> those Java-specific ones are being deprecated and (not quickly
>>> enough) dropped from Java.
> 
>> Can you aim me at a guide to this? The steps I've been following
>> are just from whatever I've found online. Most of the articles
>> seem pretty dated.
> 
> No particular guide (other than the one Mark posted in reply). To
> use PKCS12 files, just add "-storetype PKCS12" to every command you
> execute. Otherwise, the default is the JKS "Java KeyStore" keystore
> type.
> 
> -chris
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
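
Added example, not part of the thread: since keytool reads only the first certificate from a multi-certificate file, this sketch splits a PEM bundle into one file per certificate and imports each under its own alias with -storetype PKCS12. It assumes the bundle is PEM-encoded; the file names, aliases and keystore path are hypothetical, and the sample bundle is constructed placeholder data.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a PEM-encoded bundle;
# file names, aliases and the keystore path are hypothetical.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/chain-NN.pem, one certificate each, and prints how many it found.
split_pem_bundle() {
    mkdir -p "$2" || return 1
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/chain-%02d.pem", dir, n) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { if (f != "") close(f); f = "" }
        END                           { print n + 0 }
    ' "$1"
}

# import_chain OUTDIR KEYSTORE
# One keytool -importcert per file, each under its own alias, so no
# certificate is silently skipped. DRY_RUN=1 prints the commands instead.
import_chain() {
    for pem in "$1"/chain-*.pem; do
        [ -e "$pem" ] || continue
        name=$(basename "$pem" .pem)
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "keytool -importcert -trustcacerts -noprompt -alias $name" \
                 "-file $pem -keystore $2 -storetype PKCS12"
        else
            keytool -importcert -trustcacerts -noprompt -alias "$name" \
                -file "$pem" -keystore "$2" -storetype PKCS12
        fi
    done
}

# Constructed sample input: three placeholder PEM blocks, not real certificates.
make_sample_bundle() {
    for body in AAAA BBBB CCCC; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' "$body" '-----END CERTIFICATE-----'
    done > "$1"
}

tmp=$(mktemp -d)
make_sample_bundle "$tmp/bundle.pem"
echo "certificates in bundle: $(split_pem_bundle "$tmp/bundle.pem" "$tmp/split")"
DRY_RUN=1 import_chain "$tmp/split" "$tmp/meg.p12"
```

Once the chain certificates are in the keystore, the CA-signed certificate is imported under the same alias as the key entry (tomcat in the thread).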