Error: Alias name [null] does not identify a key entry during implementing SSL in Tomcat

2
votes

I am trying to implement SSL in tomcat 8 first time.

I have third party signed X.509 certificate in the form of .pem file.

However after configuration when I try to start tomcat, it is giving me following error:

22-Nov-2017 18:48:01.735 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"] 22-Nov-2017 18:48:01.897 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-8443"] java.lang.IllegalArgumentException: java.io.IOException: Alias name [null] does not identify a key entry at ...

Following are the steps I have followed:

  1. Renamed certificate.pem to certificate.p7b.
  2. Applied following command to inport certificate into keystore:

D:\keytest2>keytool -import -alias tomcat -trustcacerts -file certificate.p7b -keystore keystore.kdb

Enter keystore password: test
Re-enter new password: test

...
...
Certificate was added to keystore

  1. Checked imported certificate:

D:\keytest2>keytool -list -v -keystore keystore.kd

Which gives me following outout:

Keystore type: JKS Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat Creation date: Nov 22, 2017 Entry type: trustedCertEntry ... ...

Tomcat Configuration:

<Connector port="8443" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true" 
               keystoreFile="file:///D:/keytest2/keystore.kdb" keystorePass="test"
           clientAuth="false" sslProtocol="TLS">

Please guide me where I am doing wrong.

1
javatomcatsslx509pkcs#11
A CERTIFICATE IS NOT A PRIVATE KEY. Any SSL/TLS server needs a certificate (usually with a chain) AND the matching privatekey, and Java (including Tomcat traditionally) usually needs them in a keystore file as a PrivateKeyEntry NOT a TrustedCertEntry. (Tomcat 8.5 up has more flexibility as to the form, but the substance is the same.) If you generated the key (and CSR) give details of that; otherwise get it from whoever did. BTW p7b format is not the same as plain cert format, and thinking they are the same will confuse you, although the code ignores and is not confused by file extensions.dave_thompson_085
You are right. I don't have the private key. So I have tried to generate the certificate and key using openssl tool. Now I have both certificate and key. Can you tell me how I can import them into keystore and configure in tomcat? Thanks in advance.Chintan Patel
I found it from ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/… . I have created certificate and key file using openssl and combined them. It worked for me. Thanks.Chintan Patel

1 Answers

1
votes

The issue was due to missing parameter "keyAlias" in tomcat configuration.

However putting alias didnot solve my problem. It started throwing same error with the alias name instead of null :).

As per the comment of @dev_thompson_085, I came to know that I was missing the key file for this process. So I tried same with self-signed X.509 certificate as per the url: https://www.ibm.com/support/knowledgecenter/en/SSWHYP_4.0.0/com.ibm.apimgmt.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html

And it worked very well with both files.