I am installing a SSL cert in my Tomcat server, but it fails to find the key entry in my keystore file.
If I don't specify keyAlias="mykey"
it shows me the following error message:
javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
As I saw on Tomcat Documentation http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Troubleshooting it tells me to specify the keyAlias
.
However, when I do it, I get the following error message:
java.io.IOException: Alias name mykey does not identify a key entry
And if I keytool -list -keystore .keystore -v
, I get three key entries, two from the cert company and the last one:
Alias name: mykey
Creation date: Dec 17, 2011
Entry type: trustedCertEntry
That is, the key entry is there, but Tomcat can't find it. The keystoreFile
is corrected set to the keystore file.
What can it be?
For anyone else who stumbles upon this: The key (pun not intended) is to import your certificate using the same alias as the one you used to originally create they keystore (along with its private key) when you ran 'keytool -genkey-alias myalias ...' -- this is how Tomcat ties the private key with your new certificate when it is imported.
Basically, like other commenters said, in the end your own cert should NOT show as a "trustedCertEntry" in a 'keytool -list' -- it needs to be a "PrivateKeyEntry", see below example:
You can find out the original alias by running 'keytool -list', and looking for the PrivateKeyEntry entry. If all goes well when you import your new CA-provided cert (i.e., you use the same alias and your keys match), the new cert will be automagically absorbed into the PrivateKeyEntry. This is the alias you'll need to refer to in Tomcat's server.xml file.