
I followed the following steps at http://www.globalsign.com/support/install/install_tomcat.php, using the following entry in server.xml:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           keystoreFile="D:\Tomcat\ukdp.keystore" keystorePass="123456" keyAlias="ukdp"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

But the following exception occurs during startup:

SEVERE: Error initializing endpoint
java.io.IOException: Alias name ukdp does not identify a key entry
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:412)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
    at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:177)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1059)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:792)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:518)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Mar 14, 2011 4:14:56 PM org.apache.catalina.startup.Catalina load

When I remove the keyAlias entry as follows:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           keystoreFile="D:\Tomcat\ukdp.keystore" keystorePass="123456"
           maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

The following exception occurs during startup:

SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
    at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
    at java.lang.Thread.run(Unknown Source)
Mar 14, 2011 4:20:31 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
    at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
    at java.lang.Thread.run(Unknown Source)
Mar 14, 2011 4:20:31 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed

2 Answers

16

List the entries in the keystore using

keytool -list -keystore D:\Tomcat\ukdp.keystore -storepass 123456

If the entry isn't there, you need to import it as a PrivateKeyEntry. If it's there, check that its type is PrivateKeyEntry and not trustedCertEntry.

If the type is trustedCertEntry and you want to change it, the process I found is as follows:

# Convert the private key and its certificate to a PKCS12 bundle
openssl pkcs12 -export -inkey myserverkey.key -in myserver.crt -out tempstore.p12

# Import the PKCS12 bundle into the JKS keystore (creates a PrivateKeyEntry):
keytool -importkeystore -srckeystore tempstore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks

# List the entries:
keytool -list -v -keystore keystore.jks
# Note the alias; it is usually "1", which we need to change

# Change the alias:
keytool -changealias -alias 1 -destalias mywantedkeyalias -keystore keystore.jks

With the obvious changes of myserverkey.key, myserver.crt, keystore.jks and mywantedkeyalias.

3
  • Is this inconsistent with Bruno's above comment that "you can't translate the certificate into the private key"? Commented Dec 18, 2012 at 20:10
  • 1
    @MatthewCornell You aren't just translating the certificate, if you can see the first line has two inputs, the certificate file (.crt) and the private key (.key) - they are being converted to the pkcs12 which can then be imported to the keystore as a PrivateKeyEntry (second line). Does that make sense to you?
    – Asaf
    Commented Dec 23, 2012 at 19:13
  • This is almost great but where does myserverkey.key come from? All i have is a keystore file
    – Edd
    Commented May 12, 2014 at 9:51
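What keytool -list is reporting in both answers, as an added illustration that is not code from either answer: a minimal reader for the JKS file format (magic header, entry tags 1 = PrivateKeyEntry and 2 = trustedCertEntry, and the SHA-1 integrity digest keyed with the storepass), run over a constructed keystore that mirrors the question's two trustedCertEntry aliases. The placeholder key and certificate bytes are assumptions; the alias names and storepass are the question's own.

```python
# Inspect a JKS keystore by hand: which kind of entry does an alias hold?
# Tomcat's "Alias name ukdp does not identify a key entry" means the alias
# exists but is a trustedCertEntry (tag 2), not a PrivateKeyEntry (tag 1).
import hashlib
import struct

JKS_MAGIC, PRIVATE_KEY, TRUSTED_CERT = 0xFEEDFEED, 1, 2
TYPE_NAMES = {PRIVATE_KEY: "PrivateKeyEntry", TRUSTED_CERT: "trustedCertEntry"}

def _digest(password, body):
    # JKS integrity check: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)
    return hashlib.sha1(password.encode("utf-16-be") + b"Mighty Aphrodite" + body).digest()

def build_jks(entries, password):
    """Constructed keystore for testing: entries = [(alias, tag, cert_der)].
    Key bytes and certs are placeholders; only the layout matters for the check."""
    body = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag, cert in entries:
        body += struct.pack(">IH", tag, len(alias)) + alias.encode() + bytes(8)  # date
        if tag == PRIVATE_KEY:  # encrypted key blob, then chain length (1)
            key = b"placeholder-encrypted-key"
            body += struct.pack(">I", len(key)) + key + struct.pack(">I", 1)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(cert)) + cert
    return body + _digest(password, body)

def list_entries(data, password):
    """Return {alias: entry type}; raise ValueError on bad magic or wrong storepass."""
    body, stored = data[:-20], data[-20:]
    if _digest(password, body) != stored:
        raise ValueError("integrity check failed: wrong storepass or tampered keystore")
    magic, version, count = struct.unpack_from(">III", body)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS keystore")
    pos, entries = 12, {}
    for _ in range(count):
        tag, n = struct.unpack_from(">IH", body, pos)
        alias = body[pos + 6:pos + 6 + n].decode()
        pos += 6 + n + 8                                   # skip creation date
        chain = 1
        if tag == PRIVATE_KEY:                             # skip key, read chain length
            (n,) = struct.unpack_from(">I", body, pos); pos += 4 + n
            (chain,) = struct.unpack_from(">I", body, pos); pos += 4
        for _ in range(chain):                             # skip cert type + DER
            (n,) = struct.unpack_from(">H", body, pos); pos += 2 + n
            (n,) = struct.unpack_from(">I", body, pos); pos += 4 + n
        entries[alias] = TYPE_NAMES.get(tag, "unknown")
    return entries

def check_key_alias(data, password, alias):
    """Mirror Tomcat's precondition: keyAlias must name a PrivateKeyEntry."""
    return list_entries(data, password).get(alias, "missing")
```

Running check_key_alias on the question's keystore returns "trustedCertEntry" for ukdp, which is exactly the condition behind the first exception; after the PKCS12 import and alias rename it returns "PrivateKeyEntry".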
5

What's in your keystore, for a start?

keytool -list -keystore D:\Tomcat\ukdp.keystore -storepass 123456

If there is really no "ukdp" key, here's your problem.

6
  • Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 2 entries

    inter, Mar 14, 2011, trustedCertEntry,
    Certificate fingerprint (MD5): 72:82:67:20:5F:EC:F2:9F:4B:9A:3C:08:3D:E5:50:82
    ukdp, Mar 14, 2011, trustedCertEntry,
    Certificate fingerprint (MD5): D5:E8:D3:6E:AB:20:E5:1B:BC:EF:D0:39:B5:AC:37:73
    – d-man
    Commented Mar 14, 2011 at 13:11
  • 1
    ukdp is there, then why is it still creating a problem?
    – d-man
    Commented Mar 14, 2011 at 13:12
  • Hmm, I fail to see the issue then. Commented Mar 14, 2011 at 13:30
  • 6
    It turns out that Tomcat requires an entry of PrivateKeyEntry, not trustedCertEntry. The latter you can generate using keytool -genkey. I don't know if you can translate from one to the other, but it's a start.
    – jevon
    Commented Jan 31, 2012 at 5:29
  • 1
    @jevon: of course, you need the private key to prove you are the holder of the certificate (it's not just Tomcat). No, you can't "translate" the certificate into the private key from the certificate only: that's the whole point of asymmetric crypto. If you haven't generated the private key within the keystore in the first place, you can import a private key with a cert into a keystore, but you need to know where it was generated.
    – Bruno
    Commented Jan 31, 2012 at 11:11
