Alias name does not identify a key entry

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
12 messages Options
Reply | Threaded
Open this post in threaded view
|

Alias name does not identify a key entry

Cybulski, Adam M

Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm unable to start the SSL connector.

My connector syntax is as follows:

  <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
                           
                           <Connector port="8443"
                           protocol="HTTP/1.1"
                           maxThreads="150"
                           scheme="https"
                           secure="true"
                           SSLEnabled="true"
                           keystoreFile="c:\tomcat8\meg.keystore"
                           keystorePass="keystorepass"
                           keyAlias="meg" />

To which I receive this error in Catalina.log:

SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
 java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does not identify a key entry

However, meg is in my keystore:



Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
68:85:18:68
meg, Jun 25, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:
6F:24:D1:59
tomcat, Jun 25, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
84:C8:16:82

I used these steps to manage the certs:

keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore

keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore

Sent CSR to InCommon CA, downloaded x509 certificate, and x509 intermedites/root certificates.

keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"

keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"

Any help you can give me in resolving this error is greatly appreciated.

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Alias name does not identify a key entry

Jose María Zaragoza
El mar., 26 jun. 2018 a las 17:03, Cybulski, Adam M
(<[hidden email]>) escribió:

>
>
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm unable to start the SSL connector.
>
> My connector syntax is as follows:
>
>   <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="8443" />
>
>                            <Connector port="8443"
>                            protocol="HTTP/1.1"
>                            maxThreads="150"
>                            scheme="https"
>                            secure="true"
>                            SSLEnabled="true"
>                            keystoreFile="c:\tomcat8\meg.keystore"
>                            keystorePass="keystorepass"
>                            keyAlias="meg" />
>
> To which I receive this error in Catalina.log:
>
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
>  java.lang.IllegalArgumentException: java.io.IOException: Alias name meg does not identify a key entry
>
> However, meg is in my keystore:
>
>
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> root, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
> 68:85:18:68
> meg, Jun 25, 2018, trustedCertEntry,
> Certificate fingerprint (SHA1): 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B:
> 6F:24:D1:59
> tomcat, Jun 25, 2018, PrivateKeyEntry,
> Certificate fingerprint (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
> 84:C8:16:82
>
> I used these steps to manage the certs:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore c:\Tomcat8\meg.keystore
>
> keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
>
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509 intermedites/root certificates.
>
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
>
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> Any help you can give me in resolving this error is greatly appreciated.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>

Hi

I guess that meg entry should be a PrivateKeyEntry ( public
certificate + private key ) , not a trustedCertEntry
I think that meg_library_albany_edu_cert.cer only contains a public certificate

Honestly, I use openssl to create .p12 key stores
Something like

openssl pkcs12 -export -in MYCERT.crt -inkey MYKEY.key -out
KEYSTORE.p12 -name "meg" -CAfile MY-CA-CERT.crt -caname myCA -chain

Regards

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Alias name does not identify a key entry

Christopher Schultz-2
In reply to this post by Cybulski, Adam M
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:

>
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm
> unable to start the SSL connector.
>
> My connector syntax is as follows:
>
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000" redirectPort="8443" />  <Connector
> port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
> secure="true" SSLEnabled="true"
> keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass"
>  keyAlias="meg" />
>
> To which I receive this error in Catalina.log:
>
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to
> initialize end point associated with ProtocolHandler
> ["https-openssl-nio-8443"] java.lang.IllegalArgumentException:
> java.io.IOException: Alias name meg does not identify a key entry
>
> However, meg is in my keystore:
>
>
>
> Keystore type: JKS Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> root, Jun 25, 2018, trustedCertEntry, Certificate fingerprint
> (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
> 68:85:18:68 meg, Jun 25, 2018, trustedCertEntry, Certificate
> fingerprint (SHA1):
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B: 6F:24:D1:59

The error message is correct: your alias identifies a "trusted
certificate", not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry, Certificate fingerprint
> (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
> 84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore
> c:\Tomcat8\meg.keystore
>
> keytool -certreq -keyalg RSA -alias tomcat -file
> c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
>
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509
> intermedites/root certificates.
>
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore
> -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
>
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the
first step. That will update the self-signed certificate with the
CA-signed certificate.

> Any help you can give me in resolving this error is greatly
> appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those
Java-specific ones are being deprecated and (not quickly enough)
dropped from Java.

Hope that helps.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsyZlUACgkQHPApP6U8
pFjiZw/8DNy8rCDQoHKObIUnulVvOQt8IdiAwur59AKZ68Y7m3l0xLOFceZ5w67I
OdAWEwQtizmqGnvZ7E0jVl4UGDPUj4UXS+9WOFH3tM4W9Fu9Xjjn2qWTiczaGmFv
ndzKoWbMsE6ZEwMEpo6XQmRkKjKYznGZlecrfO7oir8CNp2+ocLk+iQ404tZwL/P
DLdXHsiZ5qMhJ4FWfiYk7YVihNBiZJz34+uKQXygcafHKr4qUxo5KB8gKK9TSuxY
I7SN9HnmLFfQhhItbOr1X/sL6EZTJRst/gPEGLw0xtRsAQDOMfMCzQxBK8qQu3Mz
uNpqtw1pVaaIZ6bnxeCbqzi5RGpV3UYMFX1P8p0/SXIc/aEYyomlJl2P1eeLOfY4
v7DufmivvxpprSf5Wy8bU2ShrbpaOrlK9riIy50tznoDzsB4nY0LLkByGUhYqHYL
5xUX4PHTDbubLKdGqNU+18EJdopMVatYnYirU0y0FWDJWMeiAJWyBKnuzPA98P60
fafba7J2VWz4u74ztTfxtcIKR2t9teMQn0fcJxrcbwaBEXl+kM8k1nzFx+LYndY0
jQAmmzL1nI/ECZfHdRdO37hJxGAnMAau4gSdTsL/E293Dreew2vJe3zo18G9p5v3
fIvyCco+V9SccbPxn+fI6ZHck8/wwTcwK/ThgoBv3abyCZvLHEg=
=q1tu
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: Alias name does not identify a key entry

Cybulski, Adam M
Hi Chris, Thanks for the help,

>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>That last step should have been to import using the same alias as the first step. That will update the self-signed >certificate with the CA-signed certificate.

I deleted the keystore and the certs and started over so there wouldn't be any garbage data in it, I followed all the same steps as before, but when I get to this one I used the command:

keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"

It returned the error: keytool error: java.lang.Exception: Failed to establish chain from reply

>> Any help you can give me in resolving this error is greatly
>> appreciated.

>You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and >(not quickly enough) dropped from Java.

Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

-----Original Message-----
From: Christopher Schultz <[hidden email]>
Sent: Tuesday, June 26, 2018 12:14 PM
To: [hidden email]
Subject: Re: Alias name does not identify a key entry

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Adam,

On 6/26/18 11:03 AM, Cybulski, Adam M wrote:

>
> Hello, I'm using Tomcat 8.5.4, on a server 2008R2 machine,  and I'm
> unable to start the SSL connector.
>
> My connector syntax is as follows:
>
> <Connector port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000" redirectPort="8443" />  <Connector
> port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
> secure="true" SSLEnabled="true"
> keystoreFile="c:\tomcat8\meg.keystore" keystorePass="keystorepass"
>  keyAlias="meg" />
>
> To which I receive this error in Catalina.log:
>
> SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to
> initialize end point associated with ProtocolHandler
> ["https-openssl-nio-8443"] java.lang.IllegalArgumentException:
> java.io.IOException: Alias name meg does not identify a key entry
>
> However, meg is in my keystore:
>
>
>
> Keystore type: JKS Keystore provider: SUN
>
> Your keystore contains 3 entries
>
> root, Jun 25, 2018, trustedCertEntry, Certificate fingerprint
> (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:
> 68:85:18:68 meg, Jun 25, 2018, trustedCertEntry, Certificate
> fingerprint (SHA1):
> 72:66:E4:05:94:C4:5B:4A:8A:26:20:F1:C5:7D:73:3B: 6F:24:D1:59

The error message is correct: your alias identifies a "trusted certificate", not a private key. So use the "private key" alias instead:

> tomcat, Jun 25, 2018, PrivateKeyEntry, Certificate fingerprint
> (SHA1): AC:D9:3B:37:E4:37:A3:E7:D2:27:D1:CF:88:D3:79:70:
> 84:C8:16:82

^^^ This one.

> I used these steps to manage the certs:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore
> c:\Tomcat8\meg.keystore
>
> keytool -certreq -keyalg RSA -alias tomcat -file
> c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
>
> Sent CSR to InCommon CA, downloaded x509 certificate, and x509
> intermedites/root certificates.
>
> keytool -import -alias root -keystore c:\Tomcat8\meg.keystore
> -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
>
> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"

That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.

> Any help you can give me in resolving this error is greatly
> appreciated.

You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.

Hope that helps.
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsyZlUACgkQHPApP6U8
pFjiZw/8DNy8rCDQoHKObIUnulVvOQt8IdiAwur59AKZ68Y7m3l0xLOFceZ5w67I
OdAWEwQtizmqGnvZ7E0jVl4UGDPUj4UXS+9WOFH3tM4W9Fu9Xjjn2qWTiczaGmFv
ndzKoWbMsE6ZEwMEpo6XQmRkKjKYznGZlecrfO7oir8CNp2+ocLk+iQ404tZwL/P
DLdXHsiZ5qMhJ4FWfiYk7YVihNBiZJz34+uKQXygcafHKr4qUxo5KB8gKK9TSuxY
I7SN9HnmLFfQhhItbOr1X/sL6EZTJRst/gPEGLw0xtRsAQDOMfMCzQxBK8qQu3Mz
uNpqtw1pVaaIZ6bnxeCbqzi5RGpV3UYMFX1P8p0/SXIc/aEYyomlJl2P1eeLOfY4
v7DufmivvxpprSf5Wy8bU2ShrbpaOrlK9riIy50tznoDzsB4nY0LLkByGUhYqHYL
5xUX4PHTDbubLKdGqNU+18EJdopMVatYnYirU0y0FWDJWMeiAJWyBKnuzPA98P60
fafba7J2VWz4u74ztTfxtcIKR2t9teMQn0fcJxrcbwaBEXl+kM8k1nzFx+LYndY0
jQAmmzL1nI/ECZfHdRdO37hJxGAnMAau4gSdTsL/E293Dreew2vJe3zo18G9p5v3
fIvyCco+V9SccbPxn+fI6ZHck8/wwTcwK/ThgoBv3abyCZvLHEg=
=q1tu
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Alias name does not identify a key entry

markt
On 26/06/18 18:32, Cybulski, Adam M wrote:

> Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

http://tomcat.apache.org/presentations.html

Look for the TLS generation presentation from the 2016 webinar series.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Alias name does not identify a key entry

Christopher Schultz-2
In reply to this post by Cybulski, Adam M
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:

> Hi Chris, Thanks for the help,
>
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore
>>> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as
>> the first step. That will update the self-signed >certificate
>> with the CA-signed certificate.
>
> I deleted the keystore and the certs and started over so there
> wouldn't be any garbage data in it, I followed all the same steps
> as before, but when I get to this one I used the command:
>
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore
> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> It returned the error: keytool error: java.lang.Exception: Failed
> to establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise
you might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised
and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly
>>> appreciated.
>
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those
>> Java-specific ones are being deprecated and >(not quickly enough)
>> dropped from Java.
>
> Can you aim me at a guide to this? The steps I've been following
> are just from whatever I've found online. Most of the articles seem
> pretty dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you
execute. Otherwise, the default is the JKS "Java KeyStore" keystore type
.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsygIUACgkQHPApP6U8
pFjTKg/+JnQsmqcgOCStpBbJSy3Uh4gYrFWCKWEu3EzJJ7cOxoFDY5SbCNV27D+8
3QgTwQF2wyJOF63fQqyRD8vJrUBavIeIDQyvXyQqOD3OPHR9SgESkTthUEbqjLjM
D83DtogUEvE4IPyeuguticYmETGaIrHvvU27jyYJcNNSjTYHS/iJQQifD/vbyaBS
TsTzDYtT2h4B+nd+oEPEBr2c0jeUwf1fCghp4fVGspFVccFze0LZpYrqoi4K/op1
xyoCnS5H9vDfSpC3DlJZVgEWWQ6vEgSSG8E66IdLxk591QkfK3DzuyRpqglyDVdE
i7fexaVYlQ5lvEQzYOOFktrfteCJDOBZTCXRxvGqfspwG0sjbejR/cSfL4/cD2Xx
1EEotZ8LrfxhoUKpm9hxdRMRaUHlaUrAHLyupacx/MKqVZA5SIlD7pLpA7+iSzfF
uI1eYWJWVjqLZEWVx2JWpKZNOPJ0R95hRRMLCOgG9n0JiFTAup4Mcrirt8GJgNyq
HHP5mUo3yMfqhy73tu0kaXTfkFyeCSdNtZhrq1Rat4MtlGaXpuvm8K/HLFXYndAr
nd0pBuVN0e5TesRk3/5pxiToYZcSoGeTW6sqMgnqj2tFCAvAWKtA4bVtb1lG7Wp2
mpYbkRLntVw05zN9ThLfNTJXVTx1f9LDT91/NSh61r4SbcN3v8A=
=WIvh
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

RE: Alias name does not identify a key entry

Cybulski, Adam M
>Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA >to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd like a replacement". They >should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. We have an education license, so it's not coming out of my budget!

-----Original Message-----
From: Christopher Schultz <[hidden email]>
Sent: Tuesday, June 26, 2018 2:06 PM
To: [hidden email]
Subject: Re: Alias name does not identify a key entry

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:

> Hi Chris, Thanks for the help,
>
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
>>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the
>> first step. That will update the self-signed >certificate with the
>> CA-signed certificate.
>
> I deleted the keystore and the certs and started over so there
> wouldn't be any garbage data in it, I followed all the same steps as
> before, but when I get to this one I used the command:
>
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> It returned the error: keytool error: java.lang.Exception: Failed to
> establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly
>>> appreciated.
>
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those
>> Java-specific ones are being deprecated and >(not quickly enough)
>> dropped from Java.
>
> Can you aim me at a guide to this? The steps I've been following are
> just from whatever I've found online. Most of the articles seem pretty
> dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you execute. Otherwise, the default is the JKS "Java KeyStore" keystore type .

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsygIUACgkQHPApP6U8
pFjTKg/+JnQsmqcgOCStpBbJSy3Uh4gYrFWCKWEu3EzJJ7cOxoFDY5SbCNV27D+8
3QgTwQF2wyJOF63fQqyRD8vJrUBavIeIDQyvXyQqOD3OPHR9SgESkTthUEbqjLjM
D83DtogUEvE4IPyeuguticYmETGaIrHvvU27jyYJcNNSjTYHS/iJQQifD/vbyaBS
TsTzDYtT2h4B+nd+oEPEBr2c0jeUwf1fCghp4fVGspFVccFze0LZpYrqoi4K/op1
xyoCnS5H9vDfSpC3DlJZVgEWWQ6vEgSSG8E66IdLxk591QkfK3DzuyRpqglyDVdE
i7fexaVYlQ5lvEQzYOOFktrfteCJDOBZTCXRxvGqfspwG0sjbejR/cSfL4/cD2Xx
1EEotZ8LrfxhoUKpm9hxdRMRaUHlaUrAHLyupacx/MKqVZA5SIlD7pLpA7+iSzfF
uI1eYWJWVjqLZEWVx2JWpKZNOPJ0R95hRRMLCOgG9n0JiFTAup4Mcrirt8GJgNyq
HHP5mUo3yMfqhy73tu0kaXTfkFyeCSdNtZhrq1Rat4MtlGaXpuvm8K/HLFXYndAr
nd0pBuVN0e5TesRk3/5pxiToYZcSoGeTW6sqMgnqj2tFCAvAWKtA4bVtb1lG7Wp2
mpYbkRLntVw05zN9ThLfNTJXVTx1f9LDT91/NSh61r4SbcN3v8A=
=WIvh
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Alias name does not identify a key entry

Cybulski, Adam M
I got the same error,

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\
tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystor
e -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <addtrustexter
nalca>
Do you still want to add it to your own keystore? [no]:  y
Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keyst
ore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply




-----Original Message-----
From: Cybulski, Adam M <[hidden email]>
Sent: Tuesday, June 26, 2018 2:08 PM
To: Tomcat Users List <[hidden email]>
Subject: RE: Alias name does not identify a key entry

>Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA >to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd like a replacement". They >should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. We have an education license, so it's not coming out of my budget!

-----Original Message-----
From: Christopher Schultz <[hidden email]>
Sent: Tuesday, June 26, 2018 2:06 PM
To: [hidden email]
Subject: Re: Alias name does not identify a key entry

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:

> Hi Chris, Thanks for the help,
>
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
>>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the
>> first step. That will update the self-signed >certificate with the
>> CA-signed certificate.
>
> I deleted the keystore and the certs and started over so there
> wouldn't be any garbage data in it, I followed all the same steps as
> before, but when I get to this one I used the command:
>
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> It returned the error: keytool error: java.lang.Exception: Failed to
> establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly
>>> appreciated.
>
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those
>> Java-specific ones are being deprecated and >(not quickly enough)
>> dropped from Java.
>
> Can you aim me at a guide to this? The steps I've been following are
> just from whatever I've found online. Most of the articles seem pretty
> dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you execute. Otherwise, the default is the JKS "Java KeyStore" keystore type .

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsygIUACgkQHPApP6U8
pFjTKg/+JnQsmqcgOCStpBbJSy3Uh4gYrFWCKWEu3EzJJ7cOxoFDY5SbCNV27D+8
3QgTwQF2wyJOF63fQqyRD8vJrUBavIeIDQyvXyQqOD3OPHR9SgESkTthUEbqjLjM
D83DtogUEvE4IPyeuguticYmETGaIrHvvU27jyYJcNNSjTYHS/iJQQifD/vbyaBS
TsTzDYtT2h4B+nd+oEPEBr2c0jeUwf1fCghp4fVGspFVccFze0LZpYrqoi4K/op1
xyoCnS5H9vDfSpC3DlJZVgEWWQ6vEgSSG8E66IdLxk591QkfK3DzuyRpqglyDVdE
i7fexaVYlQ5lvEQzYOOFktrfteCJDOBZTCXRxvGqfspwG0sjbejR/cSfL4/cD2Xx
1EEotZ8LrfxhoUKpm9hxdRMRaUHlaUrAHLyupacx/MKqVZA5SIlD7pLpA7+iSzfF
uI1eYWJWVjqLZEWVx2JWpKZNOPJ0R95hRRMLCOgG9n0JiFTAup4Mcrirt8GJgNyq
HHP5mUo3yMfqhy73tu0kaXTfkFyeCSdNtZhrq1Rat4MtlGaXpuvm8K/HLFXYndAr
nd0pBuVN0e5TesRk3/5pxiToYZcSoGeTW6sqMgnqj2tFCAvAWKtA4bVtb1lG7Wp2
mpYbkRLntVw05zN9ThLfNTJXVTx1f9LDT91/NSh61r4SbcN3v8A=
=WIvh
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

RE: Alias name does not identify a key entry

Cybulski, Adam M
Ok, I worked it out. I had to extract all the intermediate certificates from the root/intermediate certificate, and import them separately.

Thanks for all your help, I have it up and running now!

-----Original Message-----
From: Cybulski, Adam M <[hidden email]>
Sent: Tuesday, June 26, 2018 2:25 PM
To: Tomcat Users List <[hidden email]>
Subject: RE: Alias name does not identify a key entry

I got the same error,

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\ tomcatreq.csr -keystore c:\Tomcat8\meg.keystore Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystor e -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <addtrustexter
nalca>
Do you still want to add it to your own keystore? [no]:  y Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keyst ore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply




-----Original Message-----
From: Cybulski, Adam M <[hidden email]>
Sent: Tuesday, June 26, 2018 2:08 PM
To: Tomcat Users List <[hidden email]>
Subject: RE: Alias name does not identify a key entry

>Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA >to re-sign the certificate from scratch.
>If they try to charge you again just say "my key has been compromised and I'd like a replacement". They >should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. We have an education license, so it's not coming out of my budget!

-----Original Message-----
From: Christopher Schultz <[hidden email]>
Sent: Tuesday, June 26, 2018 2:06 PM
To: [hidden email]
Subject: Re: Alias name does not identify a key entry

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:

> Hi Chris, Thanks for the help,
>
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file
>>> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the
>> first step. That will update the self-signed >certificate with the
>> CA-signed certificate.
>
> I deleted the keystore and the certs and started over so there
> wouldn't be any garbage data in it, I followed all the same steps as
> before, but when I get to this one I used the command:
>
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> It returned the error: keytool error: java.lang.Exception: Failed to
> establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.
If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly
>>> appreciated.
>
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those
>> Java-specific ones are being deprecated and >(not quickly enough)
>> dropped from Java.
>
> Can you aim me at a guide to this? The steps I've been following are
> just from whatever I've found online. Most of the articles seem pretty
> dated.

No particular guide (other than the one Mark posted in reply). To use
PKCS12 files, just add "-storetype PKCS12" to every command you execute. Otherwise, the default is the JKS "Java KeyStore" keystore type .

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsygIUACgkQHPApP6U8
pFjTKg/+JnQsmqcgOCStpBbJSy3Uh4gYrFWCKWEu3EzJJ7cOxoFDY5SbCNV27D+8
3QgTwQF2wyJOF63fQqyRD8vJrUBavIeIDQyvXyQqOD3OPHR9SgESkTthUEbqjLjM
D83DtogUEvE4IPyeuguticYmETGaIrHvvU27jyYJcNNSjTYHS/iJQQifD/vbyaBS
TsTzDYtT2h4B+nd+oEPEBr2c0jeUwf1fCghp4fVGspFVccFze0LZpYrqoi4K/op1
xyoCnS5H9vDfSpC3DlJZVgEWWQ6vEgSSG8E66IdLxk591QkfK3DzuyRpqglyDVdE
i7fexaVYlQ5lvEQzYOOFktrfteCJDOBZTCXRxvGqfspwG0sjbejR/cSfL4/cD2Xx
1EEotZ8LrfxhoUKpm9hxdRMRaUHlaUrAHLyupacx/MKqVZA5SIlD7pLpA7+iSzfF
uI1eYWJWVjqLZEWVx2JWpKZNOPJ0R95hRRMLCOgG9n0JiFTAup4Mcrirt8GJgNyq
HHP5mUo3yMfqhy73tu0kaXTfkFyeCSdNtZhrq1Rat4MtlGaXpuvm8K/HLFXYndAr
nd0pBuVN0e5TesRk3/5pxiToYZcSoGeTW6sqMgnqj2tFCAvAWKtA4bVtb1lG7Wp2
mpYbkRLntVw05zN9ThLfNTJXVTx1f9LDT91/NSh61r4SbcN3v8A=
=WIvh
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

B KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB  [  X  ܚX KK[XZ[
 \ \  ][  X  ܚX P X ]
 \X K ܙ B  ܈Y][ۘ[  [X[  K[XZ[
 \ \  Z[ X ]
 \X K ܙ B

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Alias name does not identify a key entry

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Adam,

On 6/26/18 2:36 PM, Cybulski, Adam M wrote:
> Ok, I worked it out. I had to extract all the intermediate
> certificates from the root/intermediate certificate, and import
> them separately.

Yes, yet another thing that keytool isn't good at is importing
multiple certificates at once. It appears to work (i.e. doesn't
complain when importing a file containing multiple certificates) but
only imports the first one.

The great thing about using PKCS12 files is that you can abandon
keytool altogether except for testing (to see if Java can read the
file properly). OpenSSL's PKCs12 tools are more flexible than Java's
keytool.

- -chris

> Thanks for all your help, I have it up and running now!
>
> -----Original Message----- From: Cybulski, Adam M
> <[hidden email]> Sent: Tuesday, June 26, 2018 2:25 PM To:
> Tomcat Users List <[hidden email]> Subject: RE: Alias name
> does not identify a key entry
>
> I got the same error,
>
> C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat
> -file c:\tomcat8\ tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
> Enter keystore password:
>
> C:\Windows\system32>keytool -import -alias root -keystore
> c:\Tomcat8\meg.keystor e -trustcacerts -file
> "C:\Tomcat8\meg_library_albany_edu_interm.cer" Enter keystore
> password: Certificate already exists in system-wide CA keystore
> under alias <addtrustexter nalca> Do you still want to add it to
> your own keystore? [no]:  y Certificate was added to keystore
>
> C:\Windows\system32>keytool -import -alias tomcat -keystore
> c:\Tomcat8\meg.keyst ore -file
> "C:\Tomcat8\meg_library_albany_edu_cert.cer" Enter keystore
> password: keytool error: java.lang.Exception: Failed to establish
> chain from reply
>
>
>
>
> -----Original Message----- From: Cybulski, Adam M
> <[hidden email]> Sent: Tuesday, June 26, 2018 2:08 PM To:
> Tomcat Users List <[hidden email]> Subject: RE: Alias name
> does not identify a key entry
>
>> Did you re-create your private key? I hope you kept a backup
>> otherwise you might have to get your CA >to re-sign the
>> certificate from scratch. If they try to charge you again just
>> say "my key has been compromised and I'd like a replacement".
>> They >should do it for free.
>
> I did recreate it, I'll do a whole new request rather than an
> update request. We have an education license, so it's not coming
> out of my budget!
>
> -----Original Message----- From: Christopher Schultz
> <[hidden email]> Sent: Tuesday, June 26, 2018 2:06
> PM To: [hidden email] Subject: Re: Alias name does not
> identify a key entry
>
> Adam,
>
> On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
>> Hi Chris, Thanks for the help,
>
>>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore
>>>> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>>> That last step should have been to import using the same alias
>>> as the first step. That will update the self-signed
>>> >certificate with the CA-signed certificate.
>
>> I deleted the keystore and the certs and started over so there
>> wouldn't be any garbage data in it, I followed all the same steps
>> as before, but when I get to this one I used the command:
>
>> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore
>> -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
>> It returned the error: keytool error: java.lang.Exception: Failed
>> to establish chain from reply
>
> Did you re-create your private key? I hope you kept a backup
> otherwise you might have to get your CA to re-sign the certificate
> from scratch. If they try to charge you again just say "my key has
> been compromised and I'd like a replacement". They should do it for
> free.
>
>>>> Any help you can give me in resolving this error is greatly
>>>> appreciated.
>
>>> You should switch from JKS/JCEKS to PKCS12 keystores, since
>>> those Java-specific ones are being deprecated and >(not quickly
>>> enough) dropped from Java.
>
>> Can you aim me at a guide to this? The steps I've been following
>> are just from whatever I've found online. Most of the articles
>> seem pretty dated.
>
> No particular guide (other than the one Mark posted in reply). To
> use PKCS12 files, just add "-storetype PKCS12" to every command you
> execute. Otherwise, the default is the JKS "Java KeyStore" keystore
> type .
>
> -chris
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: [hidden email]

> For additional commands, e-mail: [hidden email]
>
> B
> KKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKKCB
>  [  X  ܚX KK[XZ[ \ \  ][  X  ܚX P X ] \X K ܙ B
> ܈Y][ۘ[  [X[  K[XZ[ \ \  Z[ X ] \X K ܙ B
>
> ---------------------------------------------------------------------
>
>
To unsubscribe, e-mail: [hidden email]
> For additional commands, e-mail: [hidden email]
>
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlszjswACgkQHPApP6U8
pFi4pBAAnTSKdGlAME6hjRwfOdFctmjvXKY3+bsdpemgbxEwnm6Q2ZiwWY+cya2p
NfvqsolHmlpe0ZQR3pKAj206S3ddUUkm6v7ZNRvdgW0AguXr5SEQrdnpG/2NK79/
Kk1dwgPopR2QxyL3h3XmUunLfM9F5F/znztUL7LJacIy+JrtrC3wmncuoBz/RZrB
RVP3HaFh5QPYXePYCqJewd1AlIR4HaR8rzdVtkRvRAe5Ze5QW7mTm3ruV+fryyl7
X0HrDsnR3tF02yU9q/tS0WP1OM3KMbVIRcEFHm0m7Fbtx+tEsuO8DrIZa7nNBDB7
p4M/3r4HG2r/RSYj7UEMCXxuxGN5ykm0UaxwrsJsqmagYxFp1dgt3hyF5wB4wHGP
mJdXnkWb4G3ovr0B3gWX06vxeVLTal9IOco/vSUL/Gd30wJTsIlIDFIhzTYbWhXg
hQ9BzlsgG0eyi13RJfGEuy7CKWDuzpty1aaFQ3NQ3OY1V0HN3mNB2LYH+gHozMi3
Zay2if7U7sNJLKurZ3mgxhqIWgGp0oIH4yu4d41u15SK1+nt9Ua4xlqRPUTMyOgZ
cBKjSdF0dyc/GeICLX0pGKK/dV5QFqN5gbUNughfB9WtLGzqeL3Kz3EK45WbM03Y
x8QAv+tTzxFb43uGpQD3oLXSFiMHI4+3sTa187EiGUUN6NhUwno=
=iYNL
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Alias name does not identify a key entry

Shawn Heisey
In reply to this post by markt
On 6/26/2018 11:42 AM, Mark Thomas wrote:
> On 26/06/18 18:32, Cybulski, Adam M wrote:
>> Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.
> http://tomcat.apache.org/presentations.html
>
> Look for the TLS generation presentation from the 2016 webinar series.

I don't see anything in that presentation about pkcs12.  I see PEM for
the APR connector and JKS for the java connectors.

Can Java programs like Tomcat use pkcs12 stores created by other tools? 
I know how to use openssl to create a pkcs12 file for software on
Windows (typically for IIS, which is used by Exchange).  I use a command
like this:

openssl pkcs12 -export -in www.example.com.pem -inkey www.example.com.key \
  -out examplecert.p12 -CAfile intermediate.pem

Thanks,
Shawn


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: Alias name does not identify a key entry

Christopher Schultz-2
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Shawn,

On 6/27/18 1:27 PM, Shawn Heisey wrote:

> On 6/26/2018 11:42 AM, Mark Thomas wrote:
>> On 26/06/18 18:32, Cybulski, Adam M wrote:
>>> Can you aim me at a guide to this? The steps I've been
>>> following are just from whatever I've found online. Most of the
>>> articles seem pretty dated.
>> http://tomcat.apache.org/presentations.html
>>
>> Look for the TLS generation presentation from the 2016 webinar
>> series.
>
> I don't see anything in that presentation about pkcs12.  I see PEM
> for the APR connector and JKS for the java connectors.
>
> Can Java programs like Tomcat use pkcs12 stores created by other
> tools? I know how to use openssl to create a pkcs12 file for
> software on Windows (typically for IIS, which is used by Exchange).
> I use a command like this:
>
> openssl pkcs12 -export -in www.example.com.pem -inkey
> www.example.com.key \ -out examplecert.p12 -CAfile
> intermediate.pem

Tomcat doesn't do anything special with a keystore that any other
Java-based software might do. Theoretically, all keystore types
supported by Java are equivalent. All Tomcat does is call
KeyStore.getInstance(keystoreType) or whatever. The keystore type is
passed directly into the Java API.

I have recently been switching from JKS keystores to PKCS12 and I
haven't had any problems using openssl's pkcs12 command to manipulate
anything.

That being said, Java sometimes complains about things that really
shouldn't be a problem, such as having a keystore entry without an
alias (which is legal, and I believe openssl will let you do it). So
YMMV but you should be able to "correct" any of those issues with
another tool (e.g. openssl's pkcs12) and get it to work.

But Tomcat doesn't care.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlsz8k0ACgkQHPApP6U8
pFgLIxAAgYJQ4wxTLBv/hoA9iV0BmQ5cRaHOZtwRibfqQegGmkb5Gx8nNwC8wlAQ
Q5zDSLN4cZUWKl3CFZAzO1LaIPGku+cU850eVoC6EQAvIPl1yfCfcKU50pYe2pya
gEquS/QRF+23DV5uggv/3X1tUJAnMF2Xc/QNgRA0d8ovD8dVrYMhRu2S4Ze7ofVA
uqQHHQHXejpkzAJeNt5he1zq1NhZseJqL2t/QBy/KMWG4cUPk+e7BVx3LkrmJQyW
t5hjRa2JmIof3/B7pIEdrbPY9gOh9G1+FYkI/L3V4QTjjThnQEOHA/LhgUOBsXCd
zfpgPIg5vfR08D0r5gc4AsLQbRKoTIEz+DflAiclvXHt4hYA39S9TtU5kxEOv0O/
LsIB3Iyau0BlKHbSQZXXFt2lKaZ7Pkz8rWTON/K9opWWs/hqEgKNs2GOCT7c2NVz
LkK76km2gdHBRjjnT0a5QICAHLMiLYB8j7XhmmYyK7+rMm2eyttE1OujZ4Zr8bia
r3X29NhU8jMSp6Q1l9IfFtc7jLDhqs+NNFQMqa7DnKSdS/ekuuSh//xYseagz0ZY
uHk8vlMjoGTRiRUIrtR43uHRpv8wPfyB+D2/6ckCDW7sNwgVFLbA3V97EjOwDw8m
0GNLYgwdo/83OG33i1M7qXeieTLDjVt1jki2M2Vc7kcn0eekKtY=
=CY6R
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]