When you are setting up SSL and this message appears in the log (where xxxx is the alias you have set up):
Alias name [xxxx] does not identify a key entry
Example of log:
Caused by: java.lang.IllegalArgumentException: Alias name [cast] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107) ~[tomcat-embed-core-9.0.63.jar!/:na]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.63.jar!/:na]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234) ~[tomcat-embed-core-9.0.63.jar!/:na]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227) ~[tomcat-embed-core-9.0.63.jar!/:na]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1313) ~[tomcat-embed-core-9.0.63.jar!/:na]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:614) ~[tomcat-embed-core-9.0.63.jar!/:na]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1072) ~[tomcat-embed-core-9.0.63.jar!/:na]
Then please follow the solution below.
Release | Yes/No |
---|---|
8.3.x |
RDBMS | Yes/No |
---|---|
CSS |
- Encountered error in logs
The issue normally occurs because the entry stored in the Java keystore under that alias is a certificate-only entry, while the configuration requires the entry to be a certificate/key pair.
This can happen if you were provided a key and certificate separately (normally a *.pem and a *.crt file).
The best solution is to go back to the person who provided this and get a *.pk7 format file and passphrase which would have both the key and certificate in the file, and then import this into the keystore.
Otherwise you need to somehow gain access to the openssl tool and do something like the following (see Secure Socket Layer (SSL) Tools for information on keytool and openssl):
- Convert the key and certificate to a *.p12 type using the openssl tool:
- openssl pkcs12 -export -name cast -in in/file.cer -inkey in/key.pem -out out/keystore.p12
- Then run this keytool command (the source keystore password is the password you give above, the destination is the one for cacerts):
- keytool -importkeystore -destkeystore "C:\Program Files\Java\jdk-11.0.16\lib\security\cacerts" -srckeystore "C:\temp\keystore.p12" -srcstoretype pkcs12 -alias cast
- You may get a warning about migrating from a jks keystore to a pkcs12 keystore.
- Then when you list entries in the keystore, you should see one which has both the key and certificate:
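The following added example (not part of the original article) reproduces the certificate-only condition in a scratch keystore, applies the two steps above, and checks the entry type keytool reports before and after. The temporary paths, the changeit password, the demo.invalid subject and the helper function names are assumptions made for the demo; it needs openssl and keytool on the PATH and writes to a scratch keystore instead of cacerts.

```shell
#!/usr/bin/env bash
# Added example: all files, the password and the subject name are constructed
# for the demo. It works in a temporary directory and never touches cacerts.
ALIAS=cast
PASS=changeit   # constructed demo password

# Print the entry type keytool reports for an alias:
# trustedCertEntry (certificate only) or PrivateKeyEntry (key + certificate).
entry_type() {   # usage: entry_type <keystore> <alias>
  keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null |
    grep -oE 'trustedCertEntry|PrivateKeyEntry' | head -n 1
}

# Reproduce the fault: only the certificate is imported under the alias.
make_cert_only_store() {   # usage: make_cert_only_store <workdir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo.invalid" \
    -keyout "$1/key.pem" -out "$1/file.cer" 2>/dev/null
  keytool -importcert -noprompt -alias "$ALIAS" -file "$1/file.cer" \
    -keystore "$1/broken.p12" -storetype PKCS12 -storepass "$PASS" 2>/dev/null
}

# Apply the two steps: bundle key + certificate, then import the bundle.
make_key_pair_store() {   # usage: make_key_pair_store <workdir>
  openssl pkcs12 -export -name "$ALIAS" -in "$1/file.cer" -inkey "$1/key.pem" \
    -out "$1/keystore.p12" -passout "pass:$PASS"
  keytool -importkeystore -noprompt -alias "$ALIAS" \
    -srckeystore "$1/keystore.p12" -srcstoretype pkcs12 -srcstorepass "$PASS" \
    -destkeystore "$1/fixed.p12" -deststoretype PKCS12 \
    -deststorepass "$PASS" 2>/dev/null
}

demo() {
  work=$(mktemp -d)
  make_cert_only_store "$work" && make_key_pair_store "$work"
  echo "before fix: $(entry_type "$work/broken.p12" "$ALIAS")"
  echo "after fix:  $(entry_type "$work/fixed.p12" "$ALIAS")"
  rm -rf "$work"
}
demo
```

An alias that lists as trustedCertEntry is the certificate-only case described above; the alias the connector uses must list as PrivateKeyEntry.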
If the above steps do not solve your issue, contact CAST Technical Support with the following relevant input.
Relevant input
- CAST Log file
- A detailed list of the steps done
- Screenshots from part of AIP showing the issue
Ticket # 38360