Ok, I worked it out. I had to extract all the intermediate certificates from the root/intermediate certificate, and import them separately.
Thanks for all your help, I have it up and running now!

-----Original Message-----
From: Cybulski, Adam M <acybul...@albany.edu>
Sent: Tuesday, June 26, 2018 2:25 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Alias name does not identify a key entry

I got the same error,

C:\Windows\system32>keytool -certreq -keyalg RSA -alias tomcat -file c:\tomcat8\tomcatreq.csr -keystore c:\Tomcat8\meg.keystore
Enter keystore password:

C:\Windows\system32>keytool -import -alias root -keystore c:\Tomcat8\meg.keystore -trustcacerts -file "C:\Tomcat8\meg_library_albany_edu_interm.cer"
Enter keystore password:
Certificate already exists in system-wide CA keystore under alias <addtrustexternalca>
Do you still want to add it to your own keystore? [no]: y
Certificate was added to keystore

C:\Windows\system32>keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
Enter keystore password:
keytool error: java.lang.Exception: Failed to establish chain from reply

-----Original Message-----
From: Cybulski, Adam M <acybul...@albany.edu>
Sent: Tuesday, June 26, 2018 2:08 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Alias name does not identify a key entry

> Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.
> If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

I did recreate it, I'll do a whole new request rather than an update request. We have an education license, so it's not coming out of my budget!

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Tuesday, June 26, 2018 2:06 PM
To: users@tomcat.apache.org
Subject: Re: Alias name does not identify a key entry

Adam,

On 6/26/18 1:32 PM, Cybulski, Adam M wrote:
> Hi Chris, Thanks for the help,
>
>>> keytool -import -alias meg -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>> That last step should have been to import using the same alias as the first step. That will update the self-signed certificate with the CA-signed certificate.
>
> I deleted the keystore and the certs and started over so there wouldn't be any garbage data in it, I followed all the same steps as before, but when I get to this one I used the command:
>
> keytool -import -alias tomcat -keystore c:\Tomcat8\meg.keystore -file "C:\Tomcat8\meg_library_albany_edu_cert.cer"
>
> It returned the error: keytool error: java.lang.Exception: Failed to establish chain from reply

Did you re-create your private key? I hope you kept a backup otherwise you might have to get your CA to re-sign the certificate from scratch.

If they try to charge you again just say "my key has been compromised and I'd like a replacement". They should do it for free.

>>> Any help you can give me in resolving this error is greatly appreciated.
>
>> You should switch from JKS/JCEKS to PKCS12 keystores, since those Java-specific ones are being deprecated and (not quickly enough) dropped from Java.
>
> Can you aim me at a guide to this? The steps I've been following are just from whatever I've found online. Most of the articles seem pretty dated.

No particular guide (other than the one Mark posted in reply). To use PKCS12 files, just add "-storetype PKCS12" to every command you execute. Otherwise, the default is the JKS "Java KeyStore" keystore type.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
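
The fix reported in the newest message at the top of this thread (importing each certificate of the CA bundle separately, then the signed reply under the key's alias), as an added example that is not part of the original thread. It assumes the bundle is concatenated PEM text; the `chain-N` aliases and the file names in `demo` are hypothetical, and the bundle there is constructed.

```shell
#!/usr/bin/env bash
# Added example: split a CA bundle into one file per certificate and print the
# keytool imports in the order they must run (chain certificates, then reply).
# Assumption: the bundle is concatenated PEM; chain-N aliases are hypothetical.

# split_pem_bundle BUNDLE OUTDIR
# Writes OUTDIR/chain-1.pem, chain-2.pem, ... and echoes how many were found.
split_pem_bundle() {
  bundle=$1; outdir=$2
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/chain-" n ".pem"; inside = 1 }
    inside                        { print > out }
    /-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END                           { print n + 0 }
  ' "$bundle"
}

# import_commands KEYSTORE OUTDIR COUNT KEY_ALIAS REPLY
# Prints (does not run) one import per chain certificate, then the reply import
# under the alias that already holds the private key.
import_commands() {
  keystore=$1; outdir=$2; count=$3; key_alias=$4; reply=$5
  i=1
  while [ "$i" -le "$count" ]; do
    printf 'keytool -import -trustcacerts -alias chain-%s -keystore "%s" -file "%s/chain-%s.pem"\n' \
      "$i" "$keystore" "$outdir" "$i"
    i=$((i + 1))
  done
  printf 'keytool -import -alias %s -keystore "%s" -file "%s"\n' \
    "$key_alias" "$keystore" "$reply"
}

# Dry run on a constructed two-certificate bundle (placeholder bodies, not
# real certificates), so the script runs without keytool or a real keystore.
demo() {
  tmp=$(mktemp -d)
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-INTERMEDIATE' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-ROOT' '-----END CERTIFICATE-----' \
    > "$tmp/bundle.pem"
  n=$(split_pem_bundle "$tmp/bundle.pem" "$tmp/split")
  import_commands meg.keystore "$tmp/split" "$n" tomcat meg_library_albany_edu_cert.cer
}
demo
```

Review the printed commands before running them; for a PKCS12 keystore, append `-storetype PKCS12` to each one as suggested in the thread.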