In this case, I didn't remove every certificate, but I did remove the certificate that was originally being referenced after adding a new certificate under a new alias.
Original Keystore:
Alias A
Server.xml _default_ SSLHostConfig points to Alias A

After Modification:
Alias B
Server.xml _default_ SSLHostConfig points to Alias B

<Call reloadSslHostConfigs here>
<Receive error>

If that's not supported, I'll see if I can keep the aliases stable somehow. If there is a way to do it, I'd be interested in hearing what it is.

On Thu, Sep 10, 2020 at 11:34 AM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Daniel,
>
> On 9/10/20 09:09, Daniel Skiles wrote:
> > Is it possible to change the keystore alias of the _default_
> > SSLHostConfig's certificate while tomcat is running?
> >
> > At present, I'm trying to move the _default_ certificate from one
> > certificate in my keystore, to another. I modify the server.xml,
> > then I call the reloadSslHostConfigs MBean operation. The
> > operation throws an error that boils down to a
> > jsse.alias_no_key_entry error that comes back from the JVM.
> >
> > Is this a technical limitation on SNI/SSLHostConfig, or am I
> > missing something here?
>
> Did you remove all server certificates from your keystore and then try
> to bounce the connector? That's not going to work because the
> connector requires a server key and certificate.
>
> Instead of "moving" the cert, consider copying the certificate instead.
>
> -chris
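
Added example (not part of the original thread, and not Tomcat's own code): the jsse.alias_no_key_entry message discussed above is reported when the configured alias does not identify a key entry, so one way to catch that before calling reloadSslHostConfigs is to inspect the keystore directly. The class name and the KEYSTORE_PASS environment variable are assumptions made for this sketch; it needs Java 9 or later.

```java
import java.io.File;
import java.security.KeyStore;
import java.util.Collections;

/** Pre-flight check: can the alias that server.xml will reference act as a server key? */
public class KeystoreAliasCheck {

    /** Returns null when the alias is usable, otherwise the reason it is not. */
    static String check(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "alias '" + alias + "' not found; keystore holds "
                    + Collections.list(ks.aliases());
        }
        if (!ks.isKeyEntry(alias)) {
            // A certificate-only (trusted cert) entry has no private key,
            // so it cannot be used as the server identity for TLS.
            return "alias '" + alias + "' is a certificate-only entry, not a key entry";
        }
        if (ks.getCertificateChain(alias) == null) {
            return "alias '" + alias + "' has a key but no certificate chain";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // KEYSTORE_PASS is a hypothetical variable name; it keeps the
        // password out of the process argument list.
        String pass = System.getenv("KEYSTORE_PASS");
        if (args.length != 2 || pass == null) {
            System.err.println("usage: KEYSTORE_PASS=... java KeystoreAliasCheck <keystore> <alias>");
            System.exit(2);
        }
        // KeyStore.getInstance(File, char[]) detects JKS vs PKCS12 and loads the file.
        KeyStore ks = KeyStore.getInstance(new File(args[0]), pass.toCharArray());
        String problem = check(ks, args[1]);
        if (problem != null) {
            System.err.println("do not reload: " + problem);
            System.exit(1);
        }
        System.out.println("alias '" + args[1] + "' is a key entry with a certificate chain");
    }
}
```

Run it against the modified keystore with the alias written into server.xml; a non-zero exit means the reload should not be attempted yet.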