In this case, I didn't remove every certificate, but I did remove the
certificate that was originally being referenced after adding a new
certificate under a new alias.

Original Keystore:
Alias A
Server.xml _default_ SSLHostConfig points to Alias A

After Modification:
Alias B
Server.xml _default_ SSLHostConfig points to Alias B

<Call reloadSslHostConfigs here>
<Receive error>

If that's not supported, I'll see if I can keep the aliases stable
somehow.  If there is a way to do it, I'd be interested in hearing what it
is.

On Thu, Sep 10, 2020 at 11:34 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Daniel,
>
> On 9/10/20 09:09, Daniel Skiles wrote:
> > Is it possible to change the keystore alias of the _default_
> > SSLHostConfig's certificate while tomcat is running?
> >
> > At present, I'm trying to move the _default_ certificate from one
> > certificate in my keystore, to another.  I modify the server.xml,
> > then I call the reloadSslHostConfigs MBean operation.  The
> > operation throws an error that boils down to a
> > jsse.alias_no_key_entry error that comes back from the JVM.
> >
> > Is this a technical limitation on SNI/SSLHostConfig, or am I
> > missing something here?
>
> Did you remove all server certificates from your keystore and then try
> to bounce the connector? That's not going to work because the
> connector requires a server key and certificate.
>
> Instead of "moving" the cert, consider copying the certificate instead.
>
> -chris

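A pre-flight check for the keystore side of this problem, as an added example that is not part of the original messages or of Tomcat's own code: before calling reloadSslHostConfigs, confirm that every alias server.xml references is a private-key entry in the keystore (an alias holding only a trusted certificate cannot serve as a server key). It assumes the alias is set with the `certificateKeyAlias` attribute and that the keystore password is in a `KS_PASS` environment variable; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify server.xml aliases against the keystore before a reload.
# Assumptions: aliases are set via certificateKeyAlias="..."; the keystore
# password is exported as KS_PASS (kept off the command line on purpose).

# Print each distinct certificateKeyAlias value in server.xml ($1), one per line.
configured_aliases() {
    grep -o 'certificateKeyAlias="[^"]*"' "$1" \
        | sed 's/^[^"]*"//; s/"$//' | sort -u
}

# Succeed only if alias $2 in keystore $1 is a private-key entry.
# keytool fails for an unknown alias and reports "trustedCertEntry" for a
# certificate-only entry, so both cases are rejected here.
alias_has_private_key() {
    keytool -list -keystore "$1" -storepass:env KS_PASS -alias "$2" 2>/dev/null \
        | grep -q 'PrivateKeyEntry'
}

# Check every alias in server.xml ($1) against keystore ($2).
# Returns non-zero if any alias is missing or holds no private key.
check_reload_safe() {
    rc=0
    while IFS= read -r alias; do
        [ -n "$alias" ] || continue
        if alias_has_private_key "$2" "$alias"; then
            echo "ok: '$alias' is a private-key entry"
        else
            echo "FAIL: '$alias' is absent or not a private-key entry" >&2
            rc=1
        fi
    done <<EOF
$(configured_aliases "$1")
EOF
    return "$rc"
}

# Usage: KS_PASS=... sh check.sh conf/server.xml conf/keystore.p12
if [ "$#" -eq 2 ]; then
    check_reload_safe "$1" "$2"
fi
```

Run it after editing the keystore and server.xml and trigger the MBean operation only when it exits 0. A passing check rules out a missing or certificate-only alias, not every cause of a failed reload.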