For completeness, I must admit that I was unable to use PKCS12 files. I had to use JKS format.
I copied and transformed my cacerts files as per keytool recommendation:

    keytool -importkeystore -srckeystore /usr/lib/jvm/java-15-oracle/lib/security/cacerts -destkeystore /tmp/key/cacerts.pkcs12 -deststoretype pkcs12

Then add Tomcat's localhost key:

    keytool -importkeystore -srckeystore localhost-rsa-key.pem -srcstoretype pkcs12 -destkeystore /tmp/key/cacerts.pkcs12 -deststoretype pkcs12 -srcalias tomcat -destalias tomcat
    keytool error: java.io.IOException: toDerInputStream rejects tag type 45

Try to get the alias from the .pems:

    keytool -list -keystore localhost-rsa-cert.pem -storetype pkcs12
    keytool error: java.io.IOException: toDerInputStream rejects tag type 67

    keytool -list -keystore localhost-rsa-key.pem -storetype pkcs12
    keytool error: java.io.IOException: toDerInputStream rejects tag type 45

I'm certainly doing something wrong, but I'm sticking with JKS for now.
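
An added diagnostic, not part of the original post: the number in `toDerInputStream rejects tag type N` is the decimal value of the file's first byte, so 45 is `-` (the start of a `-----BEGIN` PEM header) and 67 is `C`, whereas a DER-encoded PKCS12 store starts with 48 (0x30, an ASN.1 SEQUENCE). The function name `sniff_store` is hypothetical; it classifies a file by its leading bytes before the file is handed to keytool with `-storetype pkcs12`.

```shell
#!/bin/sh
# Added example (not from the original post).
# Prints "<kind> <first byte in decimal>" so the number can be compared
# directly with the one in keytool's "rejects tag type N" message.
sniff_store() {
    # First four bytes of the file as lowercase hex with no separators.
    magic=$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')
    if [ -z "$magic" ]; then
        echo "empty"
        return 0
    fi
    first=${magic%"${magic#??}"}        # first two hex digits = first byte
    case "$magic" in
        feedfeed) kind="jks" ;;         # JKS keystore magic number
        cececece) kind="jceks" ;;       # JCEKS keystore magic number
        2d2d2d2d) kind="pem" ;;         # "----" as in "-----BEGIN ..."
        30*)      kind="der" ;;         # ASN.1 SEQUENCE: PKCS12 candidate
        *)        kind="other" ;;       # e.g. human-readable text dump
    esac
    echo "$kind $((0x$first))"
}

# Classify every file named on the command line.
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(sniff_store "$f")"
done
```

Only a `der` result is worth passing to keytool as PKCS12. A PEM key and certificate pair is normally packaged first, for example with `openssl pkcs12 -export -inkey localhost-rsa-key.pem -in localhost-rsa-cert.pem -name tomcat -out localhost.p12`.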