Tomcat SSL Certificate – Alias tomcat name does not identify a key entry

A post that may help someone out if they get into the same situation I did with regard to importing SSL certificates into a Java keystore for Tomcat.

When renewing my certificate, my CA offered to reuse my old CSR (certificate signing request), which I accepted as it saved me a few minutes. Before, I had always started with an empty keystore, generated my private key and CSR, then imported my new certificate along with any others needed to complete the chain. It seemed easy: I just needed to import my new certificate into the old keystore, right?

keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
Enter keystore password:  
keytool error: java.lang.Exception: Certificate not imported, alias <intermed> already exists

I see, I’ve already got a certificate under that alias, so I need to remove it first. Into the manual: the -delete option looks good, and away we go … I delete and then import the 2 certificates that make up the chain, and do the same with my newly issued certificate. I update my Tomcat config, only to be greeted by the following:

LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: Alias name tomcat does not identify a key entry

To cut a long story short, when you use the -delete option of keytool on an alias that holds a private key, it doesn’t just remove the certificate, it removes your private key as well. Adding my new certificate is no use at all if I no longer have the private key that goes with it! The correct thing to do is not to use the -delete option at all, because keytool will not complain if you import a new certificate over the top of an old one in the same alias, e.g. I already have a certificate under the alias ‘tomcat’, but …

keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file mydomain.com.crt
Enter keystore password:  
Certificate was added to keystore
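The renewal procedure above, written up as a script (an added example, not the original post's code): it backs up the keystore, refuses to touch an alias that is not a PrivateKeyEntry, checks that the new certificate's public key matches the key already in the keystore, and then imports over the alias without ever calling -delete. It assumes keytool and openssl are on PATH, the keystore password is in the STOREPASS environment variable, and the keystore path, alias and certificate file name are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes keytool and openssl on PATH,
# the keystore password in $STOREPASS, and placeholder keystore/alias/file names.
set -eu
KEYSTORE="${KEYSTORE:-tomcat.keystore}"
ALIAS="${ALIAS:-tomcat}"

# Pure text check on `keytool -list -v` output: a renewed certificate may only
# be imported over an alias that still holds the private key.
is_private_key_entry() {
    printf '%s\n' "$1" | grep -q '^Entry type: PrivateKeyEntry$'
}

# Two public-key fingerprints must be non-empty and identical; a mismatch
# means the new certificate was not issued for the key in the keystore.
pubkeys_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# SHA-256 over the DER-encoded public key of a PEM certificate read on stdin.
cert_pubkey_fingerprint() {
    openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Safe renewal: back up the keystore, refuse to touch anything but a key
# entry, verify the new certificate matches the existing key, then import it
# over the alias. -delete is never used, so the private key survives.
renew_certificate() {
    new_cert="$1"
    cp -p "$KEYSTORE" "$KEYSTORE.bak.$(date +%Y%m%d%H%M%S)"
    listing=$(keytool -list -v -keystore "$KEYSTORE" -storepass:env STOREPASS \
        -alias "$ALIAS")
    if ! is_private_key_entry "$listing"; then
        echo "alias '$ALIAS' holds no private key; restore a keystore backup" >&2
        return 1
    fi
    old_fp=$(keytool -exportcert -rfc -keystore "$KEYSTORE" \
        -storepass:env STOREPASS -alias "$ALIAS" | cert_pubkey_fingerprint)
    new_fp=$(cert_pubkey_fingerprint < "$new_cert")
    if ! pubkeys_match "$old_fp" "$new_fp"; then
        echo "$new_cert was not issued for the key under '$ALIAS'" >&2
        return 1
    fi
    keytool -importcert -trustcacerts -keystore "$KEYSTORE" \
        -storepass:env STOREPASS -alias "$ALIAS" -file "$new_cert"
}
# Usage: STOREPASS=... ./renew.sh --renew mydomain.com.crt
if [ "${1:-}" = "--renew" ]; then renew_certificate "$2"; fi
```

If the alias check fails, the only fix is the one the comments below describe: restore a keystore that still holds the key, or generate a new key and CSR and have the CA reissue.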

3 thoughts on “Tomcat SSL Certificate – Alias tomcat name does not identify a key entry”

    • You can generate a new private key, but it won’t match the one used to generate the certificate signing request (CSR). You can either:

      – dive into the backup tapes
      or
      – generate a new private key, a new CSR and ask your certificate authority to create you a new certificate based on the new CSR.

  1. Thanks for pointing out the pitfall of using the “-delete” option. BTW – the certificate authority typically is able to reissue a certificate given a new CSR (for the same domain). So the option of going back and starting from the very beginning is probably the least painful one.
