A post that may help someone out if they get into the same situation I did with regards to importing SSL certificates into a java keystore for Tomcat.
When renewing my certificate, my CA offered to reuse my old CSR (certificate signing request), which I accepted as it saved me a few minutes. Before, I’d always started with an empty keystore, generated my private key and CSR, then imported my new certificate along with any intermediates needed to complete the chain. It seemed easy: I just needed to import my new certificate into the old keystore, right?
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt
Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias
I see, I’ve already got a certificate under that alias, so I need to remove it first. Into the manual: the -delete option looks good, and away we go … I delete and then re-import the two certificates that make up the chain, and do the same with my newly issued certificate. I update my Tomcat config, only to be greeted by the following:
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: Alias name tomcat does not identify a key entry
To cut a long story short: when you use keytool’s -delete option on an alias that holds a private key, it doesn’t just remove the certificate, it removes the whole entry, private key included. Adding my new certificate is all well and good, except that there is no longer a private key for it to pair with! The correct thing to do is not to use -delete at all. When you -import a certificate into an alias that already holds a key entry, keytool treats it as the reply to that key’s CSR, checks that it matches the private key, and replaces the old certificate chain while leaving the key untouched. So, e.g., I already have a certificate in the alias ‘tomcat’, but …
keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file mydomain.com.crt
Enter keystore password:
Certificate was added to keystore
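As an added example (not part of the original post, and not a keytool feature), here is a small POSIX shell pre-flight guard for the renewal flow described above. It parses the "Entry type:" field of `keytool -list -v` output to tell a PrivateKeyEntry from a trustedCertEntry, refuses to run `keytool -delete` on the former, and performs the renewal by backing the keystore up and importing the renewed certificate over the existing alias. The keystore path, alias names and the sample listing are constructed; `safe_delete` and `renew_cert` assume keytool is on PATH, while the parser itself runs offline.

```shell
# Added example, not from the original post: guard against `keytool -delete`
# on an alias that holds a private key, and do the renewal the safe way.
# The sample listing, keystore path and alias names below are constructed.

# entry_type ALIAS < listing
# Prints the "Entry type" recorded for ALIAS in a `keytool -list -v` listing
# read from stdin (PrivateKeyEntry or trustedCertEntry), or nothing if the
# alias does not appear.
entry_type() {
  awk -v want="$1" '
    $1 == "Alias" && $2 == "name:" { in_alias = ($3 == want); next }
    in_alias && $1 == "Entry" && $2 == "type:" { print $3; exit }
  '
}

# Constructed `keytool -list -v` excerpt: one key entry (the Tomcat
# server key) and one trusted-certificate entry (an intermediate CA).
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Jan 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 3

*******************************************
*******************************************

Alias name: intermed
Creation date: Jan 1, 2020
Entry type: trustedCertEntry
'

# sample_entry_type ALIAS
# Classifies an alias using the constructed listing (no keytool required).
sample_entry_type() {
  printf '%s' "$SAMPLE_LISTING" | entry_type "$1"
}

# safe_delete KEYSTORE ALIAS
# Deletes ALIAS only when it is a trustedCertEntry. A PrivateKeyEntry is
# left alone, because -delete removes the private key along with the
# certificate chain. Returns 1 when it refuses. Requires keytool on PATH.
safe_delete() {
  ks="$1"; al="$2"
  type=$(keytool -list -v -keystore "$ks" | entry_type "$al")
  if [ "$type" = "PrivateKeyEntry" ]; then
    echo "refusing: alias '$al' holds a private key; import the renewed certificate over it instead" >&2
    return 1
  fi
  keytool -delete -alias "$al" -keystore "$ks"
}

# renew_cert KEYSTORE ALIAS CERTFILE
# Backs up the keystore, then imports the renewed certificate over the
# existing key entry. keytool treats it as the reply to the original CSR
# and replaces the chain while keeping the private key. Requires keytool.
renew_cert() {
  ks="$1"; al="$2"; crt="$3"
  cp -p "$ks" "$ks.bak.$(date +%Y%m%d%H%M%S)"
  keytool -import -alias "$al" -keystore "$ks" -trustcacerts -file "$crt"
}
```

Running `safe_delete tomcat.keystore tomcat` against a real keystore would stop at the refusal message, which is exactly the point where the original renewal went wrong; `renew_cert tomcat.keystore tomcat mydomain.com.crt` is the command from the post wrapped with a backup first.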