How to resolve : java.io.IOException: jsse.alias_n

Posted 2020-04-10 03:17

Question:

I have a Debian virtual machine with Tomcat installed. I would like to install an SSL certificate so that my website is in HTTPS.

I received the following certificate files with my VM:

my-domain.cer  my-domain.chain.crt.pem  my-domain.crt.pem
my-domain.csr  my-domain.key  my-domain.ch.p7c

I created a keystore with the following command:

keytool -import -trustcacerts -alias tomcat -keystore keystore.jks -file my-domain.cer

Then, I modified the conf/server.xml file with the following code:

<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
        maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
        keyAlias="tomcat" keystoreFile="/usr/local/tomcat/ssl/keystore.jks" keystorePass="PASSWORD" keystoreType="JKS"
        port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
        sslEnabledProtocols="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>

Unfortunately, I get the following error when starting Tomcat:

 org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1055)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:585)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:608)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1103)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1116)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        ... 13 more
Caused by: java.io.IOException: jsse.alias_no_key_entry
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:330)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:104)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
        ... 20 more

I do not understand where it can come from, because my alias is the correct one ...

Thank you in advance for your help

Answer 1:

Just had this issue, only with .p7b. This error means your keystore doesn't contain the original private key.

Please make sure your private key (.csr) is in the same keystore with the .p7b chain.

I followed these steps:

1. Generated a key with a keystore:

keytool -genkey -alias [alias_name] -keyalg RSA -keystore [enter_keystore_name] -keysize 2048

This command creates not only a key entry, but also a private key in the keystore. That's why it's important to import the .p7b into the same keystore.

2. Generated a CSR from this entry:

keytool -certreq -keyalg RSA -keysize 2048 -alias [alias_name] -file [csr_file_name] -keystore [keystore_name] -ext san=dns:[FQDN_of_server]

3. Imported the received signed .p7b into the same keystore (I recommend that you download the .p7b into the same folder your .csr and keystore are in):

keytool -import -alias [alias_name] -trustcacerts -file [ssl_certificate.p7b] -keystore [keystore_name]

If everything's done right, your keystore will contain the generated private key and the received .p7b.



Answer 2:

In my case, the cause of this issue was that the SSL key alias present in the application was not the same as the alias passed while creating the certificate.

keytool -genkeypair -keyalg RSA -alias dummyApp -keystore dummy-app.p12 -storepass password -validity 3650 -keysize 2048 -dname "CN=dummy-app, OU=Enterprise, O=Test, L=Unknown, ST=Unknown, C=US" -storetype pkcs12

To fix this, I had to correct the value of the server.ssl.key-alias property. As per the above SSL generation example, its value should be dummyApp.



Answer 3:

You need to import the private key into the keystore.

Step 1: You need to download OpenSSL and then move to C:\OpenSSL-win64\bin. Next, type this command:

openssl pkcs12 -export -in C:\Keystore\certificate.crt -inkey C:\Keystore\name_key.key -out C:\Keystore\server.p12 -name [name_alias] -CAfile C:\Keystore\rootCA.crt -caname root

Note: if you use alias "tomcat" in server.xml

keyAlias="tomcat"

keystoreFile="C:\Keystore\server.jks"

keystorePass="your pass"

then [name_alias] = tomcat

Step 2: Use cmd and move to C:\program files\java\jdk..\ bin and type this command to convert the p12 file to a jks file:

keytool -importkeystore -deststorepass mypass -destkeystore C:\Keystore\server.jks -srckeystore C:\Keystore\server.p12 -srcstoretype PKCS12

Restart your Tomcat server.

I fixed my issue. Now I am really joyful!
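
Answers 1 and 3 both come down to the alias needing a private-key entry, so the following added example (not part of any answer on this page) checks that before Tomcat is restarted: it confirms the key file belongs to the certificate and reads the entry type that `keytool -list` reports for the alias. The helper names and the `KS_PASS` environment variable are assumptions made for illustration, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example. Helper names and KS_PASS are assumptions, not from the answers.

# Constructed sample: `keytool -list` output for a keystore built with
# `keytool -import ... -file my-domain.cer` only, as in the question.
SAMPLE_LISTING='Your keystore contains 1 entry

tomcat, Apr 10, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): <constructed placeholder>'

# Succeeds only when the key file and the certificate hold the same public
# key. Assumes an unencrypted PEM key; returns 2 if either file is unreadable.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Reads non-verbose `keytool -list` output on stdin and prints the entry type
# recorded for alias $1, or "missing". The date field may itself contain a
# comma, so the type is taken from the end of the line.
alias_entry_type() {
    awk -F', *' -v a="$1" '
        NF >= 3 && tolower($1) == tolower(a) {
            t = $NF; if (t == "") t = $(NF - 1)
            print t; found = 1; exit
        }
        END { if (!found) print "missing" }'
}

# usage: export KS_PASS; check_alias keystore.jks tomcat
# The password is passed through the environment (-storepass:env) so it does
# not show up in the process list.
check_alias() {
    out=$(keytool -J-Duser.language=en -list -keystore "$1" \
              -storepass:env KS_PASS) || { echo "FAIL: cannot read $1"; return 1; }
    etype=$(printf '%s\n' "$out" | alias_entry_type "$2")
    case "$etype" in
        PrivateKeyEntry) echo "OK: '$2' is a PrivateKeyEntry" ;;
        missing) echo "FAIL: no alias '$2' in $1"; return 1 ;;
        *) echo "FAIL: '$2' is a $etype; expect jsse.alias_no_key_entry"
           return 1 ;;
    esac
}

# Stand-alone demo on the constructed listing: prints trustedCertEntry.
printf '%s\n' "$SAMPLE_LISTING" | alias_entry_type tomcat
```

A `trustedCertEntry` under the connector's `keyAlias` is the state the question's `keytool -import` command produces, since only the certificate was imported.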



Answer 4:

Execute the following commands:

#First step

jmendoza@jmendoza:~$ openssl genrsa -aes256 -out electoralsystem-cakey.pem 2048

Enter pass phrase for electoralsystem.key: jmendoza

#Second step

jmendoza@jmendoza:~$ openssl req -new -x509 -sha256 -key electoralsystem-cakey.pem -days 365 -out electoralsystem-cacert.pem

jmendoza@jmendoza:~$ openssl x509 -in electoralsystem-cacert.pem -text

#Third step

jmendoza@jmendoza:~$ openssl pkcs12 -export -in electoralsystem-cacert.pem -inkey electoralsystem-cakey.pem -out electoralsystem-store.p12 -name "electoralsystem-store"

Enter Export Password: jmendoza

#Fourth step
jmendoza@jmendoza:~$ keytool -importkeystore -destkeystore electoralsystem-store.jks -deststorepass jmendoza -srckeystore electoralsystem-store.p12 -srcstoretype PKCS12 -srcstorepass jmendoza -alias electoralsystem-store

Configuration example with Spring Boot (application.properties)

server.port=8081
server.ssl.key-alias=electoralsystem-store
server.ssl.key-password=jmendoza
server.ssl.key-store=/home/jmendoza/IdeaProjects/dummy/config/electoralsystem-store.jks
server.ssl.key-store-provider=SUN




Tags: ssl tomcat https