How to resolve: java.io.IOException: jsse.alias_no_key_entry

小蘑菇 2020-12-11 19:13

I have a Debian virtual machine with Tomcat installed. I would like to install an SSL certificate so that my website is in HTTPS.

I received the following certificat

4 answers
  • 2020-12-11 19:37

    In my case, the cause of this issue was that the SSL key alias present in the application was not the same as the alias passed while creating the certificate.

    keytool -genkeypair -keyalg RSA -alias dummyApp -keystore dummy-app.p12 -storepass password -validity 3650 -keysize 2048 -dname "CN=dummy-app, OU=Enterprise, O=Test, L=Unknown, ST=Unknown, C=US" -storetype pkcs12

    To fix this, I had to correct the value of the server.ssl.key-alias property. As per the above SSL generation example, its value should be dummyApp.

  • 2020-12-11 19:42

    Execute the following command

    #First step
    
    jmendoza@jmendoza:~$ openssl genrsa -aes256 -out electoralsystem-cakey.pem 2048
    
    Enter pass phrase for electoralsystem.key: jmendoza
    
    #Second step
    
    jmendoza@jmendoza:~$ openssl req -new -x509 -sha256 -key electoralsystem-cakey.pem -days 365 -out electoralsystem-cacert.pem
    
    jmendoza@jmendoza:~$ openssl x509 -in electoralsystem-cacert.pem -text
    
    #Third step
    
    jmendoza@jmendoza:~$ openssl pkcs12 -export -in electoralsystem-cacert.pem -inkey electoralsystem-cakey.pem -out electoralsystem-store.p12 -name "electoralsystem-store"
    
    Enter Export Password: jmendoza
    
    #Fourth step
    jmendoza@jmendoza:~$ keytool -importkeystore -destkeystore electoralsystem-store.jks -deststorepass jmendoza -srckeystore electoralsystem-store.p12 -srcstoretype PKCS12 -srcstorepass jmendoza -alias electoralsystem-store
    

    Configuration example with Spring Boot (application.properties)

    server.port=8081
    server.ssl.key-alias=electoralsystem-store
    server.ssl.key-password=jmendoza
    server.ssl.key-store=/home/jmendoza/IdeaProjects/dummy/config/electoralsystem-store.jks
    server.ssl.key-store-provider=SUN
    

  • 2020-12-11 19:45

    You need to import the private key into the keystore.

    Step 1: You need to download OpenSSL and then move to C:\OpenSSL-win64\bin. Next, type this command:

    openssl pkcs12 -export -in C:\Keystore\certificate.crt -inkey C:\Keystore\name_key.key -out C:\Keystore\server.p12 -name [name_alias] -CAfile C:\Keystore\rootCA.crt -caname root

    Note: if you use alias "tomcat" in server.xml

    keyAlias="tomcat"

    keystoreFile="C:\Keystore\server.jks"

    keystorePass="your pass"

    then [name_alias] = tomcat

    Step 2: Use cmd and move to C:\program files\java\jdk..\ bin and type this command to convert the p12 file to a jks file:

    keytool -importkeystore -deststorepass mypass -destkeystore C:\Keystore\server.jks -srckeystore C:\Keystore\server.p12 -srcstoretype PKCS12

    Restart your Tomcat server

  • 2020-12-11 19:54

    Just had this issue, only with .p7b. This error means your keystore doesn't contain the original private key.

    Please make sure your private key (.csr) is in the same keystore with the .p7b chain.

    I followed these steps:

    1. Generated a key with a keystore:

    keytool -genkey -alias [alias_name] -keyalg RSA -keystore [enter_keystore_name] -keysize 2048

    This command creates not only a key entry, but also a private key in the keystore. That's why it's important to import the .p7b into the same keystore.

    2. Generated a CSR from this entry:

    keytool -certreq -keyalg RSA -keysize 2048 -alias [alias_name] -file [csr_file_name] -keystore [keystore_name] -ext san=dns:[FQDN_of_server]

    3. Imported the received signed .p7b into the same keystore (I recommend downloading the .p7b into the same folder your .csr and keystore are in):

    keytool -import -alias [alias_name] -trustcacerts -file [ssl_certificate.p7b] -keystore [keystore_name]

    If everything's done right, your keystore will contain the generated private key and the received .p7b.

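The two causes named in the answers above (an alias that does not match the configured one, and an alias that holds only a certificate without its private key) can be told apart from `keytool -list` output. The script below is an added example, not code from any of the answers; the sample listing with its aliases, dates and fingerprints is constructed, and `entry_type` and `check_alias` are hypothetical helper names.

```sh
#!/bin/sh
# Added example. SAMPLE_LISTING is constructed: aliases, dates and
# fingerprints are made up, in the layout `keytool -list` prints.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

root, Dec 11, 2020, trustedCertEntry,
Certificate fingerprint (SHA-256): 00:11:22:33
tomcat, Dec 11, 2020, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 44:55:66:77'

# entry_type ALIAS: read a keytool listing on stdin and print the entry
# type stored under ALIAS, or "missing". Aliases are compared
# case-insensitively, as JKS and PKCS12 keystores do.
entry_type() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); found = "missing" }
        / [A-Za-z]+Entry, *$/ {            # "<alias>, <date>, <type>,"
            line = $0
            sub(/, *$/, "", line)                  # drop the trailing comma
            type = line;  sub(/.*, /, "", type)    # last field = entry type
            alias = line; sub(/, .*/, "", alias)   # first field = alias
            if (tolower(alias) == want) found = type
        }
        END { print found }'
}

# check_alias ALIAS: succeed only if ALIAS holds a private key, which is
# what the connector needs to avoid jsse.alias_no_key_entry.
check_alias() {
    t=$(entry_type "$1")
    case "$t" in
        PrivateKeyEntry) echo "OK: $1 is a PrivateKeyEntry"; return 0 ;;
        missing) echo "FAIL: no alias $1 in this keystore"; return 1 ;;
        *) echo "FAIL: $1 is a $t (certificate only, no private key)"; return 1 ;;
    esac
}

# Against a real keystore (keytool prompts for the store password):
#   keytool -list -keystore server.jks | check_alias tomcat
for a in tomcat root dummyApp; do
    printf '%s\n' "$SAMPLE_LISTING" | check_alias "$a" || true
done
```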