Vijay Nandwana

Reputation: 2634

KeyStore and TrustStore load failed - Private key must be accompanied by certificate chain

I have created a self signed certificate using the following command:

keytool -genkeypair -keyalg RSA -alias test-api -keystore test-api.p12 -storepass password -validity 3650 -keysize 2048 -storetype pkcs12

I then imported this keystore into a new truststore:

keytool -import -trustcacerts -alias test-api-2018 -file test.crt -keystore trusted-keystore.p12 -storetype pkcs12

In Java, I am creating a custom SSL store provider (org.springframework.boot.context.embedded.SslStoreProvider). As part of it, I loaded the keystore and truststore using the following Java code:

try {
    try (final InputStream keyStoreStream = new ByteArrayInputStream(Base64.decode(keyStoreEncoded))) {
        keyStore = KeyStore.getInstance(KEYSTORE_TYPE_PKCS12);
        LOGGER.info("Loading a KeyStore object based on the decoded value.");
        keyStore.load(keyStoreStream, serverSslKeyPassword.toCharArray());
    }

    ....
        trustStore.load(trustStoreStream, serverSslTrustStorePassword.toCharArray());
    }

I created a custom implementation of EmbeddedServletContainerCustomizer and set the SSL store provider:

public void customize(final ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
    configurableEmbeddedServletContainer.setSslStoreProvider(awsSslStoreProvider);
}

Application fails to start because of the following error:

Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:253)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
... 19 common frames omitted

Upvotes: 7

Views: 14188

Answers (2)

Oto-obong Eshiett

Reputation: 1679

The problem occurs when the security config in the application.properties file isn't configured properly. This causes the certificate chain to break.

In my case I used

 server.ssl.key-password=123456789

instead of

server.ssl.key-store-password=123456789

Upvotes: 52

k_o_

Reputation: 6288

This also happens when using BouncyCastle as the PKCS12 key store provider and the key alias uses incorrect upper case.

E.g. (incorrect):

server.ssl.key-alias=17B2E92E5694C7AE11A65C4A4EBFC75558399E05

instead of (correct):

server.ssl.key-alias=17b2e92e5694c7ae11a65c4a4ebfc75558399e05

The strange thing about this error is that the key is found, so obviously the lookup is not case sensitive, but the check for ks.getCertificateChain(keyAlias) is.

Upvotes: 2
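The stack trace in the question shows Tomcat's JSSEUtil.getKeyManagers copying the key entry into a fresh KeyStore with setKeyEntry, which is the call that throws "Private key must be accompanied by certificate chain". Both answers describe inputs that make that copy fail: the wrong password property (key-password vs key-store-password) and an alias whose case does not match what the provider stores. The following is an added example, not code from the question or from either answer, that runs the same checks ahead of time on a PKCS12 file so the failing condition is reported by name. It assumes the keystore path, store password, alias and (optionally) key password are passed on the command line; the class name and messages are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Hypothetical pre-flight check (added example, not from the question or answers).
 * Loads a PKCS12 keystore and validates the configured alias the way Tomcat's
 * JSSEUtil.getKeyManagers will use it, so a missing certificate chain, a wrong
 * key password or a mis-cased alias is reported before the server tries to start.
 *
 * Usage: java KeyStoreCheck <keystore.p12> <store-password> <key-alias> [key-password]
 */
public class KeyStoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeyStoreCheck <keystore.p12> <store-password> <key-alias> [key-password]");
            System.exit(2);
        }
        String path = args[0];
        char[] storePassword = args[1].toCharArray();
        String alias = args[2];
        // Assumption: without an explicit key password the key is protected with the
        // store password, which is what keytool -genkeypair does unless -keypass is given.
        char[] keyPassword = (args.length > 3 ? args[3] : args[1]).toCharArray();

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }

        List<String> aliases = Collections.list(ks.aliases());
        System.out.println("aliases in store: " + aliases);

        // The second answer reports that a provider can find the alias case-insensitively
        // yet return no chain for it; flag an alias that only matches ignoring case.
        if (!aliases.contains(alias)) {
            for (String a : aliases) {
                if (a.equalsIgnoreCase(alias)) {
                    System.out.println("WARNING: alias '" + alias + "' matches '" + a
                            + "' only case-insensitively; configure the exact spelling");
                }
            }
        }

        // A trusted-certificate entry (keytool -import) has no private key at all.
        if (!ks.isKeyEntry(alias)) {
            fail("'" + alias + "' is not a key entry in this store");
        }

        // A wrong key password (the first answer's key-password vs key-store-password mix-up)
        // surfaces here as UnrecoverableKeyException.
        Key key;
        try {
            key = ks.getKey(alias, keyPassword);
        } catch (UnrecoverableKeyException e) {
            fail("key password does not unlock '" + alias + "': " + e.getMessage());
            return;
        }
        if (!(key instanceof PrivateKey)) {
            fail("'" + alias + "' does not hold a private key");
        }

        // This is the condition behind the error in the question.
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            fail("'" + alias + "' has a private key but no certificate chain");
        }
        System.out.println("certificate chain length for '" + alias + "': " + chain.length);

        // Repeat Tomcat's copy into a fresh store; setKeyEntry is the call that would throw.
        KeyStore copy = KeyStore.getInstance("PKCS12");
        copy.load(null, null);
        copy.setKeyEntry(alias, key, keyPassword, chain);
        System.out.println("OK: '" + alias + "' is usable as a TLS server key entry");
    }

    private static void fail(String msg) {
        System.err.println("FAIL: " + msg);
        System.exit(1);
    }
}
```

Run it against the same file, passwords and alias that server.ssl.key-store, server.ssl.key-store-password, server.ssl.key-alias and server.ssl.key-password would supply; each FAIL line names which of the three conditions (no key entry, wrong key password, missing chain) Tomcat would otherwise hit during startup.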
