angus

Reputation: 3320

How to resolve: jsse.alias_no_key_entry

I have the following files that were generated by Sectigo:

  1. XXX1.pem
  2. XXX1.key
  3. XXX1.csr
  4. XXX1.crt
  5. XXX1.ca

I am using Zulu JDK 11.0.8 and SpringBoot 2.2.0 on Windows. What I am trying to do is to enable https in a SpringBoot app.

These are the ssl properties in the SpringBoot properties file:

server.ssl.key-store-type=JKS
server.ssl.key-store=XX1.jks
server.ssl.key-store-password=password
server.ssl.key-alias=tomcat

I generated a keystore using the following command:

keytool -import -alias tomcat -file XXX1.crt -keystore XX1.jks -storepass password

When running the app I am getting the following error message:

Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1008) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    ... 17 common frames omitted
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:218) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1124) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1210) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    ... 19 common frames omitted
Caused by: java.io.IOException: jsse.alias_no_key_entry
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:328) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.27.jar:9.0.27]
    ... 25 common frames omitted

Any idea what I did wrong?

Thank you

Upvotes: 1

Views: 796

Answers (1)

dave_thompson_085

Reputation: 38821

TLDR: you need the privatekey

Although we often talk loosely about an SSL/TLS server having or using 'a certificate', in fact it needs not just a certificate but the associated private key (always) and any associated intermediate aka 'chain' CA cert(s) (usually, but can depend on the CA and/or clients). keytool -import is an alias for -importcert which imports only a certificate or chain; this either adds a cert/chain to a preexisting privateKeyEntry, or creates a trustedCertEntry. In your case your keystore did not already contain the privatekey, so keytool created a trustedCertEntry, which is why Tomcat complains that the configured alias is 'no_key_entry' -- i.e. it is a trustedCertEntry, which is inadequate, unusable, and wrong, not a privateKeyEntry as is needed and required.

Search for 'convert PEM to Java keystore' or 'convert PEM to JKS' (and possibly 'convert PEM to PKCS12' also) and you will find hundreds of Questions asked over the past decade, with about as many variations of the two real Answers:

  1. If you have or get OpenSSL, use openssl pkcs12 -export to combine the certificate, privatekey, and chain (CA) PEM-format files into a PKCS12-format file. Modern Java (since 2017) can always use PKCS12 directly as a keystore; older versions sometimes could do this but sometimes required you to convert the PKCS12 to JKS with keytool -importkeystore (not -import[cert]) and older Answers reflect that former requirement. If necessary you could move or copy the PEM-format files to another machine that is sufficiently secure and has OpenSSL and then move or copy the PKCS12 back.

    OpenSSL comes standard on nearly all Linuxes and many other Unixes, but not Windows. You can get it for Windows from several sources of which I consider http://slproweb.com/products/Win32OpenSSL.html the best-maintained.

  2. Download and use KeyStore Explorer.

Upvotes: 2
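The following script is an added example, not code from the question or the answer. It reproduces the situation the answer describes with OpenSSL only: a keystore built from the certificate alone has no private key for the alias (the same state keytool -importcert left the questioner's JKS in), whereas one built with openssl pkcs12 -export from key + certificate + chain does. The XXX1.* file names mirror the question, but the files themselves are generated here as a throwaway self-signed stand-in (an assumption) so the script runs offline; the keytool steps at the end only run if a JDK is on the PATH.

```shell
#!/bin/sh
# Added example: reproduce "no key for alias" vs. a proper key+cert+chain
# keystore using OpenSSL, then optionally convert to JKS with keytool.
# The XXX1.* names mirror the question; the files are generated here as a
# constructed stand-in for the CA-issued ones (assumption).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed stand-in for the CA-issued files: a throwaway "intermediate" CA
# plus a leaf key/CSR/cert, so XXX1.ca really is a chain certificate.
make_demo_pem_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out XXX1.ca \
        -days 1 -subj "/CN=Demo Intermediate CA" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout XXX1.key -out XXX1.csr \
        -subj "/CN=example.invalid" >/dev/null 2>&1
    openssl x509 -req -in XXX1.csr -CA XXX1.ca -CAkey ca.key -CAcreateserial \
        -out XXX1.crt -days 1 >/dev/null 2>&1
}

# What the question effectively built: a keystore holding the certificate only
# (a trusted-cert entry, not a key entry) under the alias "tomcat".
build_cert_only_pkcs12() {
    openssl pkcs12 -export -nokeys -in XXX1.crt -name tomcat \
        -out cert-only.p12 -passout pass:password
}

# The answer's option 1: private key + certificate + chain under alias "tomcat".
build_pkcs12() {
    openssl pkcs12 -export -in XXX1.crt -inkey XXX1.key -certfile XXX1.ca \
        -name tomcat -out XX1.p12 -passout pass:password
}

# Does the keystore hold a private key? This is the property Tomcat needs
# before it can build its key manager; without it you get alias_no_key_entry.
# Returns 0 when a key is present, 1 otherwise.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin pass:password -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# Number of certificates in the keystore (leaf + chain); 2 is expected for XX1.p12.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin pass:password -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Optional: with a JDK installed, show the entry type keytool reports and do
# the PKCS12 -> JKS conversion the answer mentions (-importkeystore, not -import).
convert_to_jks_if_keytool() {
    command -v keytool >/dev/null 2>&1 || return 0
    keytool -list -keystore XX1.p12 -storetype PKCS12 -storepass password
    keytool -importkeystore -srckeystore XX1.p12 -srcstoretype PKCS12 \
        -srcstorepass password -destkeystore XX1.jks -deststoretype JKS \
        -deststorepass password -noprompt
}

make_demo_pem_files
build_cert_only_pkcs12
build_pkcs12
if p12_has_private_key cert-only.p12; then
    echo "cert-only.p12: has a private key"
else
    echo "cert-only.p12: NO private key -> Tomcat would raise jsse.alias_no_key_entry"
fi
if p12_has_private_key XX1.p12; then
    echo "XX1.p12: private key present, $(p12_cert_count XX1.p12) certificates (leaf + chain)"
fi
convert_to_jks_if_keytool
```

For the Spring Boot side, point server.ssl.key-store at XX1.p12 with server.ssl.key-store-type=PKCS12 (or at XX1.jks after the keytool -importkeystore step) and keep server.ssl.key-alias=tomcat, since that is the -name given to the export. If an older keytool refuses a file produced by OpenSSL 3, re-run the export with OpenSSL 3's -legacy option to get the older PKCS12 encryption defaults.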
