Brett

Reputation: 21

Tomcat unable to access cert in Windows Cert store

I am configuring Tomcat to use the Windows Certificate store to allow tracking of certificate expiry through Microsoft System Center Operations Manager. I have configured a Tomcat 8.5 Connector to use the Windows certificate store as shown below:

<Connector port="443"
           scheme="https"
           secure="true"
           SSLEnabled="true">
    <SSLHostConfig hostName="*.mms.ams.local"
                   sslProtocol="TLS"
                   protocols="TLSv1,+TLSv1.1,+TLSv1.2"
                   truststoreProvider="SunMSCAPI"
                   truststoreType="Windows-ROOT">
        <Certificate certificateKeyStoreProvider="SunMSCAPI"
                     certificateKeyAlias="*.mms.ams.local"
                     certificateKeystoreFile="NONE"
                     certificateKeystorePassword=""
                     certificateKeystoreType="Windows-My"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
The Common Name/Friendly name of the cert is the same, has an associated private key, and has a proper, verified certificate chain. However, when Tomcat starts up, the following error is thrown in the logs:
11-Feb-2022 10:12:48.226 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1076)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:843)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: Alias name [*.mms.ams.local] does not identify a key entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1189)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:617)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
    ... 13 more
Caused by: java.io.IOException: Alias name [*.mms.ams.local] does not identify a key entry
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:335)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:244)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
    ... 20 more

After three days of searching, I am unable to find any references online as to what may be causing this issue with a Microsoft Certificate store. Nearly all references I have found refer to file-based keystores, which doesn't apply. Tomcat's documentation, while saying that use of the Microsoft Keystore is supported, is very sparse in talking about proper configuration of the connector. The examples in the "server.xml" file are vague as well. Getting to this point with the connector, I have had to piecemeal settings together from several articles. Anyone out there with experience with doing this have any suggestions or pointers? Thanks in advance for your consideration with this.

Upvotes: 1

Views: 1382

Answers (1)

Brett

Reputation: 21

After much research, I have found the issue and I will post it here so I can spare other Windows server admins days of going down the same rabbit hole. :-)

In order to access the Windows cert store, you need to use the Store Provider "SunMSCAPI". This is a CAPI provided by SUN/Java. However, there is a known (but barely documented) issue with the CAPI. While the TrustStoreType "Windows-ROOT" is capable of accessing the Root/Intermediate cert stores across the different stores, the KeyStoreType "Windows-MY" only accesses the CurrentUser\My store. This means that, in order to access a cert using this CAPI, you would need to sign in as the user under which the Tomcat/Java app runs and add the certificate to the CurrentUser\My store, which can be tedious if running multiple services under multiple accounts (don't get me started on if you have to run it as Local Service). The LocalMachine\My store is a place where certs can be readily accessed, regardless of what account is accessing it.

From what I have found, this issue has been around since 2011, yet Sun has made no apparent attempts to address/correct it. I have found some independently developed workarounds for this but nothing released by a software company with supported/regular updates.

We will move to a hybrid solution where the ROOT/INTERMEDIATE certs will be accessed via the SunMSCAPI and the pub/priv certs will be stored in a fileshare in PKCS12 format, where they will be monitored for expiration via scripts and tools. Thanks to everyone who reviewed and contributed.

Upvotes: 1
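A diagnostic that reproduces the check Tomcat performs, as an added example that is not part of the original post or of Tomcat: it opens the SunMSCAPI keystores, lists every alias with whether it is a key entry (the test behind "does not identify a key entry") and its expiry date, so you can see whether the alias is really visible as CurrentUser\My with a private key. It assumes a Windows JDK with the SunMSCAPI provider, takes the alias from the first command-line argument, and also tries the "Windows-MY-LOCALMACHINE" type, which only JDK 19 and later provide; on older JDKs that store is reported as unsupported.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/*
 * Diagnostic for "Alias name [...] does not identify a key entry".
 * Added example, not Tomcat code. Opens the same SunMSCAPI keystores the
 * connector would and reports, per alias, whether the entry carries a
 * private key and when the certificate expires. The alias to look for is
 * argv[0] (assumed convention); it defaults to the alias from the question.
 */
public class MscapiKeyEntryCheck {

    // "Windows-MY" is CurrentUser\My on every JDK; the *-LOCALMACHINE type
    // exists only on JDK 19+ and throws KeyStoreException before that.
    private static final String[] STORE_TYPES = {
        "Windows-MY", "Windows-MY-LOCALMACHINE"
    };

    public static void main(String[] args) throws Exception {
        String wanted = args.length > 0 ? args[0] : "*.mms.ams.local";
        boolean found = false;
        for (String type : STORE_TYPES) {
            KeyStore ks;
            try {
                ks = KeyStore.getInstance(type, "SunMSCAPI");
                ks.load(null, null); // MSCAPI stores take no file or password
            } catch (KeyStoreException e) {
                System.out.println(type + ": not supported by this JDK");
                continue;
            }
            System.out.println("== " + type + " (" + ks.size() + " entries)");
            for (String alias : Collections.list(ks.aliases())) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                // Tomcat's SSLUtilBase.getKeyManagers() rejects any alias for
                // which isKeyEntry() is false; this is the check that fails.
                boolean keyEntry = ks.isKeyEntry(alias);
                long daysLeft = (cert.getNotAfter().getTime()
                                 - new Date().getTime()) / 86_400_000L;
                System.out.printf("%-30s keyEntry=%-5s expires=%s (%d days)%n",
                        alias, keyEntry, cert.getNotAfter(), daysLeft);
                if (alias.equals(wanted) && keyEntry) found = true;
            }
        }
        System.out.println(found ? "OK: Tomcat will accept alias " + wanted
                                 : "FAIL: no key entry for alias " + wanted);
    }
}
```

Run it under the same Windows account that the Tomcat service uses, since the "Windows-MY" listing is that account's CurrentUser\My store.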
