Error "Alias name[certificate_alias_name] does not identify a key entry" during HTTPS setup


Article ID: KB0078785


Products Versions
Spotfire Server 7.5 and higher

Description

When configuring the TIBCO Spotfire Server to use HTTPS, the HTTPS connection may fail and the catalina.log file will show the following error if the certificate has no 'Certificate chain length', has an 'Entry type' of 'trustedCertEntry', or has an incorrect certificate key alias name:
Caused by: java.lang.IllegalArgumentException: Alias name[certificate_alias_name] does not identify a key entry.

Caused by: java.io.IOException: Alias name[certificate_alias_name] does not identify a key entry.

This article describes the resolution for the missing 'Certificate chain length' and the 'trustedCertEntry' entry type. Note: See KB article 000036920 for the resolution to the incorrect certificate key alias name issue.

Use the following command to list all details of the certificate stored in the specified keystore:

<install directory>\jdk\bin\keytool -list -v -keystore <install directory>\tomcat\certs\<certificateName>.jks -alias <KeyaliasName>
Replace <install directory> with the appropriate path for your installation.

The result should include 'Certificate chain length', and 'Entry type' should be 'PrivateKeyEntry'.

The following is an example where the certificate has no 'Certificate chain length' and 'Entry type' is 'trustedCertEntry':

C:\tibco\tss\7.11.1\jdk\bin>keytool -list -v -keystore "C:\tibco\tss\7.11.1\tomcat\certs\spotfireserver.jks" -alias serverkey
Enter keystore password:
Alias name: serverkey
Creation date: Mar 19, 2019
Entry type: trustedCertEntry

The following is an example where the certificate has 'Certificate chain length' and 'Entry type' is 'PrivateKeyEntry':

C:\tibco\tss\7.11.1\jdk\bin>keytool -list -v -keystore "C:\tibco\tss\7.11.1\tomcat\certs\spotfireserver.jks" -alias serverkey
Enter keystore password:
Alias name: serverkey
Creation date: Dec 7, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3

 


Resolution

After running the above command, if the result has no 'Certificate chain length', the required intermediate certificates have not been imported; if 'Entry type' is 'trustedCertEntry', the private key has not been added to the certificate.

To resolve, ensure that the certificate is imported as a private key entry ('PrivateKeyEntry'), and not just as a trusted certificate ('trustedCertEntry'), and ensure that all intermediate certificates are imported.
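
The check described above, as an added example that is not part of the original article or of TIBCO's tooling: a Python parser for English-language keytool -list -v output that reports which of the three causes named in the Description applies. The sample outputs are constructed from the listings in this article, and the function names and the min_chain parameter are assumptions of this example.

```python
import re

# Constructed samples, modelled on the keytool output shown in this article.
SAMPLE_TRUSTED = """Alias name: serverkey
Creation date: Mar 19, 2019
Entry type: trustedCertEntry
"""
SAMPLE_PRIVATE = """Alias name: serverkey
Creation date: Dec 7, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3
"""
# Constructed: keytool's reply when the requested alias is not in the keystore.
SAMPLE_NO_ALIAS = "keytool error: java.lang.Exception: Alias <serverkey> does not exist\n"


def parse_entry(output):
    """Pull the fields this article checks out of `keytool -list -v` text."""
    def field(label):
        pattern = r"^%s:[ \t]*(.+?)[ \t]*$" % re.escape(label)
        match = re.search(pattern, output, re.MULTILINE)
        return match.group(1) if match else None

    chain = field("Certificate chain length")
    return {
        "alias": field("Alias name"),
        "entry_type": field("Entry type"),
        "chain_length": int(chain) if chain and chain.isdigit() else None,
        "alias_missing": bool(re.search(r"Alias <.*> does not exist", output)),
    }


def diagnose(output, min_chain=1):
    """Return findings for one alias; an empty list means it can serve HTTPS.
    min_chain is an assumption of this example: set it to the number of
    certificates (server plus intermediates) your CA chain should contain."""
    entry = parse_entry(output)
    if entry["alias_missing"] or entry["entry_type"] is None:
        return ["alias not found: check the configured key alias name"]
    findings = []
    if entry["entry_type"] != "PrivateKeyEntry":
        findings.append("entry type %s holds no private key" % entry["entry_type"])
    n = entry["chain_length"]
    if n is None:
        findings.append("no certificate chain length: chain was not imported")
    elif n < min_chain:
        findings.append("chain length %d is below the expected %d" % (n, min_chain))
    return findings
```

To check a real keystore, pass the text captured from the keytool command above to diagnose().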

Additional Information

Doc: Configuring HTTPS

KB: 000036920 Error "Alias name does not identify a key entry"