Tomcat 7 SSL – Swapping a Cert out in the keystore

Posted by & filed under Server Admin.

I have a PKCS12 .pfx export of a cert that I need to import into a Tomcat keystore in order to update an expiring certificate.


Need to know a few things beforehand:

  • Tomcat keystore path (the keystoreFile in server.xml)
  • Source store password for the pfx file
  • Source alias inside the pfx
  • Destination keystore password (the keystorePass in server.xml)
  • Destination alias (tomcat in the example below)

keytool's -importkeystore protects the imported entry with the source password unless -destkeypass is given, so set -destkeypass to the destination keystore password. Tomcat opens the private key with keystorePass unless a separate keyPass is configured, and a mismatch is the "Cannot recover key" error described further down.

keytool -importkeystore -srckeystore wildcard_2016.pfx -srcstoretype pkcs12 -srcstorepass changeit -srcalias 4b84576db-35ca-8dc45b92a -destkeystore C:\ibi\ssl\.keystore -deststoretype jks -deststorepass changeit! -destkeypass changeit! -destalias tomcat

In order to get the source alias from the new pfx file:

keytool -v -list -storetype pkcs12 -keystore wildcard_2016.pfx > output.txt

If you need to get the alias from the existing Tomcat keystore:

keytool -list -v -keystore C:\ssl\.keystore > tomcatkeystore.txt

The same verbose listing shows the certificate chain, fingerprints and the "Valid from ... until" dates for each entry, so run it again after the import to confirm that the tomcat alias now carries the new certificate and the expected expiry date.

Lastly, if you restart Tomcat and it throws errors like the following in the catalina log, the private key's own password does not match the one Tomcat is using, and you may need to reset the key (entry) password:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio-443"] Cannot recover key
...more stack trace here...

Reset the key password to the one defined as keystorePass in server.xml (the connector opens the private key with keystorePass as well, unless a separate keyPass is set). Adjust the alias to your needs. Because -new is given on the command line, keytool does not ask for the new password; it prompts for the current key password if that differs from the keystore password, which after an -importkeystore without -destkeypass is the password of the source pfx.

keytool -keypasswd -new changeit -keystore C:\ssl\.keystore -storepass changeit -alias tomcat

You can also reset the password of the keystore file itself (…), which is separate from the key password, with -storepasswd; keytool prompts for the current keystore password:

PS C:\> .\keytool.exe -storepasswd -new REDACTED -keystore C:\.keystore
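
The whole swap described above, together with the key-password check from the "Cannot recover key" section, as one bash script (the Linux half of this post; the keytool flags are identical on Windows). This is an added example for this page, not the original post's commands: the function names are hypothetical, the paths and passwords are placeholders, and demo() generates its own throwaway self-signed wildcard_2016.pfx, so nothing here touches a real keystore. It goes one step beyond the post by passing -destkeypass on import and by opening the private key with keytool -certreq, which fails the same way Tomcat would, before Tomcat is restarted. It needs a JDK's keytool on the PATH.

```shell
#!/usr/bin/env bash
# Added example for this page (not the original post's commands). Names, paths and
# passwords are placeholders; the PKCS12 used by demo() is generated on the spot.
set -euo pipefail

# Print the alias names found in `keytool -list -v` output read on stdin.
# Works for the PKCS12 source ("Alias name: 1") and the JKS target ("Alias name: tomcat").
keystore_aliases() {
    awk '/^Alias name: / { sub(/^Alias name: /, ""); print }'
}

# Print "alias<TAB>notAfter" per entry from `keytool -list -v` output on stdin, taking
# the first certificate of each chain (the server cert) so expiry is easy to eyeball.
keystore_expiry() {
    awk '/^Alias name: / { alias = $0; sub(/^Alias name: /, "", alias); seen = 0 }
         /^Valid from: / && !seen { seen = 1; sub(/.* until: /, ""); print alias "\t" $0 }'
}

# The alias(es) inside a .pfx: this is the value -srcalias needs.
pfx_alias() {          # pfx_alias <file.pfx> <pfx password>
    keytool -list -v -storetype pkcs12 -keystore "$1" -storepass "$2" | keystore_aliases
}

# Copy key + chain from the .pfx into the JKS under the Tomcat alias.
# -destkeypass is deliberately the JKS store password: keytool otherwise protects the
# imported entry with the *source* password, and Tomcat opens the key with keystorePass
# (unless keyPass is set), which is the "Cannot recover key" failure at startup.
import_pfx() {         # import_pfx <pfx> <pfxpass> <srcalias> <jks> <jkspass> <destalias>
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$2" -srcalias "$3" \
        -destkeystore "$4" -deststoretype jks -deststorepass "$5" \
        -destkeypass "$5" -destalias "$6"
}

# Can the private key be opened with this password? Generating a CSR needs the key,
# so this fails the same way Tomcat would, without a restart. Returns keytool's status.
key_password_ok() {    # key_password_ok <jks> <storepass> <alias> <keypass>
    keytool -certreq -keystore "$1" -storepass "$2" -alias "$3" -keypass "$4" \
        -file /dev/null >/dev/null 2>&1
}

# The repair from the post: set the entry's password to the one Tomcat will use.
fix_key_password() {   # fix_key_password <jks> <storepass> <alias> <oldkeypass> <newkeypass>
    keytool -keypasswd -keystore "$1" -storepass "$2" -alias "$3" -keypass "$4" -new "$5"
}

# Walk through the swap on a throwaway self-signed wildcard cert (constructed here).
demo() {
    local tmp pfx jks src_alias
    tmp=$(mktemp -d); pfx="$tmp/wildcard_2016.pfx"; jks="$tmp/.keystore"
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity 30 -alias 1 \
        -dname "CN=*.example.test, O=Example" -storetype pkcs12 \
        -keystore "$pfx" -storepass changeit -keypass changeit >/dev/null 2>&1
    src_alias=$(pfx_alias "$pfx" changeit)            # "1", as in the post's Linux listing
    import_pfx "$pfx" changeit "$src_alias" "$jks" 'changeit!' tomcat >/dev/null 2>&1
    keytool -list -v -keystore "$jks" -storepass 'changeit!' | keystore_expiry
    if key_password_ok "$jks" 'changeit!' tomcat 'changeit!'; then
        echo "key password matches keystorePass: Tomcat will be able to open the key"
    else
        # only reached for a keystore that was populated without -destkeypass
        fix_key_password "$jks" 'changeit!' tomcat changeit 'changeit!'
    fi
    rm -rf "$tmp"
}

if command -v keytool >/dev/null 2>&1; then demo; fi
```

Run it as-is to see the demo; for a real swap, call pfx_alias, import_pfx and key_password_ok with your own paths and passwords. key_password_ok is the check worth keeping: if it fails with the keystorePass from server.xml, Tomcat will fail at startup with exactly the error quoted above, and fix_key_password wraps the -keypasswd repair for keystores that were filled without -destkeypass.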

Additional note — when trying to run the import command I was getting the following error:

Existing entry alias 2 exists, overwrite? [no]:  yes
keytool error: java.lang.Exception: Alias <2> does not exist

I ran the following to verify the alias is correct:

PS C:\> .\keytool.exe -list -keystore C:\server2017.pfx -storetype pkcs12        
Enter keystore password: 

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

2, Mar 13, 2017, PrivateKeyEntry,
Certificate fingerprint (MD5): RE:DA:CT:ED:DE:AD:BE:EF

The key ID 2 is displayed correctly here as well, and the more verbose output also showed the same:

.\keytool.exe -list -v -keystore C:\server_2017.pfx

I then took the same .pfx file and checked it on a Linux machine, based on a hint from this Stack Overflow post on binary chars:

nate@beef:~/$ keytool -list -keystore server2017.pfx -storetype pkcs12
Enter keystore password:

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, Mar 13, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): RE:DA:CT:ED:DE:AD:BE:EF

And lo and behold, it shows the alias is actually 1!


Back in Windows land:

PS C:\> ./keytool -importkeystore -srckeystore C:\server2017.pfx -srcstoretype pkcs12 -srcstorepass REDACTED -srcalias 1 -destkeystore C:\.keystore -deststoretype jks -deststorepass REDACTED -destalias tomcat
Existing entry alias 1 exists, overwrite? [no]:  yes

It accepted alias 1 instead and the cert imported correctly. I love Tomcat -_-


Linux – Unable to boot due to missing drive in fstab

Posted by & filed under Linux, Server Admin.

I had an old server I brought up and it was unable to complete its boot due to a missing drive in fstab. Editing the fstab in recovery mode is not an option since the filesystem gets flagged as read-only.

In order to make the FS writable, and therefore be able to edit the fstab, the following command remounts the root FS in read/write mode:

mount -o remount,rw /
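A small follow-up, added here and not part of the original post: once / is writable, this bash script lists the fstab entries whose device is not present and rewrites them with the nofail mount option, so a missing drive no longer stops the boot. The function names are hypothetical, the sample fstab in demo() is constructed (/dev/null stands in for a disk that is present), and UUID= and LABEL= specs are resolved through the udev symlinks under /dev/disk, which is an assumption about the system.

```shell
#!/usr/bin/env bash
# Added example for this page (not the original post's commands). The sample fstab in
# demo() is constructed; /dev/null stands in for a block device that is present.
set -euo pipefail

# The step from the post: make / writable so /etc/fstab can be edited (needs root).
remount_rw() {
    mount -o remount,rw /
}

# Map an fstab device spec to a path that exists iff the device is present.
# UUID=/LABEL= specs are resolved through the udev symlinks under /dev/disk
# (assumption: a udev-managed /dev, as on most Linux distributions).
device_path() {
    case "$1" in
        UUID=*)  printf '/dev/disk/by-uuid/%s\n' "${1#UUID=}" ;;
        LABEL=*) printf '/dev/disk/by-label/%s\n' "${1#LABEL=}" ;;
        *)       printf '%s\n' "$1" ;;
    esac
}

# True for comment or blank lines and for pseudo filesystems that have no device.
skip_entry() {
    case "$1" in ''|\#*|tmpfs|proc|sysfs|devpts|none) return 0 ;; esac
    return 1
}

# Print the mount point of every entry whose device is not present, one per line.
missing_entries() {    # missing_entries <fstab file>
    local dev mnt rest
    while read -r dev mnt rest; do
        skip_entry "$dev" && continue
        [ -e "$(device_path "$dev")" ] || printf '%s\n' "$mnt"
    done < "$1"
}

# Rewrite the fstab so entries with a missing device get the nofail option, which lets
# the boot continue when the device never turns up. Everything else passes through as-is.
add_nofail() {         # add_nofail <fstab file>
    local line dev mnt type opts dump pass
    while IFS= read -r line || [ -n "$line" ]; do
        read -r dev mnt type opts dump pass <<< "$line"
        if skip_entry "$dev" || [ -e "$(device_path "$dev")" ] || [[ ",$opts," == *,nofail,* ]]; then
            printf '%s\n' "$line"
        else
            printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$dev" "$mnt" "$type" "$opts,nofail" "${dump:-0}" "${pass:-0}"
        fi
    done < "$1"
}

# Demo on a constructed fstab; the real run would be: add_nofail /etc/fstab > /tmp/fstab.new
demo() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample fstab: /dev/null stands in for a disk that is present
/dev/null              /        ext4  defaults,errors=remount-ro  0 1
/dev/nonexistent_data  /data    xfs   defaults                    0 2
UUID=00000000-0000-0000-0000-000000000000  /backup  ext4  defaults,noatime  0 2
tmpfs                  /tmp     tmpfs defaults                    0 0
EOF
    echo "entries whose device is missing:"; missing_entries "$f"
    echo; echo "hardened fstab:"; add_nofail "$f"
    rm -f "$f"
}

demo
```

Review the rewritten file before copying it over /etc/fstab, and run mount -a afterwards: it mounts everything the new fstab lists and reports any entry that still fails, which is a much cheaper check than the next reboot.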