Posted by & filed under Server Admin.

I have a PKCS12 .pfx export of a cert that I need to import into a Tomcat keystore in order to update an expiring certificate.


Need to know a few things beforehand:

  • Tomcat keystore path
  • Source store password for the pfx file
  • Source alias inside the pfx
  • Destination keystore password
  • Destination alias

In order to get the source alias from the new pfx file:

If you need to get the alias from the existing Tomcat keystore:

Additionally, the above command can be used to verify the certificate, expiry date, etc.

Lastly, if you restart Tomcat and it throws errors like the following in the catalina log, you may need to reset the keystore password:

Reset the key password to the value defined by the keyStorePass parameter in server.xml using the following command. You may need to adjust the alias to your needs. You will be prompted for the new password, which should match the keyStorePass parameter mentioned above.

You can also reset the password for the keystore itself (www.ibm.com/support/knowledgecenter/en/S…):
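The procedure above as a POSIX shell script, added here as an example and not the commands from the original post. It assumes a JDK `keytool` on PATH and a Tomcat `Connector` that carries its `keystoreFile` and `keystorePass` attributes on a single line of server.xml; every path, password and alias below is a placeholder, and the function names are my own.

```shell
#!/bin/sh
# Added example (not the original post's commands). Assumes keytool on PATH and a
# Connector whose keystoreFile / keystorePass attributes sit on one line of server.xml.

# Pull one attribute value (e.g. keystoreFile or keystorePass) out of server.xml so the
# keystore path and password used for the import are the ones Tomcat will actually load.
server_xml_attr() {
    # $1 = path to server.xml, $2 = attribute name (assumed Connector-style attribute)
    sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# List the aliases a store contains together with each certificate's validity dates.
list_store() {
    # $1 = keystore path, $2 = store type (PKCS12 or JKS), $3 = store password
    keytool -list -v -keystore "$1" -storetype "$2" -storepass "$3"
}

# Import the pfx entry into the Tomcat keystore under the destination alias.
# -destkeypass is set to the store password because Tomcat's keyPass defaults to keystorePass.
import_pfx() {
    # $1 = pfx, $2 = pfx password, $3 = pfx alias,
    # $4 = dest keystore, $5 = dest store password, $6 = dest alias
    keytool -importkeystore \
        -srckeystore "$1" -srcstoretype PKCS12 -srcstorepass "$2" -srcalias "$3" \
        -destkeystore "$4" -deststoretype JKS -deststorepass "$5" \
        -destkeypass "$5" -destalias "$6" -noprompt
}

# Reset the private-key password of one alias so it matches keystorePass
# (the catalina-log error case the post describes).
reset_key_password() {
    # $1 = keystore, $2 = alias, $3 = store password, $4 = current key password, $5 = new key password
    keytool -keypasswd -keystore "$1" -alias "$2" -storepass "$3" -keypass "$4" -new "$5"
}

# Reset the password of the keystore itself.
reset_store_password() {
    # $1 = keystore, $2 = current store password, $3 = new store password
    keytool -storepasswd -keystore "$1" -storepass "$2" -new "$3"
}

# Whole procedure, driven by the values Tomcat already has in server.xml:
# import the new entry, then print aliases and validity dates to confirm the renewal.
renew_cert() {
    # $1 = server.xml, $2 = new pfx, $3 = pfx password, $4 = pfx alias, $5 = dest alias
    ks=$(server_xml_attr "$1" keystoreFile)
    pw=$(server_xml_attr "$1" keystorePass)
    [ -n "$ks" ] && [ -n "$pw" ] || { echo "keystoreFile/keystorePass not found in $1" >&2; return 1; }
    import_pfx "$2" "$3" "$4" "$ks" "$pw" "$5" || return 1
    list_store "$ks" JKS "$pw" | grep -E 'Alias name|Valid from'
}
```

Passing `-storepass` on the command line puts the password in the process list and shell history; omit the `-storepass`/`-srcstorepass` arguments and keytool will prompt for them interactively instead. Back up the existing keystore before running `import_pfx`, since an existing entry under the destination alias is overwritten when `-noprompt` is given.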


EDIT FROM THE FUTURE:

Additional note — when trying to run the import command I was getting the following error:

I ran the following to verify the alias is correct:

Key ID 2 is displayed here, and the more verbose output showed the same:

I then took the same .pfx file and checked it on a Linux machine, based on a hint about binary characters from this Stack Overflow question: http://stackoverflow.com/questions/15301005/keytool-cant-find-alias

And lo and behold, it shows the alias is actually 1!


Back in Windows land:

It accepted alias 1 instead and the cert imported correctly. I love Tomcat -_-
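The alias mix-up above comes down to bytes in the alias that one console renders differently from another. The following shell functions are an added example, not the post's own commands: they make every byte of each alias visible before it is copied into `-srcalias`, and check that a chosen alias really exists. They assume `keytool` on PATH; file names, passwords and function names are placeholders of my own.

```shell
#!/bin/sh
# Added example (not the original post's commands). Assumes keytool on PATH.

# Print each alias from `keytool -list -v` output with non-printable bytes made visible
# (cat -v renders byte 0x01 as ^A, for instance), so an alias that merely looks like "2"
# on one console is not pasted into -srcalias and rejected as non-existent.
visible_aliases() {
    # reads keytool -list -v output on stdin, prints one alias per line
    cat -v | sed -n 's/^Alias name: //p'
}

# Dump the raw bytes of every alias line, for comparing output between two machines.
alias_bytes() {
    # reads keytool -list -v output on stdin
    grep -a '^Alias name:' | od -An -c
}

# Aliases of a pfx, with hidden bytes shown.
pfx_aliases() {
    # $1 = pfx path, $2 = store password
    keytool -list -v -keystore "$1" -storetype PKCS12 -storepass "$2" | visible_aliases
}

# Exit status 0 only if the alias you intend to pass as -srcalias exists byte for byte;
# keytool -list -alias fails with "Alias <name> does not exist" otherwise.
check_alias() {
    # $1 = pfx path, $2 = store password, $3 = alias
    keytool -list -keystore "$1" -storetype PKCS12 -storepass "$2" -alias "$3" >/dev/null 2>&1
}
```

Run `pfx_aliases new.pfx <password>` on both the Windows (Git Bash or similar) and Linux machines and compare; if the outputs differ, `alias_bytes` shows exactly which bytes each side sees. `check_alias` is a cheap guard to put in front of the import so a wrong alias fails early with a clear message instead of mid-procedure.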
