I have a PKCS12 .pfx export of a cert that I need to import into a Tomcat keystore in order to update an expiring certificate.
You need to know a few things beforehand:
- Tomcat keystore path
- Source store password for the .pfx file
- Source alias in the .pfx
- Destination keystore password
- Destination alias
keytool -importkeystore -srckeystore wildcard_2016.pfx -srcstoretype pkcs12 -srcstorepass changeit -srcalias 4b84576db-35ca-8dc45b92a -destkeystore C:\ibi\ssl\.keystore -deststoretype jks -deststorepass changeit! -destalias tomcat
To get the source alias from the new .pfx file:
keytool -v -list -storetype pkcs12 -keystore wildcard_2016.pfx > output.txt
If you need to get the alias from the existing Tomcat keystore:
keytool -list -v -keystore C:\ssl\.keystore > tomcatkeystore.txt
The same command also lets you verify the certificate details, such as the expiry date and fingerprint, before and after the import.
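The procedure above, as an added shell script that is not part of the original post: it reads the source alias from keytool's own listing instead of retyping it, imports the entry with the key password set equal to the store password, and then parses keytool -list -v to report how long each entry is valid. A JDK keytool on PATH, GNU date for the expiry arithmetic, and the file names, passwords and aliases in the usage line are all assumptions, not values from the post.

```shell
#!/bin/sh
# Added example, not code from the original post: script the .pfx -> JKS import so the
# source alias is read from keytool's own listing instead of retyped, set the key
# password equal to the store password, and report how long each entry is valid.
# Assumptions: a JDK keytool on PATH, GNU date for the expiry arithmetic, and the
# placeholder file names, passwords and aliases in the usage line at the bottom.
set -eu

# Print the alias of every entry in non-verbose `keytool -list` output read from stdin.
# Entry lines look like:   1, Mar 13, 2017, PrivateKeyEntry,
# The alias is everything before the first ", " (aliases may contain spaces, hence -F', ').
list_aliases() {
    awk -F', ' '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),[[:space:]]*$/ { print $1 }'
}

# Succeed only if the alias is plain printable ASCII. An alias with stray bytes can
# render as one thing in a Windows console and another in a Linux one, so check it
# byte-wise before trusting what you read off the screen.
alias_is_clean() {
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^[:print:]]'
}

# From `keytool -list -v` output on stdin, print "<alias><TAB><valid until>" using the
# first certificate of each entry (the leaf of a PrivateKeyEntry chain).
expiry_per_alias() {
    awk '
        /^Alias name: /          { entry = substr($0, 13); seen = 0 }
        /^Valid from: / && !seen {
            sub(/^.* until: /, "")
            print entry "\t" $0
            seen = 1
        }'
}

# Import the single private-key entry of a .pfx into the JKS keystore Tomcat reads.
#   $1 source .pfx   $2 its password   $3 destination keystore   $4 its password
#   $5 destination alias (defaults to "tomcat")
import_pfx() {
    src=$1; srcpass=$2; dest=$3; destpass=$4; destalias=${5:-tomcat}
    aliases=$(keytool -list -keystore "$src" -storetype pkcs12 -storepass "$srcpass" | list_aliases)
    if [ "$(printf '%s\n' "$aliases" | grep -c .)" -ne 1 ]; then
        echo "expected exactly one entry in $src, found:" >&2
        printf '%s\n' "$aliases" >&2
        return 1
    fi
    alias_is_clean "$aliases" || { echo "alias in $src contains non-printable bytes" >&2; return 1; }
    # -destkeypass pins the key password to the store password: Tomcat uses keystorePass
    # for the key too unless keyPass is set, and a mismatch yields UnrecoverableKeyException.
    # -noprompt overwrites an existing entry under the destination alias (a renewal).
    keytool -importkeystore -noprompt \
        -srckeystore "$src" -srcstoretype pkcs12 -srcstorepass "$srcpass" -srcalias "$aliases" \
        -destkeystore "$dest" -deststoretype jks -deststorepass "$destpass" \
        -destkeypass "$destpass" -destalias "$destalias"
}

# Print days until expiry for every entry; return 1 if any expires within $3 days (default 30).
check_expiry() {
    ks=$1; pass=$2; warn_days=${3:-30}; rc=0
    tab=$(printf '\t')
    entries=$(keytool -list -v -keystore "$ks" -storepass "$pass" | expiry_per_alias)
    now=$(date +%s)
    while IFS="$tab" read -r entry notafter; do
        [ -n "$entry" ] || continue
        secs=$(date -d "$notafter" +%s)          # GNU date understands keytool's date format
        days=$(( (secs - now) / 86400 ))
        printf '%s expires in %d days (until %s)\n' "$entry" "$days" "$notafter"
        [ "$days" -gt "$warn_days" ] || rc=1
    done <<EOF
$entries
EOF
    return $rc
}

# Usage with placeholder values:  sh pfx-import.sh wildcard.pfx 'pfxpass' /opt/tomcat/.keystore 'storepass'
if [ "$#" -ge 4 ]; then
    import_pfx "$1" "$2" "$3" "$4"
    check_expiry "$3" "$4"
fi
```

The two awk helpers are the part worth keeping even if you run keytool by hand: pipe the listing through list_aliases to get the exact alias bytes, and through expiry_per_alias to see the validity end of every entry without scrolling through the verbose dump.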
Lastly, if you restart Tomcat and it throws errors like the following in the catalina log, the password on the imported key entry most likely does not match the keystore password (Tomcat uses the keystore password for the key as well unless a separate keyPass is configured), and you may need to reset it:
SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio-443"] java.security.UnrecoverableKeyException: Cannot recover key ...more stack trace here...
Reset it to the correct password, as defined by the keyStorePass parameter in server.xml, using the following command. You may need to adjust the alias to your needs. You will be prompted for the new password, which should match the keyStorePass parameter mentioned above.
keytool -keypasswd -new changeit -keystore C:\ssl\.keystore -storepass changeit -alias tomcat
You can also reset the password for the keystore itself (www.ibm.com/support/knowledgecenter/en/S…). Note the distinction in keytool: -keypasswd, as used below, changes the password of the key entry selected by -alias, while -storepasswd changes the password of the keystore file:
PS C:\> .\keytool.exe -keypasswd -new REDACTED -keystore C:\.keystore -alias tomcat
EDIT FROM THE FUTURE:
Additional note — when trying to run the import command I was getting the following error:
Existing entry alias 2 exists, overwrite? [no]:  yes
keytool error: java.lang.Exception: Alias <2> does not exist
I ran the following to verify the alias is correct:
PS C:\> .\keytool.exe -list -keystore C:\server2017.pfx -storetype pkcs12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

2, Mar 13, 2017, PrivateKeyEntry,
Certificate fingerprint (MD5): RE:DA:CT:ED:DE:AD:BE:EF
Key ID of 2 is displayed correctly here as well as a more verbose output also showed the same:
.\keytool.exe -list -v -keystore C:\server_2017.pfx
I then took the same .pfx file and checked it on a Linux machine, based on a hint from this Stack Overflow question about binary chars: http://stackoverflow.com/questions/15301005/keytool-cant-find-alias
nate@beef:~/$ keytool -list -keystore server2017.pfx -storetype pkcs12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, Mar 13, 2017, PrivateKeyEntry,
Certificate fingerprint (SHA1): RE:DA:CT:ED:DE:AD:BE:EF
And lo and behold, it shows the alias is actually 1!
Back in Windows land:
PS C:\> ./keytool -importkeystore -srckeystore C:\server2017.pfx -srcstoretype pkcs12 -srcstorepass REDACTED -srcalias 1 -destkeystore C:\.keystore -deststoretype jks -deststorepass REDACTED -destalias tomcat
Existing entry alias 1 exists, overwrite? [no]:  yes
It accepted alias 1 instead and the cert imported correctly. I love Tomcat -_-