Tomcat - Resolve "Alias name does not identify a key entry"

by Jeremy Canfield | Updated: February 10 2023
Let's say you are getting something like this in your Tomcat application server logs, such as catalina.log or catalina.out.
09-Feb-2023 02:54:09.779 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
Caused by: java.lang.IllegalArgumentException: Alias name [example.com] does
Caused by: java.io.IOException: Alias name [example.com] does not identify a key entry
The Connector in your Tomcat server.xml file may set keyAlias along with keystoreFile, the keystore that contains the key.
<Connector
    port="8443"
    protocol="HTTP/1.1"
    SSLEnabled="true"
    maxThreads="150"
    scheme="https"
    secure="true"
    clientAuth="false"
    sslProtocol="TLS"
    keystoreFile="keystore.p12"
    keystorePass="itsasecret"
    keyAlias="www.example.com"
/>
The Java keytool command can be used to list the contents of the keystore.
~]$ keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
DigiCert, Aug 21, 2023, trustedCertEntry,
Certificate fingerprint (SHA1): 1E:0C:EB:DC:CA:E3:DC:16:76:77:EE:BE:91:9B:43:3D:9D:10:15:8E
GoDaddy, Oct 14, 2023, trustedCertEntry,
Certificate fingerprint (SHA1): 8A:7B:10:43:A1:BE:78:D0:CF:12:9F:02:8C:99:F2:3D:1A:69:81:1D
example.com, May 12, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA1): D0:80:B9:77:80:F9:DA:FF:77:54:4F:36:B1:A8:03:6F:25:EE:1C:72
The Java keytool command with the -alias and -v (verbose) flags can be used to display the details of a trustedCertEntry or PrivateKeyEntry in the keystore. The Alias name of the trustedCertEntry or PrivateKeyEntry should exactly match the keyAlias in your Tomcat server.xml file.
~]# keytool -keystore /path/to/keystore.p12 -storetype pkcs12 -list -v -alias example.com
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: example.com
Creation date: Feb 10, 2023
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=www.example.com, OU=Information Technology, O=Acme, L=Appleton, ST=WI, C=US
Issuer: CN=IntermediateCA, DC=example, DC=com
Serial number: 3a000001d8af30a16a44402b790001000001d8
Valid from: Wed Jun 29 14:30:15 UTC 2022 until: Thu Jun 29 14:30:15 UTC 2023
Certificate fingerprints:
SHA1: D0:80:B9:77:80:F9:DA:FF:77:54:4F:36:B1:A8:03:6F:25:EE:1C:72
SHA256: 14:8C:CD:59:A9:C4:48:45:33:28:C3:AE:E7:6C:B6:1E:0A:F5:3B:9C:64:E5:BB:02:69:30:81:D9:6D:5F:06:AD
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
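
The comparison described above, as an added example (not the author's or Tomcat's code): it reads keyAlias from the Connector and checks it, as an exact match, against the aliases in keytool -list output, and also reports an alias that names a trustedCertEntry rather than a PrivateKeyEntry. The inputs are constructed samples modelled on the listings above, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples modelled on the article's listings (fingerprint lines omitted).
CONNECTOR_XML = """<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    keystoreFile="keystore.p12" keyAlias="www.example.com" />"""

KEYTOOL_LIST = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

DigiCert, Aug 21, 2023, trustedCertEntry,
GoDaddy, Oct 14, 2023, trustedCertEntry,
example.com, May 12, 2023, PrivateKeyEntry,
"""

# "<alias>, <Mon> <day>, <year>, <entry type>," as printed by keytool -list
# in an English locale (assumption: other locales format the date differently).
ENTRY_RE = re.compile(r"^(?P<alias>.+), \w{3} \d{1,2}, \d{4}, (?P<type>\w+Entry),?\s*$")

def keystore_entries(listing):
    """Map each alias in `keytool -list` output to its entry type."""
    entries = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries

def check_key_alias(connector_xml, listing):
    """Return (status, key_aliases) for the Connector's keyAlias.

    status is "ok", "missing" (no such alias) or "not-a-key-entry"
    (alias exists but holds only a certificate, no private key).
    """
    alias = ET.fromstring(connector_xml).get("keyAlias")
    entries = keystore_entries(listing)
    key_aliases = sorted(a for a, t in entries.items() if t == "PrivateKeyEntry")
    if alias not in entries:
        return "missing", key_aliases
    if entries[alias] != "PrivateKeyEntry":
        return "not-a-key-entry", key_aliases
    return "ok", key_aliases

if __name__ == "__main__":
    status, candidates = check_key_alias(CONNECTOR_XML, KEYTOOL_LIST)
    print(f"keyAlias status: {status}; PrivateKeyEntry aliases: {candidates}")
```

To run it against a real setup, pass the Connector element from server.xml and the saved output of the keytool -list command in place of the two sample strings.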