SSL certificate is imported as a trustedCertEntry, tomcat is unable to start

Scott Poirier July 8, 2020

Summary: I am trying to update the SSL certificate for our BitBucket server. I am seeking assistance installing the new p7s certificate as a PrivateKey type in my keystore.

As per the instructions on Confluence I created a local self-signed certificate in a new keystore titled "bitbucket-keystore", using the following command:

"%JAVA_HOME%\bin\keytool" -genkey -alias sc.phgic.com -keyalg RSA -sigalg SHA256withRSA -keystore <Bitbucket home>\shared\config\bitbucket-keystore

Next, I used the keytool to generate a CSR and submitted the CSR to our certificate authority (CA) for signing. 

After receiving the download link from the CA, I downloaded the SSL certificate in PKCS7 format, and ran the following command to install it on my keystore:

"%JAVA_HOME%\bin\keytool" -import -alias sc.phgic.com -file sc_phgic_com.p7s -keystore <Bitbucket home>\shared\config\bitbucket-keystore

The import appeared to be successful. I restarted the BitBucket service, but it failed to start. I discovered the following exception in the logs: java.io.IOException: Alias name [sc.phgic.com] does not identify a key entry

I searched the Knowledge Base and found this related issue:
https://confluence.atlassian.com/bitbucketserverkb/unable-to-start-tomcat-due-to-java-io-ioexception-alias-name-not-identifying-a-key-entry-943541751.html

Re: Cause #1, I confirmed the alias in the keystore matches the alias in our configuration file, and the keystore does contain this alias:

[Screenshots: config.png; 2020-07-08 12_26_29-tfserver - Remote Desktop Connection.png (keystore listing)]

So, I suspect the root problem is Cause #2 - entry type is trustedCertEntry instead of PrivateKey.

(I also tried installing the intermediate and server certificate as separate .cer files, and received the following error: Input not an X.509 certificate)

I would prefer to work with a single .p7s file; but, how can this be installed as a PrivateKey entry type rather than trustedCertEntry?

Is there possibly some other issue with the private key in my keystore preventing this certificate from being installed as the correct entry type?
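The following is an added example, not code from the original post or from Atlassian, that does at the KeyStore API level what keytool does in the two procedures discussed on this page: it checks which entry type an alias holds (the "does not identify a key entry" error means the alias is a trustedCertEntry or absent), and then either attaches a CA reply (.p7s/.p7b PKCS#7 or a PEM bundle) to the key pair already under the alias (the -certreq/-importcert route), or copies key and chain out of a .pfx/.p12 (the -importkeystore route). The class name, the command-line argument order, the file-extension detection, and the assumption that the store password is also the key password (which is what keytool -genkey sets when -keypass is not given) are all choices made for this example.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/* Added example, not Atlassian code. Usage (argument names are assumptions):
 *   java KeystoreChainRepair <keystore> <password> <alias> <reply.p7s | bundle.pem | cert.pfx>
 * Assumes the key password equals the store password (keytool -genkey default). */
public class KeystoreChainRepair {

    static KeyStore load(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    /* CertificateFactory reads PKCS#7 (DER or PEM) and concatenated PEM; anything else
     * fails here with the same "not an X.509 certificate" class of error keytool reports. */
    static List<X509Certificate> parseCerts(String path) throws Exception {
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        if (certs.isEmpty()) throw new IllegalArgumentException(path + ": contains no X.509 certificates");
        return certs;
    }

    /* Leaf first: the certificate whose public key is our key pair's, then each issuer up to the root. */
    static X509Certificate[] orderChain(List<X509Certificate> certs, PublicKey ours) {
        List<X509Certificate> ordered = new ArrayList<>();
        for (X509Certificate c : certs) {
            if (c.getPublicKey().equals(ours)) { ordered.add(c); break; }
        }
        if (ordered.isEmpty()) throw new IllegalStateException(
                "no certificate matches the key pair under this alias: the CSR came from another key or keystore");
        X509Certificate cur = ordered.get(0);
        while (!cur.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) {
            X509Certificate issuer = null;
            for (X509Certificate c : certs) {
                if (!ordered.contains(c) && c.getSubjectX500Principal().equals(cur.getIssuerX500Principal())) {
                    issuer = c; break;
                }
            }
            if (issuer == null) break; // intermediate or root not in the file; Tomcat will still need it
            ordered.add(issuer);
            cur = issuer;
        }
        return ordered.toArray(new X509Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystoreChainRepair <keystore> <password> <alias> <reply.p7s|bundle.pem|cert.pfx>");
            System.exit(2);
        }
        String ksPath = args[0], alias = args[2], source = args[3];
        char[] pw = args[1].toCharArray();
        KeyStore ks = load(KeyStore.getDefaultType(), ksPath, pw); // same default type keytool -genkey used
        PrivateKey key;
        X509Certificate[] chain;
        String lower = source.toLowerCase();
        if (lower.endsWith(".pfx") || lower.endsWith(".p12")) {
            // -importkeystore route: the PKCS#12 carries its own private key and chain.
            KeyStore p12 = load("PKCS12", source, pw);
            String src = null;
            for (String a : Collections.list(p12.aliases())) { if (p12.isKeyEntry(a)) { src = a; break; } }
            if (src == null) throw new IllegalStateException(source + ": no private key inside (exported without the key?)");
            key = (PrivateKey) p12.getKey(src, pw);
            Certificate[] c = p12.getCertificateChain(src);
            chain = Arrays.copyOf(c, c.length, X509Certificate[].class);
        } else {
            // -certreq/-importcert route: the key pair must already sit under the alias.
            if (!ks.containsAlias(alias)) throw new IllegalStateException(
                    "Cause 1: alias '" + alias + "' not present; aliases: " + Collections.list(ks.aliases()));
            if (ks.isCertificateEntry(alias)) throw new IllegalStateException(
                    "Cause 2: '" + alias + "' is a trustedCertEntry, there is no private key to attach the reply to");
            key = (PrivateKey) ks.getKey(alias, pw);
            // The self-signed certificate written by -genkey carries the public half of the key pair.
            chain = orderChain(parseCerts(source), ks.getCertificate(alias).getPublicKey());
        }
        chain[0].checkValidity(); // fail early on an expired or not-yet-valid leaf
        ks.setKeyEntry(alias, key, pw, chain); // a trustedCertEntry under the same alias is replaced
        try (OutputStream out = new FileOutputStream(ksPath)) { ks.store(out, pw); }
        System.out.println(alias + ": PrivateKeyEntry with " + chain.length + " cert(s), subject "
                + chain[0].getSubjectX500Principal());
    }
}
```

Run it against a copy of the keystore first, then confirm with `keytool -list -v -keystore <file>` that the alias now reads "Entry type: PrivateKeyEntry" and that "Certificate chain length" covers the intermediate(s); a chain of length 1 after a reply import means the intermediate was not in the file and clients will see an incomplete chain even though Tomcat starts.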

1 answer

1 accepted

0 votes
Answer accepted
Scott Poirier July 9, 2020

We ended up having our CA reissue our certificate using a CSR generated from IIS, and then exporting the new certificate as a pfx file with the private key from Windows Cert Manager, and finally, using the importkeystore keytool command to import the certificate into the existing keystore. We updated the config file, restarted BitBucket, and the site is now secure with the new certificate.

I don't know what was wrong with the original keystore that was used. But this alternative method of creating and managing the certificate is viable and easier.

Scott Barr September 30, 2021

How did you import the .pfx file? Just import into the Windows Cert manager and re-export without the private key? I like this idea, just not quite able to make this path work for me.
