Bug 59910

Summary: certificateKeyAlias required to be set
Product: Tomcat 8 Reporter: Mike Noordermeer <mike>
Component: ConnectorsAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: normal    
Priority: P2    
Version: 8.5.x-trunk   
Target Milestone: ----   
Hardware: All   
OS: All   

Description Mike Noordermeer 2016-07-29 09:08:31 UTC 
The documentation states that certificateKeyAlias is optional, and that "If not specified, the first key read from the keystore will be used". It seems that since r1713277, the default of this variable is set to "tomcat", which leads to the following exception if the name of the certificate is different:

> java.lang.IllegalArgumentException: java.io.IOException: Alias name tomcat does not identify a key entry
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
Comment 1 Mike Noordermeer 2016-07-29 09:13:38 UTC 
Btw, this is with JSSE and a PFX certificate containing only one entry.
Comment 2 Remy Maucherat 2016-08-02 12:50:35 UTC 
This was changed since it's a lot harder to do properly with OpenSSL and so it needs an alias name. For consistency, it could be best to keep the new default for both JSSE and OpenSSL, and fix the documentation.
Comment 3 Mike Noordermeer 2016-08-02 13:15:28 UTC 
I wouldn't be too happy with that, as most people are not even aware of the fact that a PFX can contain multiple certificates and keys. And in that case it would probably be better to require the user to set a certificateKeyAlias, instead of relying on the default 'tomcat'.
Comment 4 Remy Maucherat 2016-08-02 13:20:38 UTC 
Thanks for the feedback, but I disagree with that. All of our current examples and howtos use "tomcat" as key alias, and "changeit" as password (it is the hardcoded default, just like "tomcat" is hardcoded again - I think it used to be this way sometime in the past).
Comment 5 Mike Noordermeer 2016-08-02 20:10:50 UTC 
That may be the case, but a PFX file almost always has a password, so people set the password. Nobody knows what the key alias is though (and nobody specifies the name when creating the PFX). This is just going from my experience with the sysadmins we work with, and maybe these sysadmins are to blame, but I think this new 'feature' (or more precisely, the removal of the automatic key alias detection feature) worsens the user experience.

If it's really difficult with OpenSSL, I can understand the change, but it's still a shame.
Comment 6 Remy Maucherat 2016-08-02 23:18:33 UTC 
Ok, I experimented and the inconsistency seems acceptable and there's no hardcoding when not needed. It will be included in 9.0.0.M10 and 8.5.5.