Bug 59910 - certificateKeyAlias required to be set
Summary: certificateKeyAlias required to be set
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors (show other bugs)
Version: 8.5.x-trunk
Hardware: All All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2016-07-29 09:08 UTC by Mike Noordermeer
Modified: 2016-08-02 23:18 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Mike Noordermeer 2016-07-29 09:08:31 UTC
The documentation states that certificateKeyAlias is optional, and that "If not specified, the first key read from the keystore will be used". It seems that since r1713277, the default of this variable is set to "tomcat", which leads to the following exception if the name of the certificate is different:

> java.lang.IllegalArgumentException: java.io.IOException: Alias name tomcat does not identify a key entry
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
Comment 1 Mike Noordermeer 2016-07-29 09:13:38 UTC
Btw, this is with JSSE and a PFX certificate containing only one entry.
Comment 2 Remy Maucherat 2016-08-02 12:50:35 UTC
This was changed since it's a lot harder to do properly with OpenSSL and so it needs an alias name. For consistency, it could be best to keep the new default for both JSSE and OpenSSL, and fix the documentation.
Comment 3 Mike Noordermeer 2016-08-02 13:15:28 UTC
I wouldn't be too happy with that, as most people are not even aware of the fact that a PFX can contain multiple certificates and keys. And in that case it would probably be better to require the user to set a certificateKeyAlias, instead of relying on the default 'tomcat'.
Comment 4 Remy Maucherat 2016-08-02 13:20:38 UTC
Thanks for the feedback, but I disagree with that. All of our current examples and howtos use "tomcat" as key alias, and "changeit" as password (it is the hardcoded default, just like "tomcat" is hardcoded again - I think it used to be this way sometime in the past).
Comment 5 Mike Noordermeer 2016-08-02 20:10:50 UTC
That may be the case, but a PFX file almost always has a password, so people set the password. Nobody knows what the key alias is though (and nobody specifies the name when creating the PFX). This is just going from my experience with the sysadmins we work with, and maybe these sysadmins are to blame, but I think this new 'feature' (or more precisely, the removal of the automatic key alias detection feature) worsens the user experience.

If it's really difficult with OpenSSL, I can understand the change, but it's still a shame.
Comment 6 Remy Maucherat 2016-08-02 23:18:33 UTC
Ok, I experimented and the inconsistency seems acceptable and there's no hardcoding when not needed. It will be included in 9.0.0.M10 and 8.5.5.