Login to Enforce Server console shows invalid SSL certificate in browser


Article ID: 231702


Products

Data Loss Prevention, Data Loss Prevention Enforce

Issue/Introduction

The Enforce Server console still shows certificate warnings after importing a new SSL certificate using the steps from Article ID: 160518.

No certificate is loaded when we navigate to the Enforce Server console in a browser, and the localhost log shows the error below:

java.lang.IllegalArgumentException: Alias name [null] does not identify a key entry

Environment

Release: 15.7 and above.

Component: Enforce Server administrator console.

Cause

When importing the certificate as described in step 6 of Article ID: 160518, if the .keystore file has been moved or deleted, or an incorrect path is given after -keystore in the command below, and no .keystore file exists at that location, running the command creates a new keystore file.

keytool -import -alias tomcat -keystore "<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\.keystore" -trustcacerts -file "<DRIVE>:\Program Files\AdoptOpenJRE\jdk8u<version>-jre\bin\tomcat.cer"

The command does not fail with a ".keystore not found" error; it runs successfully and creates a new .keystore file. In this scenario the command prompts for a new password for the keystore.

Because this .keystore file is newly created, it does not contain the private key with which the CSR was generated, so the certificate does not load in the browser when accessing the Enforce Server console.

Resolution

You can view the .keystore contents with the following command:

keytool -v -list -keystore .keystore

It lists all certificates and private keys with their alias names.

Using the command above, check whether the keystore includes the private key created while generating the CSR in step 3 of Article ID: 160518. The private key's creation date can be used to identify the correct private key.

Make sure the .keystore contains this private key and import the certificate into this same .keystore. If the original .keystore file is lost, a new CSR must be generated by following the process in KB 160518.
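The check above can be scripted: parse the output of keytool -v -list and refuse to run the import unless the keystore file exists and holds a PrivateKeyEntry under the alias the import targets (tomcat in the command above). This is an added example, not part of the article or of the product; the sample listing is constructed and the alias/date values in it are assumptions.

```python
"""Pre-flight check before `keytool -import`: confirm the target .keystore
already exists and holds the private key the CSR was generated from, so the
import does not silently create a fresh, keyless keystore.
Added example; it parses the text that `keytool -v -list -keystore .keystore`
prints. SAMPLE_LISTING is constructed, not captured from a real server."""
import re

# Constructed sample of `keytool -v -list` output (certificate details trimmed).
SAMPLE_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Mar 3, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 1

*******************************************
*******************************************

Alias name: rootca
Creation date: Mar 1, 2022
Entry type: trustedCertEntry
"""

# Each entry starts with three fixed header lines in this order.
ENTRY_RE = re.compile(
    r"^Alias name: (?P<alias>.+)\r?\nCreation date: (?P<date>.+)\r?\n"
    r"Entry type: (?P<type>\S+)", re.MULTILINE)


def parse_entries(listing):
    """Return [(alias, creation_date, entry_type), ...] from a keytool listing."""
    return [(m["alias"].strip(), m["date"].strip(), m["type"])
            for m in ENTRY_RE.finditer(listing)]


def private_key_entries(listing):
    """Aliases (with creation date) that hold a private key, i.e. CSR candidates."""
    return [(a, d) for a, d, t in parse_entries(listing) if t == "PrivateKeyEntry"]


def import_preflight(listing, alias, keystore_exists):
    """(ok, reason): is it safe to run `keytool -import -alias <alias>` here?"""
    if not keystore_exists:
        # keytool would create a new, empty keystore here instead of failing.
        return False, "keystore file not found at the -keystore path; check the path"
    keys = dict(private_key_entries(listing))
    if alias not in keys:
        return False, f"no PrivateKeyEntry for alias '{alias}'; regenerate the CSR"
    return True, f"alias '{alias}' has a private key created {keys[alias]}"
```

Run keytool -v -list yourself, pass its output and the result of a file-existence check to import_preflight, and only run the import when it returns True.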

Additional Information

This behavior of keytool is by design, as described in the Oracle documentation linked below.

Link to keytool (oracle.com).


-keystore keystore


The keystore location.

If the JKS storetype is used and a keystore file does not yet exist, then certain keytool commands can result in a new keystore file being created. For example, if keytool -genkeypair is called and the -keystore option is not specified, the default keystore file named .keystore in the user's home directory is created when it does not already exist.