Unable to use .pfx ssl cert using cacerts keystore in Spectrum
Article ID: 415879

Products

Network Observability Spectrum

Issue/Introduction

I tried to convert the .pfx to .pem using openssl pkcs12 -in cert.pfx -out pkcs.pem, but in this case I had an error while adding it to the keystore: keytool error: java.lang.Exception: Input not an X.509 certificate

Environment

any supported Spectrum release

Cause

  • A PFX/PKCS#12 file always has a container password.
    • This is required when you create or export the .pfx.
    • It protects the bundle (private key + cert + chain).
    • You must supply this password when importing into a Java keystore.
  • Inside the keystore, each entry (certificate + keypair) has an alias.
    • The alias is just a label (e.g., tomcatssl).
    • By default, when you import a PFX into a JKS, the key password for that alias is set to the same as the keystore password (unless you explicitly change it).
    • Tomcat (and Spectrum OneClick) expects the keystore password and key password to match. If they don’t, you’ll need to specify both in server.xml.


Here’s how you can check which alias (or aliases) exists inside your PFX file before you import it into Spectrum OneClick’s Tomcat keystore. This way you’ll know exactly what to reference in server.xml.

$SPECROOT/Java/bin/keytool -v -list -storetype PKCS12 -keystore D:/path/to/cert.pfx -storepass <yourPFXpassword>

The “Alias name” from the output is what you’ll use in server.xml as keyAlias.

Resolution

Option 1: Use the PFX Directly

Edit D:/Spectrum/tomcat/conf/server.xml and configure the HTTPS connector (THIS IS JUST AN EXAMPLE TO SHOW THE DIFFERENCES):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="D:/Spectrum/custom/keystore/cert.pfx"
           keystoreType="PKCS12"
           keystorePass="yourPFXpassword"
           keyAlias="tomcatssl"
           clientAuth="false" sslProtocol="TLS" />


Option 2: Convert PFX → JKS

$SPECROOT/Java/bin/keytool -importkeystore -srckeystore D:/path/to/cert.pfx -srcstoretype PKCS12 -srcstorepass <pfxpassword> -destkeystore D:/path/to/Spectrum/custom/keystore/oneclick.jks -deststoretype JKS -deststorepass <newpassword> -alias tomcatssl
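Added here as an example (it is not part of the article and not Spectrum's own tooling): a POSIX shell helper that wraps the alias check and the PFX → JKS conversion above, pinning the key password to the new keystore password so the two match as Tomcat expects, and verifying afterwards that the alias actually landed in the JKS. The keytool location, file paths, alias and passwords are assumptions supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the article: a small helper that wraps the alias
# check and the PFX -> JKS migration above. Assumes keytool is on PATH
# (on a Spectrum host, $SPECROOT/Java/bin/keytool) and that file paths,
# the alias and the passwords are supplied by the caller.
set -eu

# Parse alias names out of `keytool -v -list` output read from stdin, one per
# line. Pure text processing, so it can be exercised on captured output.
pfx_aliases() {
    sed -n 's/^Alias name: *//p'
}

# Count PrivateKeyEntry items in `keytool -v -list` output read from stdin.
# Tomcat needs a keypair entry under keyAlias; a bundle holding only
# trustedCertEntry items (certificate without private key) cannot serve TLS.
count_key_entries() {
    grep -c '^Entry type: PrivateKeyEntry' || true
}

# List the aliases in a PFX so the right keyAlias can be put in server.xml.
# Note: keytool also accepts -storepass:env VAR / -storepass:file PATH, which
# keeps the password out of the process list and shell history.
list_pfx_aliases() {
    keytool -v -list -storetype PKCS12 -keystore "$1" -storepass "$2" | pfx_aliases
}

# Migrate one alias from the PFX into a JKS. -destkeypass is pinned to the
# destination store password so the keystore and key passwords match, which
# is what Tomcat/OneClick expect; the final keytool -list fails (non-zero
# exit, so the script aborts under set -e) if the alias did not land in the JKS.
# Arguments: pfx pfxpassword alias jks jkspassword
convert_pfx_to_jks() {
    pfx=$1 pfxpass=$2 alias=$3 jks=$4 jkspass=$5
    keytool -importkeystore \
        -srckeystore "$pfx" -srcstoretype PKCS12 -srcstorepass "$pfxpass" \
        -srcalias "$alias" -destalias "$alias" \
        -destkeystore "$jks" -deststoretype JKS \
        -deststorepass "$jkspass" -destkeypass "$jkspass"
    keytool -list -keystore "$jks" -storetype JKS \
        -storepass "$jkspass" -alias "$alias" >/dev/null
}

# Usage: sh pfx2jks.sh cert.pfx <pfxpassword> tomcatssl oneclick.jks <newpassword>
if [ "$#" -eq 5 ]; then
    convert_pfx_to_jks "$@"
fi
```

Run list_pfx_aliases first and use its output as the alias argument; the keystore password you choose for the JKS is the value that goes into keystorePass in server.xml.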

Update server.xml (THIS IS JUST AN EXAMPLE TO SHOW THE DIFFERENCES):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="D:/Spectrum/custom/keystore/oneclick.jks"
           keystoreType="JKS"
           keystorePass="newpassword"
           keyAlias="tomcatssl"
           clientAuth="false" sslProtocol="TLS" />