Tomcat 9 invalid keystore password

Trying to set up SSL in Tomcat 9 using JDK 10 on Windows 10. When I follow an online tutorial to create a Java keystore using the default password 'changeit', everything works fine and Tomcat starts with no errors. But if I create a keystore using a keystore password other than 'changeit', Tomcat throws this error:

Caused by: java.lang.IllegalArgumentException: keystore password was incorrect

This is the command to create a keystore:

keytool -genkey -alias tomcat -keyalg RSA -keystore c:\certificates\tomcatkeystore

This is the SSL connector that works.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:/certificates/tomcatkeystore"
                     type="RSA" clientAuth="false" sslProtocol="TLS" keystorePass="changeit" />
    </SSLHostConfig>
</Connector>

SSL connector that does not work.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:/certificates/tomcatkeystore"
                     type="RSA" clientAuth="false" sslProtocol="TLS" keystorePass="testing" />
    </SSLHostConfig>
</Connector>

Why, if I follow exactly the same steps as above but change to a different keystore password and specify it in server.xml, do I get the above Tomcat error?

NOTE: one thing I noticed in both cases is that the keytool command never prompts me for the 'key password' like many online examples show. Is there a different keytool command I need when using other than the default 'changeit' password?

Thanks.

Marquinio asked Aug 03 '18 21:08


1 Answer

OK, I was able to solve this. My problem was that I was using the wrong connector attribute to specify the keystore password. In my example I was using "keystorepass" and the correct one should be "certificateKeystorePassword". Maybe I missed it in the logs, but Tomcat didn't seem to be throwing an appropriate error like 'bad attribute for connector', which would have been useful.

Seems like Tomcat has different connectors, so you have to use the correct ones:

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support

Marquinio answered Oct 05 '22 04:10
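Because Tomcat silently ignores attributes it does not recognise on `<Certificate>`, a misnamed password attribute only shows up indirectly as "keystore password was incorrect" once the default 'changeit' no longer matches. The small check below is an added example (not code from the asker or from the Tomcat project) that parses a server.xml fragment, flags every `<Certificate>` attribute that Tomcat 9 does not define, and renames the legacy keystore attributes to their Tomcat 9 names. The list of valid `<Certificate>` attributes and the legacy-to-new mapping are taken from the Tomcat 9 HTTP connector documentation linked in the answer; the sample input is the asker's non-working connector, embedded here as constructed test data.

```python
import xml.etree.ElementTree as ET

# Attributes Tomcat 9 defines on <Certificate> (Tomcat 9 HTTP connector docs, SSL Support).
CERTIFICATE_ATTRS = {
    "certificateFile", "certificateKeyFile", "certificateChainFile",
    "certificateKeyAlias", "certificateKeyPassword",
    "certificateKeystoreFile", "certificateKeystorePassword",
    "certificateKeystoreProvider", "certificateKeystoreType",
    "type",
}

# Legacy (Tomcat 8.0-style) Connector attributes that are easy to paste into
# <Certificate> by mistake, mapped to the Tomcat 9 element and attribute that
# replace them. Keys are lower-cased so "keystorepass" is caught as well.
LEGACY_MAP = {
    "keystorefile": ("Certificate", "certificateKeystoreFile"),
    "keystorepass": ("Certificate", "certificateKeystorePassword"),
    "keystoretype": ("Certificate", "certificateKeystoreType"),
    "keyalias": ("Certificate", "certificateKeyAlias"),
    "keypass": ("Certificate", "certificateKeyPassword"),
    "clientauth": ("SSLHostConfig", "certificateVerification"),
    "sslprotocol": ("SSLHostConfig", "sslProtocol"),
}

# Constructed sample input: the asker's non-working connector from the question.
SAMPLE_SERVER_XML = """\
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:/certificates/tomcatkeystore"
                     type="RSA" clientAuth="false" sslProtocol="TLS" keystorePass="testing" />
    </SSLHostConfig>
</Connector>
"""


def lint_certificates(server_xml):
    """Return (attribute, advice) pairs for every <Certificate> attribute that
    Tomcat 9 does not define. Tomcat drops such attributes instead of failing,
    so the only symptom is a later 'keystore password was incorrect'."""
    findings = []
    for cert in ET.fromstring(server_xml).iter("Certificate"):
        for name in cert.attrib:
            if name in CERTIFICATE_ATTRS:
                continue
            legacy = LEGACY_MAP.get(name.lower())
            if legacy:
                element, replacement = legacy
                findings.append((name, f"use {replacement} on <{element}>"))
            else:
                findings.append((name, "not a Tomcat 9 attribute; it will be ignored"))
    return findings


def rename_legacy_keystore_attrs(server_xml):
    """Rename legacy keystore attributes on <Certificate> to their Tomcat 9 names
    and return the rewritten XML. Attributes that belong on <SSLHostConfig>
    (clientAuth, sslProtocol) need their values translated, not just a rename,
    so they are left in place and still reported by lint_certificates()."""
    root = ET.fromstring(server_xml)
    for cert in root.iter("Certificate"):
        for name in list(cert.attrib):
            legacy = LEGACY_MAP.get(name.lower())
            if legacy and legacy[0] == "Certificate":
                cert.set(legacy[1], cert.attrib.pop(name))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for attr, advice in lint_certificates(SAMPLE_SERVER_XML):
        print(f"{attr}: {advice}")
    print(rename_legacy_keystore_attrs(SAMPLE_SERVER_XML))
```

Run it against the asker's connector and it reports `keystorePass` (use certificateKeystorePassword on `<Certificate>`) together with `clientAuth` and `sslProtocol`, which are also legacy Connector attributes rather than `<Certificate>` ones. On the keytool side of the question: JDK 9 and later create PKCS12 keystores by default, and PKCS12 uses a single password for the store and the key, which is why `keytool -genkey` no longer prompts for a separate key password.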