CAST AIP - SSL - Errors - Alias name does not identify a key entry

When you are setting up SSL and this message appears in the log (where xxx is the alias you have setup):

Alias name [xxxx] does not identify a key entry


Example of log:


Caused by: java.lang.IllegalArgumentException: Alias name [cast] does not identify a key entry

at ~[tomcat-embed-core-9.0.63.jar!/:na]

at ~[tomcat-embed-core-9.0.63.jar!/:na]

at ~[tomcat-embed-core-9.0.63.jar!/:na]

at ~[tomcat-embed-core-9.0.63.jar!/:na]

at ~[tomcat-embed-core-9.0.63.jar!/:na]

at org.apache.coyote.AbstractProtocol.start( ~[tomcat-embed-core-9.0.63.jar!/:na]

at org.apache.catalina.connector.Connector.startInternal( ~[tomcat-embed-core-9.0.63.jar!/:na]



Observed in CAST AIP

8.3.x  (tick)



Observed in RDBMS

CSS  (tick)



Step by Step scenario

Encountered error in logs


Action Plan


The issue normally occurs because the key stored in the Java keystore is a certificate only entry and the configuration requires the entry to be a certificate/key pair in the Java keystore.

This can happen if you were provided a key and certificate separately (*.pem and *.crt file normally).

The best solution is to go back to the person who provided this and get a *.pk7 format file and passphrase which would have both the key and certificate in the file, and then import this into the keystore.

Otherwise you need to somehow gain access to the openssl tool and do something like the following (see Secure Socket Layer (SSL) Tools for information on keytool and openssl):


  • Convert the key and certificate to a *.p12 type using the openssl tool:
    • openssl pkcs12 -export -name cast -in in/file.cer -inkey in/key.pem -out out/keystore.p12
  • Then run this keytool command (the source keystore password is the password you give above, the destination is the one for cacerts):
    • keytool -importkeystore -destkeystore "C:\Program Files\Java\jdk-11.0.16\lib\security\cacerts" -srckeystore "C:\temp\keystore.p12" -srcstoretype pkcs12 -alias cast
    • You may get a warning about migrating from a jks keystore to a pkcs12 keystore.
  • Then when you list entries in the keystore, you should see one which has both the key and certificate:


If the above steps do not solve your issue contact CAST Technical Support. with the following Relevant input


Relevant input

  • CAST Log file
  • A detailed list of the steps done
  • Screenshots from part of AIP showing the issue 


Ticket # 38360





Have more questions? Submit a request


Powered by Zendesk