Keystore problem during switch to HTTPS

I’m trying to activate HTTPS during the upgrade to YouTrack 2019.2.58110. In the Alias field I put the Friendly Name that I used during the certificate signing phase, but no matter what I fill in it keeps saying “The specified alias either does not exist in the keystore file or does not identify server certificate”. I also tried to fill in other certificate attributes but nothing works. The Friendly Name is “ythb 18-04-2019”. Is the space creating the problem? I also once changed the Friendly Name to ythb and recreated the keystore file, but that gave the same result. My keystore is a certificate export to a pfx file with the public and private key in it, and protected with a password. What am I doing wrong?
Official comment


Thank you for reaching out. Please create a support request here and share the conf folder, full logs and your certificate. I'm looking forward to your reply. 

If you don't mind, could you reveal the solution to this case? I am experiencing the exact same issue for something that should be trivial to set up. Any help is appreciated.





I'm afraid there is no standard solution - we investigate each case separately. Please create a support request and share the conf folder, full logs and your certificate. Also, please mention the version number of YouTrack you use. I'm looking forward to your reply.


keytool.exe -v -list -storetype pkcs12 -keystore "location of pfx" -storepass "password for pfx"

There you'll find the alias name.


For me I just couldn't get the keystore UI to get past that unhelpful error. (This is for trying to use a certificate from my own internal CA.) So I used the PrivateKey/Certificate tab instead and that did work, but it's not easy to get the values that go in those boxes from Windows.

Note that if you use a certificate using JetBrains' current instructions it will have no “Subject Alternative Name” (SAN) and will still be rejected by browsers. It also has no friendly name. (It also would be self-signed and not come from your own CA and so not trusted by your browser.)

There are a lot of steps to issuing the certificate in the first place. Hopefully you have that part figured out already in Windows.

Once you have a certificate, export it as a .pfx. But you can't use it directly since the YouTrack UI will not accept it for unknown reasons. Instead, I used openssl to export the key and certificate (and certificate “chain” (the CA cert)) separately.

openssl pkcs12 -in <pfxfile> -nocerts -out <encryptedkeyfile>

This exports the key, but you will have to provide the pfx password and then a password for the key. The key is encrypted and the YouTrack UI won't accept an encrypted key file so you need to decrypt it.

openssl rsa -in <encryptedkeyfile> -out <unencryptedkeyfile>

This decrypts the key. (Probably be careful with this file/data since it is the unencrypted private key! But this is what YouTrack wants in the Private Key box.)

openssl pkcs12 -in <pfxfile> -nokeys -out <certfile>

This exports the certificate (chain). In the resulting file you will find your certificate as well as any root certificates (your CA). Copy/paste the first certificate to the certificate box and the second certificate to the certificate chain box.

While the YouTrack UI refused to use the .pfx file, it did accept these values instead.

I'm not sure if it's possible to do this without openssl. It's also possible the above could be simplified, not sure, but this did work.
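
The extraction steps from the post above as one script, added here as an example (not the poster's own commands): it uses `-nodes` with `openssl pkey` in place of the separate `openssl rsa` step, writes the unencrypted key with owner-only permissions, and checks that key and certificate belong together. The function names, output file names, the `PFX_PASS` variable and the sample data are assumptions.

```sh
#!/bin/sh
# Added example (not from the thread). File names and sample values are illustrative.
# The .pfx password is read from the exported variable PFX_PASS (an assumed name),
# so it is not passed on the openssl command line.

# Print the friendlyName attribute stored with the certificate in the .pfx.
pfx_friendly_name() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# split_pfx PFX OUTDIR: write key.pem, cert.pem and chain.pem into OUTDIR.
split_pfx() {
    pfx=$1; out=$2
    # Unencrypted private key: create it readable by the owner only.
    ( umask 077
      openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
          openssl pkey -out "$out/key.pem" 2>/dev/null ) || return 1
    # Server certificate only (the entry that belongs to the private key).
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 -out "$out/cert.pem" 2>/dev/null || return 1
    # Remaining (CA) certificates, with the "Bag Attributes" text stripped.
    openssl pkcs12 -in "$pfx" -passin env:PFX_PASS -nokeys -cacerts 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
            > "$out/chain.pem"
}

# Succeed only if the key and the certificate carry the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Constructed test data: throwaway CA and server certificate packed into
# DIR/sample.pfx with password "changeit" and a friendly name containing a space.
make_sample_pfx() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=youtrack.example.test" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/srv.key" -in "$d/srv.crt" \
        -certfile "$d/ca.crt" -name "ythb 18-04-2019" \
        -passout pass:changeit -out "$d/sample.pfx"
}
```

With OpenSSL 3, a .pfx protected with older algorithms such as RC2 may additionally need the `-legacy` option on the `pkcs12` commands.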

