如何使用 Tomcat 5.5 更新 SSL 证书

我的客户正在运行 Tomcat 5.5 并使用 SSL。他们的证书即将过期，他们已经购买了续订。他们给了我一个 .cer 文件并要求我更新 Tomcat。

现有的 server.xml 包含以下连接器：

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="companyname.keystore" keyAlias="tomcat2" />

我跑了%JAVA_HOME%\bin\keytool -list -keystore companyname.keystore

Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

root, Aug 7, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
tomcat, Jun 12, 2007, keyEntry,
Certificate fingerprint (MD5): 33:80:6F:75:5A:B4:BC:C7:7A:7D:4F:3F:FA:C0:95:2F
tomcat2, Jun 14, 2008, keyEntry,
Certificate fingerprint (MD5): 0A:9B:73:6A:EE:2F:18:99:61:49:28:F3:CD:1E:DF:96

如果我删除别名为“tomcat”的条目，SSL 仍然有效。我假设这是之前过期证书的产物。

%JAVA_HOME%\bin\keytool -import -keystore 公司名称.keystore -alias tomcat3 -file 2009cert.cer

我更新了 server.xml 以将 keyAlias 设置为 tomcat3。当我重新启动 Tomcat 时，我在日志中看到以下内容：

SEVERE: Error initializing endpoint
java.io.IOException: Alias name tomcat3 does not identify a key entry
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
    (etc.)

当我重新运行 keytool -list 命令时：

Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries

root, Aug 7, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
tomcat, Jun 12, 2007, keyEntry,
Certificate fingerprint (MD5): 33:80:6F:75:5A:B4:BC:C7:7A:7D:4F:3F:FA:C0:95:2F
tomcat3, Jul 21, 2009, trustedCertEntry,
Certificate fingerprint (MD5): 8E:9F:F9:52:7B:07:B1:DB:BF:F3:96:BD:5F:49:2E:9F
tomcat2, Jun 14, 2008, keyEntry,
Certificate fingerprint (MD5): 0A:9B:73:6A:EE:2F:18:99:61:49:28:F3:CD:1E:DF:96

这是否与 tomcat3 条目被标记为“trustedCertEntry”而不是“keyEntry”有关？

我究竟做错了什么？