ForgeRock Identity Platform
Does not apply to Identity Cloud

Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)

Last updated Jan 12, 2023

The purpose of this article is to provide assistance if you receive an "Internal Server Error" response from the jwk_uri or the well-known OAuth2 endpoints in AM after making changes to the keystore. You will also see the following error in the logs: "Unable to retrieve certificate with alias 'test' from keystore". When IDM is integrated with AM, the same issue surfaces in IDM as a "Cannot find resolver for issuer" error.


For calls made to the jwk_uri endpoint or the well-known endpoint, for example:

  • GET
  • GET

You will receive the following response (or possibly an empty response):

{"error":"server_error","error_description":"Internal Server Error"}

The following error is shown in the OAuth2Provider debug log (warning or message level) when this happens:

OAuth2Provider:03/08/2018 10:22:57:121 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034] WARNING: Unhandled exception: Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
Internal Server Error (500) - The server encountered an unexpected condition which prevented it from fulfilling the request
    at org.restlet.resource.ServerResource.doHandle(
    at org.restlet.resource.ServerResource.get(
    at org.restlet.resource.ServerResource.doHandle(
    ...
    at java.util.concurrent.ThreadPoolExecutor$
    at
Caused by: java.lang.NullPointerException
    at org.forgerock.oauth2.core.AgentOAuth2ProviderSettings.getJWKSet(
    at org.forgerock.openidconnect.restlet.OpenIDConnectJWKEndpoint.getJWKSet(
    ...

An error similar to the following is shown in the CoreSystem debug log at the same time:

amSecurity:03/08/2018 10:22:57:116 AM MDT: Thread[tomcat-http--22,5,main]: TransactionId[269d260b-ebd3-4014-b6f0-13eaa880161f-1034] ERROR: Unable to retrieve certificate with alias 'test' from keystore '/path/to/am/keystore.jks'

IDM/AM integration

If you have integrated IDM with AM, you will see the following error in the IDM log when this happens:

Caused by: org.forgerock.oauth.OAuthException: Cannot find resolver for issuer
    at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$getJwtClaimsSet$3(
    at java.util.Optional.orElseThrow(
    at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.getJwtClaimsSet(
    at org.forgerock.oauth.clients.oidc.OpenIDConnectClient.lambda$validateNonce$0(
    ...

Recent Changes

  • Upgraded AM.
  • Created a new keystore.
  • Changed the default key alias (called test).


The Agents use a separate signing key alias, which defaults to test. If you have changed your keystore and/or renamed the default key alias without also updating the Agents' signing key alias, AM cannot retrieve the certificate for that alias and you will see this error.


This issue can be resolved by updating the key alias used by Agents as detailed in the documentation: Changing Default Key Aliases.

Note that the process has changed between AM 6 and AM 6.5.

You should double-check that you have updated the key alias in all the places noted in the documentation.
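As an added check, not taken from the article or from ForgeRock's own tooling: a small Python script that parses `keytool -list` output for the keystore AM points at and confirms that the alias configured for the Agents' signing key exists as a private-key entry (a trusted-certificate-only entry has no key to sign with). The listing below is a constructed sample; the keystore path and store password are whatever your AM instance uses.

```python
import re
import subprocess
from typing import Dict, Tuple

# One summary line per entry in non-verbose `keytool -list` output, e.g.
#   test, Mar 8, 2018, PrivateKeyEntry,
# English locale assumed; the fingerprint line that follows is ignored.
ENTRY_RE = re.compile(r"^(?P<alias>.+?), (?P<date>[A-Za-z]{3} \d{1,2}, \d{4}), "
                      r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$")

def list_keystore(path: str, storepass: str) -> str:
    """Run keytool against the keystore file AM is configured to use (JKS or PKCS12)."""
    proc = subprocess.run(
        ["keytool", "-list", "-keystore", path, "-storepass", storepass],
        capture_output=True, text=True, check=True)
    return proc.stdout

def parse_keytool_listing(listing: str) -> Dict[str, str]:
    """Return {alias: entry type} parsed from `keytool -list` output."""
    entries: Dict[str, str] = {}
    for line in listing.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries

def check_signing_alias(entries: Dict[str, str], alias: str) -> Tuple[bool, str]:
    """A signing alias needs a private key plus certificate (PrivateKeyEntry).
    A missing alias is what AM logs as 'Unable to retrieve certificate with alias'."""
    kind = entries.get(alias)
    if kind is None:
        return False, f"alias '{alias}' is not in the keystore"
    if kind != "PrivateKeyEntry":
        return False, f"alias '{alias}' is a {kind}, not a PrivateKeyEntry"
    return True, f"alias '{alias}' is a PrivateKeyEntry"

# Constructed sample: the keystore was rebuilt and the default 'test' alias
# renamed, while the Agents' signing key alias in AM still says 'test'.
SAMPLE_LISTING = """Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 2 entries

am-signing-2023, Jan 12, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99
rootca, Jan 12, 2023, trustedCertEntry,
Certificate fingerprint (SHA-256): 99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC:BB:AA
"""
```

Against a live keystore, call `check_signing_alias(parse_keytool_listing(list_keystore(path, storepass)), alias)` for every alias referenced in the Agents and OAuth2 provider configuration; on the sample, `test` is reported missing, `rootca` as not a private key, and only `am-signing-2023` passes.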

See Also

Cannot recover key error shown when renewing expired certificates or changing the password for the keystore or truststore in AM (All versions)

How do I update the certificate alias for the signing key in the AM (All versions) keystore?

How does the OIDC authorization flow work when IDM (All versions) is integrated with AM?

OAuth2 Provider

Copyright and Trademarks Copyright © 2023 ForgeRock, all rights reserved.