[EXTERNAL] Keytool issue with version 3.0.2.

Mark Hack markhack at markhack.com
Thu May 19 14:18:14 UTC 2022


I installed java 8 and it seems to work there on the latest versions as
well
 java -version
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)

On Thu, 2022-05-19 at 16:02 +0200, Djordje Gavrilovic wrote:
> Thank you both for your answers! So much! Both of them very
> helpful. We are stuck with openjdk8 right now...but it is good to
> know that later versions will work as expected.
>
> Thank you guys
>
> On 19.5.22. 15:41, Mark Hack wrote:
> > Works for me and since the later versions of java accept both
> > JKS and PKCS12 you do not have to specify the input store type.
> >
> >  java --version
> > openjdk 11.0.15 2022-04-19
> > OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
> > OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)
> >
> > keytool -importkeystore -srckeystore bmstore.pkcs12.pem \
> >   -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks \
> >   -deststorepass changeit
> > Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
> > Entry for alias 1 successfully imported.
> > Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
> >
> > Warning:
> > <1> uses the SHA1withRSA signature algorithm which is considered a
> > security risk. This algorithm will be disabled in a future update.
> >
> > Mark Hack
> >
> > On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via openssl-users wrote:
> > > Hello,
> > >
> > > OpenSSL 3 changed the default ciphers used to protect the
> > > private keys and certificates when creating a PKCS#12, to use
> > > something less aging.
> > >
> > > Try adding a "-legacy" when creating the PKCS#12 file
> > > with OpenSSL3 and see if keytool can read it.
> > >
> > > On Thu, May 19, 2022 at 11:53 AM Djordje Gavrilovic <gavrilovicmdj at gmail.com> wrote:
> > > > Hi guys,
> > > >
> > > > I have the following issue with migrating from version 1.1.1f
> > > > to 3.0.2:
> > > >
> > > > I generate bmstore.pkcs12.pem file with the following commands:
> > > >
> > > > ```
> > > > openssl req -newkey rsa:2048 -sha1 -keyout bmstore.pkcs8.pem -nodes \
> > > >   -x509 -days 999 -out bmstore.x509.crt -subj \
> > > >   "/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS"
> > > > openssl pkcs12 -export -in bmstore.x509.crt -inkey bmstore.pkcs8.pem \
> > > >   -out bmstore.pkcs12.pem -passin pass:changeit -passout pass:changeit
> > > > ```
> > > >
> > > > This file is generated with different openssl versions
> > > > differently. Both versions of the file are attached.
> > > >
> > > > Based on that file I generate:
> > > >
> > > > ```
> > > > keytool -importkeystore -srckeystore bmstore.pkcs12.pem -srcstoretype \
> > > >   PKCS12 -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks \
> > > >   -deststorepass changeit
> > > > ```
> > > >
> > > > But keytool works only with the bmstore.pkcs12.pem generated with old
> > > > version of openssl and creates bmstore.pkcs8.x509.jks
> > > >
> > > > The current version of openssl generates bmstore.pkcs12.pem in another
> > > > format and keytool throws an exception:
> > > >
> > > > ```
> > > > Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
> > > > keytool error: java.io.IOException: keystore password was incorrect
> > > > ```
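
Added example, not part of the thread or of either project: a shell script that shows which protection algorithms a PKCS#12 file carries, which is the difference Erwann describes between the OpenSSL 1.1.1 and 3.0 defaults. The file names, subject and password are constructed for the demo, and the explicit `-keypbe`/`-certpbe`/`-macalg` values are an assumption chosen so the script behaves the same on either OpenSSL line instead of depending on the `-legacy` switch mentioned above.

```shell
#!/bin/sh
# Added example: compare the protection algorithms inside two PKCS#12 files.
# File names, subject and password are throwaway values constructed for the
# demo; nothing here is taken from the attachments in the thread.

# Print the MAC and PBE algorithm lines of a PKCS#12 file.
# `openssl pkcs12 -info` writes them to stderr, hence 2>&1.
p12_algs() {  # usage: p12_algs FILE PASSWORD
    openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 |
        grep -E '^(MAC:|PKCS7 Encrypted data:|Shrouded Keybag:)'
}

# Classify a file by how its private key bag is encrypted.
p12_key_protection() {  # usage: p12_key_protection FILE PASSWORD
    case "$(p12_algs "$1" "$2" | grep '^Shrouded Keybag:')" in
        *PBES2*)                            echo pbes2 ;;
        *pbeWithSHA1And3-KeyTripleDES-CBC*) echo pkcs12-sha1-3des ;;
        *)                                  echo unknown ;;
    esac
}

# Build one self-signed key/cert, export it twice, print the work directory.
make_demo_stores() {
    dir=$(mktemp -d) || return 1
    openssl req -newkey rsa:2048 -nodes -x509 -days 1 -subj "/CN=p12-demo" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # PBES2 with AES-256-CBC and a SHA-256 MAC, spelled out explicitly.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
        -passout pass:changeit -out "$dir/modern.p12" || return 1
    # Older PKCS#12 password-based encryption (SHA-1 with 3DES) and a
    # SHA-1 MAC, for consumers that cannot read PBES2.
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout pass:changeit -out "$dir/compat.p12" || return 1
    echo "$dir"
}

d=$(make_demo_stores) || exit 1
for f in modern compat; do
    echo "== $f.p12: key bag protection = $(p12_key_protection "$d/$f.p12" changeit)"
    p12_algs "$d/$f.p12" changeit
done
```

Running `p12_algs` on a file that a consumer rejects shows at a glance whether the MAC digest or the bag encryption is the part it does not understand.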