[EXTERNAL] Keytool issue with version 3.0.2.
Djordje Gavrilovic
gavrilovicmdj at gmail.com
Thu May 19 14:46:17 UTC 2022
Hm, not working here.
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)
Am I correct, the only thing you changed was leaving out the
-srcstoretype PKCS12 part? Also, you did not use -legacy option on a
previous command?
On 19.5.22. 16:18, Mark Hack wrote:
>
> I installed java 8 and it seems to work there on the latest versions
> as well
>
> java -version
> openjdk version "1.8.0_312"
> OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)
> OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)
>
>
> On Thu, 2022-05-19 at 16:02 +0200, Djordje Gavrilovic wrote:
>>
>> Thank you both for your answers! So much! Both of them very helpful.
>> We are stuck with openjdk8 right now...but it is good to know that
>> later versions will work as expected.
>> Thank you guys
>>
>> On 19.5.22. 15:41, Mark Hack wrote:
>>> Works for me and since the later versions of java accept both JKS
>>> and PKCS12 you do not have to specify the input store type.
>>>
>>>
>>> java --version
>>> openjdk 11.0.15 2022-04-19
>>> OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
>>> OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1,
>>> mixed mode, sharing)
>>>
>>>
>>> keytool -importkeystore -srckeystore
>>> bmstore.pkcs12.pem -srcstorepass changeit -destkeystore
>>> bmstore.pkcs8.x509.jks -deststorepass changeit
>>> Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
>>> Entry for alias 1 successfully imported.
>>> Import command completed: 1 entries successfully imported, 0
>>> entries failed or cancelled
>>>
>>> Warning:
>>> <1> uses the SHA1withRSA signature algorithm which is considered a
>>> security risk. This algorithm will be disabled in a future update.
>>>
>>>
>>> Mark Hack
>>>
>>>
>>> On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via openssl-users
>>> wrote:
>>>> Bonjour,
>>>>
>>>> OpenSSL 3 changed the default ciphers used to protect the private
>>>> keys and certificates when creating a PKCS#12, to use something
>>>> less aging.
>>>>
>>>> Try adding a "-legacy" when creating the PKCS#12 file with OpenSSL3
>>>> and see if keytool can read it.
>>>>
>>>>
>>>> On Thu, May 19, 2022 at 11:53 AM Djordje Gavrilovic
>>>> <gavrilovicmdj at gmail.com> wrote:
>>>>> Hi guys,
>>>>> I have the following issue with migrating from version 1.1.1f to 3.0.2:
>>>>>
>>>>> I generate bmstore.pkcs12.pem file with the following commands:
>>>>>
>>>>> ```
>>>>>
>>>>> openssl req -newkey rsa:2048 -sha1 -keyout bmstore.pkcs8.pem -nodes
>>>>> -x509 -days 999 -out bmstore.x509.crt -subj
>>>>> "/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS"
>>>>> openssl pkcs12 -export -in bmstore.x509.crt -inkey bmstore.pkcs8.pem
>>>>> -out bmstore.pkcs12.pem -passin pass:changeit -passout pass:changeit
>>>>> ```
>>>>>
>>>>> This file is generated with different openssl versions
>>>>> differently. Both
>>>>> versions of the file are attached.
>>>>>
>>>>> Based on that file I generate:
>>>>>
>>>>> ```
>>>>> keytool -importkeystore -srckeystore bmstore.pkcs12.pem -srcstoretype
>>>>> PKCS12 -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks
>>>>> -deststorepass changeit
>>>>> ```
>>>>>
>>>>> But keytool works only with the bmstore.pkcs12.pem generated with old
>>>>> version of openssl and creates bmstore.pkcs8.x509.jks
>>>>>
>>>>> The current version of openssl generates bmstore.pkcs12.pem in
>>>>> another
>>>>> format and keytool throws an exception:
>>>>>
>>>>> ```
>>>>> Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
>>>>> keytool error: java.io.IOException: keystore password was incorrect
>>>>>
>>>>> ```
>>>>
>>>>
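
An added example (not part of the thread, nor OpenSSL's or the JDK's own tooling): a shell helper that reads the report from `openssl pkcs12 -info -noout` and says whether a file carries the older `pbeWithSHA1And...` protection or the PBES2/AES protection that OpenSSL 3 writes by default, which is the change Erwann's reply refers to. The function names are hypothetical and both sample reports are constructed.

```bash
#!/usr/bin/env bash
# Added example. Classifies the report printed by:
#   openssl pkcs12 -in FILE -info -noout -passin pass:PASSWORD 2>&1

# Reads that report on stdin and prints "<profile> mac=<digest>".
p12_profile() {
    local mac="" legacy=0 pbes2=0 line
    while IFS= read -r line; do
        case "$line" in
            MAC:*)  # e.g. "MAC: sha256, Iteration 2048"
                mac=${line#MAC: }; mac=${mac%%,*} ;;
            *"Encrypted data:"*|*"Shrouded Keybag:"*)
                case "$line" in
                    *PBES2*)          pbes2=$((pbes2 + 1)) ;;
                    *pbeWithSHA1And*) legacy=$((legacy + 1)) ;;
                esac ;;
        esac
    done
    if [ "$pbes2" -gt 0 ] && [ "$legacy" -eq 0 ]; then
        echo "pbes2 mac=$mac"
    elif [ "$legacy" -gt 0 ] && [ "$pbes2" -eq 0 ]; then
        echo "legacy mac=$mac"
    else
        echo "mixed-or-unknown mac=$mac"
    fi
}

# Hypothetical wrapper for a real file; $2 is a -passin spec such as pass:changeit.
# 2>&1 because openssl writes the -info report to stderr.
p12_profile_file() {
    openssl pkcs12 -in "$1" -info -noout -passin "$2" 2>&1 | p12_profile
}

# Constructed sample reports (not taken from the files attached to the thread).
SAMPLE_OPENSSL3='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

printf '%s\n' "$SAMPLE_OPENSSL3" | p12_profile   # pbes2 mac=sha256
printf '%s\n' "$SAMPLE_LEGACY"   | p12_profile   # legacy mac=sha1
```

Running `p12_profile_file` on the files produced by each OpenSSL version shows which protection each one actually carries before it is handed to keytool.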