[EXTERNAL] Keytool issue with version 3.0.2.

Erwann Abalea erwann.abalea at docusign.com
Thu May 19 10:13:32 UTC 2022


Hello,

OpenSSL 3 changed the default ciphers used to protect the private keys and
certificates when creating a PKCS#12, to use something less aging.

Try adding a "-legacy" when creating the PKCS#12 file with OpenSSL3 and see
if keytool can read it.


On Thu, May 19, 2022 at 11:53 AM Djordje Gavrilovic <gavrilovicmdj at gmail.com>
wrote:

> Hi guys,
> I have the following issue with migrating from version 1.1.1f to 3.0.2:
>
> I generate bmstore.pkcs12.pem file with the following commands:
>
> ```
> openssl req -newkey rsa:2048 -sha1 -keyout bmstore.pkcs8.pem -nodes \
>   -x509 -days 999 -out bmstore.x509.crt \
>   -subj "/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS"
> openssl pkcs12 -export -in bmstore.x509.crt -inkey bmstore.pkcs8.pem \
>   -out bmstore.pkcs12.pem -passin pass:changeit -passout pass:changeit
> ```
>
> This file is generated with different openssl versions differently. Both
> versions of the file are attached.
>
> Based on that file I generate:
>
> ```
> keytool -importkeystore -srckeystore bmstore.pkcs12.pem \
>   -srcstoretype PKCS12 -srcstorepass changeit \
>   -destkeystore bmstore.pkcs8.x509.jks -deststorepass changeit
> ```
>
> But keytool works only with the bmstore.pkcs12.pem generated with the old
> version of openssl and creates bmstore.pkcs8.x509.jks
>
> The current version of openssl generates bmstore.pkcs12.pem in another
> format and keytool throws an exception:
>
> ```
> Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
> keytool error: java.io.IOException: keystore password was incorrect
> ```
>


-- 
Regards,
Erwann Abalea.
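
An added example, not part of either message in this thread: a small shell helper that reports which protection scheme a PKCS#12 file carries, so a default OpenSSL 3 file can be told apart from a `-legacy` one before it is handed to keytool. The function name `p12_profile` is hypothetical, and the sample lines are constructed, modelled on what `openssl pkcs12 -info -noout` prints; exact wording can vary between OpenSSL versions.

```shell
#!/bin/sh
# Added example, not from the thread. Summarises the protection of a PKCS#12
# file from the text that `openssl pkcs12 -info -noout` prints.

# p12_profile: reads that text on stdin, prints "<kind> mac=<digest>" where
# kind is legacy (PKCS#12 PBE: RC2-40 / 3DES with SHA-1), pbes2 (PBKDF2 + AES,
# the OpenSSL 3 default), mixed, or unknown (no encrypted bag seen).
p12_profile() {
  legacy=0; pbes2=0; mac=none
  while IFS= read -r line; do
    case "$line" in
      "MAC: "*)
        mac=${line#MAC: }; mac=${mac%%,*} ;;
      "PKCS7 Encrypted data: "*|"Shrouded Keybag: "*)
        case "$line" in
          *PBES2*)       pbes2=1 ;;
          *pbeWithSHA1*) legacy=1 ;;
        esac ;;
    esac
  done
  case "$legacy$pbes2" in
    11) kind=mixed ;; 10) kind=legacy ;; 01) kind=pbes2 ;; *) kind=unknown ;;
  esac
  echo "$kind mac=$mac"
}

# Constructed samples modelled on `openssl pkcs12 -info -noout` output.
SAMPLE_LEGACY=$(cat <<'EOF'
MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
EOF
)
SAMPLE_OPENSSL3=$(cat <<'EOF'
MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
EOF
)

# Usage: sh p12_profile.sh FILE PASS_SOURCE   (e.g. bmstore.pkcs12.pem pass:changeit)
if [ "$#" -eq 2 ]; then
  openssl pkcs12 -info -noout -in "$1" -passin "$2" 2>&1 | p12_profile
else
  printf '%s\n' "$SAMPLE_LEGACY"   | p12_profile   # legacy mac=sha1
  printf '%s\n' "$SAMPLE_OPENSSL3" | p12_profile   # pbes2 mac=sha256
fi
```

A `legacy` result means the file relies on RC2-40 or 3DES with SHA-1, so it is worth tracking where such files are still required by the consuming tool.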