[EXTERNAL] Keytool issue with version 3.0.2.

Mark Hack markhack at markhack.com
Thu May 19 13:41:03 UTC 2022


Works for me and since the later versions of java accept both JKS and
PKCS12 you do not have to specify the input store type.

java --version
openjdk 11.0.15 2022-04-19
OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)

keytool -importkeystore -srckeystore bmstore.pkcs12.pem -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks -deststorepass changeit
Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
<1> uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.

Mark Hack

On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via openssl-users
wrote:
> Hello,
> 
> OpenSSL 3 changed the default ciphers used to protect the private
> keys and certificates when creating a PKCS#12, to use something less
> aging.
> Try adding a "-legacy" when creating the PKCS#12 file with OpenSSL3
> and see if keytool can read it.
> 
> On Thu, May 19, 2022 at 11:53 AM Djordje Gavrilovic <
> gavrilovicmdj at gmail.com> wrote:
> > Hi guys,
> > 
> > I have the following issue with migrating from version 1.1.1f to
> > 3.0.2:
> > 
> > I generate the bmstore.pkcs12.pem file with the following commands:
> > 
> > ```
> > openssl req -newkey rsa:2048 -sha1 -keyout bmstore.pkcs8.pem -nodes \
> >   -x509 -days 999 -out bmstore.x509.crt -subj "/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS"
> > openssl pkcs12 -export -in bmstore.x509.crt -inkey bmstore.pkcs8.pem \
> >   -out bmstore.pkcs12.pem -passin pass:changeit -passout pass:changeit
> > ```
> > 
> > This file is generated differently by different openssl versions. Both
> > versions of the file are attached.
> > 
> > Based on that file I generate:
> > 
> > ```
> > keytool -importkeystore -srckeystore bmstore.pkcs12.pem -srcstoretype PKCS12 \
> >   -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks -deststorepass changeit
> > ```
> > 
> > But keytool works only with the bmstore.pkcs12.pem generated with the old
> > version of openssl and creates bmstore.pkcs8.x509.jks.
> > 
> > The current version of openssl generates bmstore.pkcs12.pem in another
> > format and keytool throws an exception:
> > 
> > ```
> > Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
> > keytool error: java.io.IOException: keystore password was incorrect
> > ```
> > 
> 
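Added example, not code from this thread or from the OpenSSL project: a POSIX shell script that builds the two PKCS#12 flavours Erwann contrasts (the old SHA-1-based PKCS#12 PBE encoding versus the OpenSSL 3 default of PBES2 with PBKDF2 and AES-256-CBC plus a SHA-256 MAC) and reports which flavour a given file uses, so a "keystore password was incorrect" from keytool can be traced to the encoding rather than to the password. It assumes only the openssl CLI (1.1.1 or 3.x); the algorithm names are spelled out instead of relying on -legacy because -legacy does not exist on 1.1.1 and on 3.x needs the legacy provider for its RC2-40 certificate bag, while 3DES is available on both.

```shell
#!/bin/sh
# Added example (not from the thread). Builds both PKCS#12 encodings with
# explicit algorithm names so the same commands run on OpenSSL 1.1.1 and 3.x,
# then classifies a file by the PBE scheme openssl reports for its bags.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed throwaway key and self-signed cert, standing in for the
# thread's bmstore.pkcs8.pem / bmstore.x509.crt.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=p12-demo" \
  -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1

# Old flavour: SHA-1-based PKCS#12 PBE (3-key 3DES here; OpenSSL 1.1.1 and
# OpenSSL 3 -legacy also use RC2-40 for the certificate bag) with a SHA-1 MAC.
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
  -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
  -passout pass:changeit -out "$WORK/legacy.p12"

# OpenSSL 3 default flavour, spelled out so 1.1.1 produces the same thing:
# PBES2 with PBKDF2 and AES-256-CBC for every bag, SHA-256 MAC.
openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
  -certpbe AES-256-CBC -keypbe AES-256-CBC -macalg sha256 \
  -passout pass:changeit -out "$WORK/modern.p12"

# p12_flavour FILE PASSWORD
# Prints "pbes2" if any bag is protected with PBES2 (the OpenSSL 3 default),
# "legacy" for the old PKCS#12 PBE schemes, or "unknown" when the MAC does not
# verify (wrong password or corrupt file), since then no bag is ever dumped.
p12_flavour() {
  info=$(openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 || true)
  case "$info" in
    *"Mac verify error"*) echo unknown ;;
    *PBES2*)              echo pbes2 ;;
    *)                    echo legacy ;;
  esac
}

echo "legacy.p12: $(p12_flavour "$WORK/legacy.p12" changeit)"   # legacy
echo "modern.p12: $(p12_flavour "$WORK/modern.p12" changeit)"   # pbes2
```

Run it against the real file with `p12_flavour bmstore.pkcs12.pem changeit`: a "pbes2" answer on a file the old keytool rejects is the symptom Erwann describes, and re-exporting with the old names (or -legacy on 3.x) produces the "legacy" form.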