[EXTERNAL] Keytool issue with version 3.0.2.
Mark Hack
markhack at markhack.com
Thu May 19 16:21:08 UTC 2022
I may have a mixed Java environment. I will recheck on a clean VM when
I get a few minutes.
Regards
Mark Hack
On Thu, 2022-05-19 at 16:46 +0200, Djordje Gavrilovic wrote:
> Hm, not working here.
>
> openjdk version "1.8.0_312"
> OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1-b07)
> OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)
>
> Am I correct, the only thing you changed was leaving out the
> -srcstoretype PKCS12 part? Also, you did not use -legacy option on
> a previous command?
>
> On 19.5.22. 16:18, Mark Hack wrote:
>
> > I installed java 8 and it seems to work there on the latest
> > versions as well
> >
> > java -version
> > openjdk version "1.8.0_312"
> > OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)
> > OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)
> >
> > On Thu, 2022-05-19 at 16:02 +0200, Djordje Gavrilovic wrote:
> >
> > > Thank you both for your answers! So much! Both of them very
> > > helpful. We are stuck with openjdk8 right now...but it is good
> > > to know that later versions will work as expected.
> > >
> > > Thank you guys
> > >
> > > On 19.5.22. 15:41, Mark Hack wrote:
> > >
> > > > Works for me and since the later versions of java accept
> > > > both JKS and PKCS12 you do not have to specify the input
> > > > store type.
> > > >
> > > > java --version
> > > > openjdk 11.0.15 2022-04-19
> > > > OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
> > > > OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)
> > > >
> > > > keytool -importkeystore -srckeystore bmstore.pkcs12.pem \
> > > >   -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks \
> > > >   -deststorepass changeit
> > > > Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
> > > > Entry for alias 1 successfully imported.
> > > > Import command completed: 1 entries successfully imported, 0 entries failed or cancelled
> > > >
> > > > Warning:
> > > > <1> uses the SHA1withRSA signature algorithm which is considered a
> > > > security risk. This algorithm will be disabled in a future update.
> > > >
> > > > Mark Hack
> > > >
> > > > On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via
> > > > openssl-users wrote:
> > > >
> > > > > Bonjour,
> > > > >
> > > > > OpenSSL 3 changed the default ciphers used to protect the
> > > > > private keys and certificates when creating a PKCS#12, to
> > > > > use something less aging.
> > > > >
> > > > > Try adding a "-legacy" when creating the PKCS#12 file
> > > > > with OpenSSL3 and see if keytool can read it.
> > > > >
> > > > > On Thu, May 19, 2022 at 11:53 AM Djordje Gavrilovic <
> > > > > gavrilovicmdj at gmail.com> wrote:
> > > > >
> > > > > > Hi guys,
> > > > > >
> > > > > > I have the following issue with migrating from version
> > > > > > 1.1.1f to 3.0.2:
> > > > > >
> > > > > > I generate bmstore.pkcs12.pem file with the following
> > > > > > commands:
> > > > > >
> > > > > > ```
> > > > > > openssl req -newkey rsa:2048 -sha1 -keyout bmstore.pkcs8.pem -nodes \
> > > > > >   -x509 -days 999 -out bmstore.x509.crt \
> > > > > >   -subj "/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS"
> > > > > >
> > > > > > openssl pkcs12 -export -in bmstore.x509.crt -inkey bmstore.pkcs8.pem \
> > > > > >   -out bmstore.pkcs12.pem -passin pass:changeit -passout pass:changeit
> > > > > > ```
> > > > > >
> > > > > > This file is generated with different openssl versions
> > > > > > differently. Both versions of the file are attached.
> > > > > >
> > > > > > Based on that file I generate:
> > > > > >
> > > > > > ```
> > > > > > keytool -importkeystore -srckeystore bmstore.pkcs12.pem \
> > > > > >   -srcstoretype PKCS12 -srcstorepass changeit \
> > > > > >   -destkeystore bmstore.pkcs8.x509.jks -deststorepass changeit
> > > > > > ```
> > > > > >
> > > > > > But keytool works only with the bmstore.pkcs12.pem generated
> > > > > > with old version of openssl and creates bmstore.pkcs8.x509.jks
> > > > > >
> > > > > > The current version of openssl generates bmstore.pkcs12.pem in
> > > > > > another format and keytool throws an exception:
> > > > > >
> > > > > > ```
> > > > > > Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
> > > > > > keytool error: java.io.IOException: keystore password was incorrect
> > > > > > ```
>
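
Added example, not part of any message in this thread: a check for which protection profile a PKCS#12 file carries, so a build can tell whether it has the OpenSSL 3 defaults (PBES2 with AES-256-CBC and a SHA-256 MAC) or the older SHA-1-based RC2/3DES profile that "-legacy" restores. The function names, the P12_PASS variable and both sample outputs are assumptions constructed for illustration, modeled on what `openssl pkcs12 -info -noout` prints.

```sh
#!/bin/sh
# Added example (not from the thread): report which protection profile a
# PKCS#12 file uses, from the text printed by `openssl pkcs12 -info -noout`.

# Reads that text on stdin; prints "modern", "legacy" or "unknown".
# Any PBES2 bag or non-SHA-1 MAC counts as modern, because one such
# component may be enough for an older reader to reject the file.
classify_p12_info() {
    awk '
        /^MAC:/          { mac = tolower($2); sub(/,.*/, "", mac) }
        /PBES2/          { pbes2 = 1 }
        /pbeWithSHA1And/ { pbe1 = 1 }
        END {
            if (pbes2 || (mac != "" && mac != "sha1")) { print "modern"; exit }
            if (pbe1 || mac == "sha1")                 { print "legacy"; exit }
            print "unknown"
        }'
}

# Hypothetical helper: inspect a real file; the password is read from the
# P12_PASS environment variable. -info writes to stderr, hence 2>&1.
p12_profile() {
    openssl pkcs12 -in "$1" -info -noout -passin env:P12_PASS 2>&1 |
        classify_p12_info
}

# Constructed sample: shape of the output for a file made with OpenSSL 3 defaults.
SAMPLE_OPENSSL3_DEFAULT='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

# Constructed sample: shape of the output for a file made with -legacy or 1.1.1.
SAMPLE_LEGACY='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048'

printf 'OpenSSL 3 default: %s\n' "$(printf '%s\n' "$SAMPLE_OPENSSL3_DEFAULT" | classify_p12_info)"
printf 'legacy profile:    %s\n' "$(printf '%s\n' "$SAMPLE_LEGACY" | classify_p12_info)"
```

With the thread's file, `P12_PASS=changeit p12_profile bmstore.pkcs12.pem` would report the profile before the file is handed to keytool.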