<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>Hm, not working here. <br>
openjdk version "1.8.0_312" <br>
OpenJDK Runtime Environment (build
1.8.0_312-8u312-b07-0ubuntu1-b07) <br>
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode) <br>
<br>
Am I correct, the only thing you changed was leaving out the
-srcstoretype PKCS12 part? Also, you did not use -legacy option on
a previous command?<br>
</p>
<div class="moz-cite-prefix">On 19.5.22. 16:18, Mark Hack wrote:<br>
</div>
<blockquote type="cite"
cite="mid:0fb457f6a151e7d0c891dbeac213e7567590a5fd.camel@markhack.com">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<div><br>
</div>
<div>I installed java 8 and it seems to work there on the latest
versions as well</div>
<div><br>
</div>
<div> java -version</div>
<div>openjdk version "1.8.0_312"</div>
<div>OpenJDK Runtime Environment (build
1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)</div>
<div>OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)</div>
<div><br>
</div>
<div><br>
</div>
<div>On Thu, 2022-05-19 at 16:02 +0200, Djordje Gavrilovic wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex; border-left:2px
#729fcf solid;padding-left:1ex">
<p>Thank you both for your answers! So much! Both of them very
helpful. We are stuck with openjdk8 right now...but it is good
to know that later versions will work as expected.<br>
Thank you guys<br>
</p>
<div class="moz-cite-prefix">On 19.5.22. 15:41, Mark Hack wrote:<br>
</div>
<blockquote type="cite"
cite="mid:df0dc0ec5c2e23a2184249fd354629635fc29edf.camel@markhack.com"
style="margin:0 0 0 .8ex; border-left:2px #729fcf
solid;padding-left:1ex">
<meta http-equiv="content-type" content="text/html;
charset=UTF-8">
<div>Works for me and since the later versions of java accept
both JKS and PKCS12 you do not have to specify the input
store type.</div>
<div><br>
</div>
<div><br>
</div>
<div><b> java --version</b></div>
<div>openjdk 11.0.15 2022-04-19</div>
<div>OpenJDK Runtime Environment (build
11.0.15+10-Ubuntu-0ubuntu0.20.04.1)</div>
<div>OpenJDK 64-Bit Server VM (build
11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)</div>
<div><br>
</div>
<div><br>
</div>
<div><b>keytool -importkeystore -srckeystore
bmstore.pkcs12.pem -srcstorepass changeit -destkeystore
bmstore.pkcs8.x509.jks -deststorepass changeit</b></div>
<div>Importing keystore bmstore.pkcs12.pem to
bmstore.pkcs8.x509.jks...</div>
<div>Entry for alias 1 successfully imported.</div>
<div>Import command completed: 1 entries successfully
imported, 0 entries failed or cancelled</div>
<div><br>
</div>
<div>Warning:</div>
<div><1> uses the SHA1withRSA signature algorithm which
is considered a security risk. This algorithm will be
disabled in a future update.</div>
<div><br>
</div>
<div><br>
</div>
<div>Mark Hack</div>
<div><br>
</div>
<div><br>
</div>
<div>On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via
openssl-users wrote:</div>
<blockquote type="cite" style="margin:0 0 0 .8ex;
border-left:2px #729fcf solid;padding-left:1ex">
<div dir="ltr">
<div>Bonjour,</div>
<div><br>
</div>
OpenSSL 3 changed the default ciphers used to protect the
private keys and certificates when creating a PKCS#12, to
use something less aging.
<div><br>
</div>
<div>Try adding a "-legacy" when creating the PKCS#12 file
with OpenSSL3 and see if keytool can read it.</div>
<div><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Thu, May 19, 2022 at
11:53 AM Djordje Gavrilovic <<a
href="mailto:gavrilovicmdj@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">gavrilovicmdj@gmail.com</a>>
wrote:<br>
</div>
<blockquote type="cite" style="margin:0 0 0 .8ex;
border-left:2px #729fcf solid;padding-left:1ex">Hi guys,<br>
I have a following issue with migrating from version
1.1.1f to 3.0.2:<br>
<br>
I generate bmstore.pkcs12.pem file with the following
commands:<br>
<br>
```<br>
<br>
openssl req -newkey rsa:2048 -sha1 -keyout
bmstore.pkcs8.pem -nodes <br>
-x509 -days 999 -out bmstore.x509.crt -subj <br>
"/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS"<br>
openssl pkcs12 -export -in bmstore.x509.crt -inkey
bmstore.pkcs8.pem <br>
-out bmstore.pkcs12.pem -passin pass:changeit -passout
pass:changeit<br>
```<br>
<br>
This file is genearted with different openssl versions
differently. Both <br>
versions of the file are attached.<br>
<br>
Based on that file I generate:<br>
<br>
```<br>
keytool -importkeystore -srckeystore bmstore.pkcs12.pem
-srcstoretype <br>
PKCS12 -srcstorepass changeit -destkeystore
bmstore.pkcs8.x509.jks <br>
-deststorepass changeit<br>
```<br>
<br>
But keytool works only with the bmstore.pkcs12.pem
generated with old <br>
version of openssl and creates bmstore.pkcs8.x509.jks<br>
<br>
The current version of openssl generates
bmstore.pkcs12.pem in another <br>
format and keytool throws an exception:<br>
<br>
```<br>
Importing keystore bmstore.pkcs12.pem to
bmstore.pkcs8.x509.jks...<br>
keytool error: java.io.IOException: keystore password
was incorrect<br>
<br>
```<br>
</blockquote>
</div>
<br clear="all">
<div><br>
</div>
</blockquote>
</blockquote>
</blockquote>
</blockquote>
</body>
</html>