Re: [EXTERNAL] Keytool issue with version 3.0.2.

Mark Hack <markhack@xxxxxxxxxxxx> · Thu, 19 May 2022 09:18:14 -0500



I installed java 8 and it seems to work there on the latest versions as well

 java -version
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)


On Thu, 2022-05-19 at 16:02 +0200, Djordje Gavrilovic wrote:

    Thank you both for your answers! So much! Both of them very
      helpful. We are stuck with openjdk8 right now...but it is good to
      know that later versions will work as expected.

      Thank you guys

    
    On 19.5.22. 15:41, Mark Hack wrote:

    
      Works for me and since the later versions of java accept both
        JKS and PKCS12 you do not have to specify the input store type.
      

       java --version
      openjdk 11.0.15 2022-04-19
      OpenJDK Runtime Environment (build
        11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
      OpenJDK 64-Bit Server VM (build
        11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)
      

      keytool -importkeystore -srckeystore
          bmstore.pkcs12.pem   -srcstorepass changeit -destkeystore
          bmstore.pkcs8.x509.jks  -deststorepass changeit
      Importing keystore bmstore.pkcs12.pem to
        bmstore.pkcs8.x509.jks...
      Entry for alias 1 successfully imported.
      Import command completed:  1 entries successfully imported, 0
        entries failed or cancelled
      

      Warning:
      <1> uses the SHA1withRSA signature algorithm which is
        considered a security risk. This algorithm will be disabled in a
        future update.
      

      Mark Hack
      

      On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via
        openssl-users wrote:
      
        
          Bonjour,
          

          OpenSSL 3 changed the default ciphers used to protect the
          private keys and certificates when creating a PKCS#12, to use
          something less aging.
          

          Try adding a "-legacy" when creating the PKCS#12 file
            with OpenSSL3 and see if keytool can read it.
          

          On Thu, May 19, 2022 at
            11:53 AM Djordje Gavrilovic <gavrilovicmdj@xxxxxxxxx>
            wrote:

          
          Hi guys,

            I have a following issue with migrating from version 1.1.1f
            to 3.0.2:

            
            I generate bmstore.pkcs12.pem file with the following
            commands:

            
            ```

            
            openssl req -newkey rsa:2048 -sha1 -keyout bmstore.pkcs8.pem
            -nodes 

            -x509 -days 999 -out bmstore.x509.crt -subj 

            "/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS"

            openssl pkcs12 -export -in bmstore.x509.crt -inkey
            bmstore.pkcs8.pem 

            -out bmstore.pkcs12.pem -passin pass:changeit -passout
            pass:changeit

            ```

            
            This file is genearted with different openssl versions
            differently. Both 

            versions of the file are attached.

            
            Based on that file I generate:

            
            ```

            keytool -importkeystore -srckeystore bmstore.pkcs12.pem
            -srcstoretype 

            PKCS12 -srcstorepass changeit -destkeystore
            bmstore.pkcs8.x509.jks 

            -deststorepass changeit

            ```

            
            But keytool works only with the bmstore.pkcs12.pem generated
            with old 

            version of openssl and creates bmstore.pkcs8.x509.jks

            
            The current version of openssl generates bmstore.pkcs12.pem
            in another 

            format and keytool throws an exception:

            
            ```

            Importing keystore bmstore.pkcs12.pem to
            bmstore.pkcs8.x509.jks...

            keytool error: java.io.IOException: keystore password was
            incorrect

            
            ```