Re: [EXTERNAL] Keytool issue with version 3.0.2.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hm, not working here.
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)

Am I correct, the only thing you changed was leaving out the -srcstoretype PKCS12 part? Also, you did not use -legacy option on a previous command?

On 19.5.22. 16:18, Mark Hack wrote:

I installed java 8 and it seems to work there on the latest versions as well

 java -version
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (build 1.8.0_312-8u312-b07-0ubuntu1~20.04-b07)
OpenJDK 64-Bit Server VM (build 25.312-b07, mixed mode)


On Thu, 2022-05-19 at 16:02 +0200, Djordje Gavrilovic wrote:

Thank you both for your answers! So much! Both of them very helpful. We are stuck with openjdk8 right now...but it is good to know that later versions will work as expected.
Thank you guys

On 19.5.22. 15:41, Mark Hack wrote:
Works for me and since the later versions of java accept both JKS and PKCS12 you do not have to specify the input store type.


 java --version
openjdk 11.0.15 2022-04-19
OpenJDK Runtime Environment (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1)
OpenJDK 64-Bit Server VM (build 11.0.15+10-Ubuntu-0ubuntu0.20.04.1, mixed mode, sharing)


keytool -importkeystore -srckeystore bmstore.pkcs12.pem   -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks  -deststorepass changeit
Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
<1> uses the SHA1withRSA signature algorithm which is considered a security risk. This algorithm will be disabled in a future update.


Mark Hack


On Thu, 2022-05-19 at 12:13 +0200, Erwann Abalea via openssl-users wrote:
Bonjour,

OpenSSL 3 changed the default ciphers used to protect the private keys and certificates when creating a PKCS#12, to use something less aging.

Try adding a "-legacy" when creating the PKCS#12 file with OpenSSL3 and see if keytool can read it.


On Thu, May 19, 2022 at 11:53 AM Djordje Gavrilovic <gavrilovicmdj@xxxxxxxxx> wrote:
Hi guys,
I have a following issue with migrating from version 1.1.1f to 3.0.2:

I generate bmstore.pkcs12.pem file with the following commands:

```

openssl req -newkey rsa:2048 -sha1 -keyout bmstore.pkcs8.pem -nodes
-x509 -days 999 -out bmstore.x509.crt -subj
"/C=DE/ST=Nsk/L=Nsk/O=BM/OU=BM/CN=AS"
openssl pkcs12 -export -in bmstore.x509.crt -inkey bmstore.pkcs8.pem
-out bmstore.pkcs12.pem -passin pass:changeit -passout pass:changeit
```

This file is genearted with different openssl versions differently. Both
versions of the file are attached.

Based on that file I generate:

```
keytool -importkeystore -srckeystore bmstore.pkcs12.pem -srcstoretype
PKCS12 -srcstorepass changeit -destkeystore bmstore.pkcs8.x509.jks
-deststorepass changeit
```

But keytool works only with the bmstore.pkcs12.pem generated with old
version of openssl and creates bmstore.pkcs8.x509.jks

The current version of openssl generates bmstore.pkcs12.pem in another
format and keytool throws an exception:

```
Importing keystore bmstore.pkcs12.pem to bmstore.pkcs8.x509.jks...
keytool error: java.io.IOException: keystore password was incorrect

```



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux