justin3250

Reputation: 323

Invalid Keystore Format after creating a keystore and attaching a certificate to it

I am creating a keystore with OpenSSL using the following command:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
                        -out mycert.p12 -name tomcat -CAfile myCA.crt \
                        -caname root

as per the documentation.

Now when I try to validate the keystore using keytool -list -v -keystore mycert.p12, I am getting an Invalid Keystore Exception.

Is this because I am using the Apache implementation of creating a keystore?

Also, a constraint I have is that I cannot use Java keytool to create a keystore, although my Java program is using the keystore for FTPS transfer.

Upvotes: 6

Views: 57723

Answers (4)

Daniil

Reputation: 11

I used where keytool

to see that I had two keytools:

C:\Program Files\Eclipse Foundation\jdk-8.0.302.8-hotspot\bin\keytool.exe
C:\Program Files\AdoptOpenJDK\jdk-16.0.1.9-hotspot\bin\keytool.exe

In my case I solved it by specifying the latter one:

"C:\Program Files\AdoptOpenJDK\jdk-16.0.1.9-hotspot\bin\keytool.exe" -list [...]

Upvotes: 1

Mehmet Erdoğdu

Reputation: 500

I had JDK 16 installed. I uninstalled JDK 16 and after that I installed JDK 8

jdk1.8.0_281

That worked!

The latest version uses another crypto format.

Upvotes: 1

Aleksandar

Reputation: 4146

I solved this by removing Java 1.7 from my machine. This made the Java 1.8 keytool the only available keytool. Since the Java 1.8 keytool supports pkcs12, the command worked.

Here is how to remove Java 1.7 (on Windows 10 OS):

  • go to Windows Settings => Apps & Features
  • find all apps containing Java 1.7 or Java 7 in their name
  • click on the app name and select Uninstall
  • follow the uninstallation wizard for each of them
  • remove Java 1.7 from PATH

Note: This might be achieved without uninstallation, only by placing the Java 1.8 path in the PATH variable before/above the path of Java 1.7, but I haven't tested this.

Upvotes: 0

npe

Reputation: 15699

Use the -storetype pkcs12 option with keytool.

keytool -list -v -keystore mycert.p12 -storetype pkcs12

By default, keytool assumes that the keystore type is JKS and if it's not, keytool fails. If using other keystore files (.p12 in your example), you need to explicitly give a store type using the mentioned method.

Upvotes: 27
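
One way to avoid guessing the store type, as an added example that is not part of the original answers: read the file's leading bytes and pass the matching -storetype to keytool. The function names detect_storetype and list_keystore are hypothetical; the byte patterns are the JKS and JCEKS file magics and the DER header of a PKCS#12 PFX (SEQUENCE, then INTEGER 3).

```shell
#!/bin/sh
# Added example: choose keytool's -storetype from the file's leading bytes
# instead of relying on keytool's default store type.

# Print jks, jceks, pkcs12, pem or unknown for the file given as $1.
detect_storetype() {
    # First 8 bytes as one lowercase hex string, e.g. "feedfeed00000002".
    hex=$(od -An -tx1 -N8 "$1" 2>/dev/null | tr -d ' \n')
    case "$hex" in
        feedfeed*) echo jks ;;      # JKS file magic
        cececece*) echo jceks ;;    # JCEKS file magic
        # PKCS#12 PFX: ASN.1 SEQUENCE (30), a length field, then INTEGER 3.
        30??020103*|3081??020103*|3082????020103*|3083??????020103*)
            echo pkcs12 ;;
        2d2d2d2d2d*) echo pem ;;    # "-----BEGIN ...": PEM text, not a keystore
        *) echo unknown ;;          # empty, unreadable or some other format
    esac
}

# Run "keytool -list -v" on $1 with the detected store type.
# Fails without calling keytool when the file is not a recognised keystore.
list_keystore() {
    st=$(detect_storetype "$1")
    case "$st" in
        jks|jceks|pkcs12)
            keytool -list -v -keystore "$1" -storetype "$st" ;;
        *)
            echo "$1: not a keystore keytool can list (detected: $st)" >&2
            return 1 ;;
    esac
}

# When the script is called with a file name, list that keystore.
if [ "$#" -gt 0 ]; then
    list_keystore "$1"
fi
```

A result of pem means the file is a bare certificate or key in text form, which has to be bundled with openssl pkcs12 -export before keytool can list it as a keystore.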
