Reputation: 1195
When I'm trying to convert a pfx file, which was generated without a password, to jks, I get a WARNING WARNING etc. message from keytool, and an error afterwards.
When I do the same with a password-protected pfx, everything is fine.
Can anyone suggest what I can do? Maybe a conversion from other formats or using other tools?
P.S. I also did a conversion to pem, and pem to jks, but it failed, because it was not an x509 cert.
EDIT
keytool.exe -importkeystore -srckeystore "C:\Users\rodislav.moldovan\Projects\ceva.pfx" -srcstoretype pkcs12 -destkeystore "C:\Users\rodislav.moldovan\Projects\ceva.jks" -deststoretype JKS
Enter destination keystore password: ******
Re-enter new password: ******
Enter source keystore password: // pressed enter, because there is no pass
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified! In order to verify its integrity, *
* you must provide the srckeystore password. *
***************** WARNING WARNING WARNING *****************
keytool error: java.security.UnrecoverableKeyException: Get Key failed: null
Upvotes: 4
Views: 8205
Reputation: 192
In "Export a PKCS#12 file without an export password?" it is explained that, most likely, in cases like this you are dealing with an empty string as the password of the PKCS#12 file.
In all known versions of OpenJDK/Keytool it is not possible to use such a file with, e.g., the keytool -importkeystore functionality.
If you just have a PKCS#12 file (with a .p12 or .pfx extension) that isn't password protected (empty string), then you basically need to generate a PKCS#12 file with the same contents, but now with a non-empty password.
Commands below are based on: http://www.1st-setup.nl/wordpress/howto-change-password-on-pfx-certificate-using-openssl
#Display information/confirm that you indeed have a PKCS#12 with an empty string password
#(You need to press 'enter' at `Enter Import Password`, as this is a file with an empty string as password)
#Private key information
openssl pkcs12 -info -in mycert.pfx -nodes -nocerts
#Certificate
openssl pkcs12 -info -in mycert.pfx -nokeys
#CA
openssl pkcs12 -info -in mycert.pfx -nokeys -cacerts
#Export private key, certificate and, optionally CA certificate(s)
openssl pkcs12 -in mycert.pfx -out temppem.pem -nodes
openssl pkcs12 -in mycert.pfx -out tempcert.pem -nokeys
#openssl pkcs12 -in mycert.pfx -out tempcacerts.pem -nokeys -cacerts
#Now create a new PKCS#12, make sure to specify a password once prompted, `Enter Export Password`. For example `testpass123`
openssl pkcs12 -export -in tempcert.pem -inkey temppem.pem -out protectedcert.pfx
#Now create the Java keystore
#Check if you need `JKS` store or, by default in newer OpenJDK versions, PKCS12
#and check that Keystore pass corresponds to your requirements
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore protectedcert.pfx -srcstoretype pkcs12 -srcstorepass testpass123 -deststoretype JKS -deststorepass testkeystorepass
#Delete temporary files
rm temppem.pem
rm tempcert.pem
#Test new PKCS#12 file. It might be that you don't need the original PKCS#12 after you tested Java keystore
rm mycert.pfx
Upvotes: 0
Reputation: 4467
If you just have a full PFX file that isn't password protected; for instance you downloaded the cert from Azure Key Vault like so:
az keyvault secret download -f mycert.pfx --encoding base64 --vault-name <vault name> --name <certificate name>
Then you can jump through a few hoops to add password protection (got this from here: http://www.1st-setup.nl/wordpress/howto-change-password-on-pfx-certificate-using-openssl/):
openssl pkcs12 -in mycert.pfx -out temppem.pem -nodes
openssl pkcs12 -export -out protectedcert.pfx -in temppem.pem
rm mycert.pfx
rm temppem.pem
Obviously you need to specify a password in the second openssl command to pw-protect the new PFX.
Upvotes: 1
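The re-protection procedure from the two answers above as one script, added here as an example and not taken from either answer: it keeps the unencrypted PEM in a private scratch directory that is always removed, reads the new password from an environment variable instead of the command line, and checks the result. The function names, `NEW_PFX_PASS`, `JKS_PASS` and the sample certificate are assumptions constructed for the example.

```sh
# Added example; function names, file names and passwords are constructed.
# True when FILE opens with an empty-string password.
pfx_has_empty_password() {
    openssl pkcs12 -in "$1" -passin pass: -noout >/dev/null 2>&1
}

# reprotect_pfx IN OUT: new password is read from $NEW_PFX_PASS (not argv).
reprotect_pfx() {
    [ -n "${NEW_PFX_PASS:-}" ] || { echo "NEW_PFX_PASS must be set" >&2; return 2; }
    pfx_has_empty_password "$1" || { echo "$1: not an empty-password PKCS#12" >&2; return 3; }
    tmp=$(mktemp -d) || return 4      # private (0700) scratch directory
    rc=0
    ( umask 077                        # PEM and new PFX readable by owner only
      openssl pkcs12 -in "$1" -passin pass: -nodes -out "$tmp/all.pem" 2>/dev/null &&
      openssl pkcs12 -export -in "$tmp/all.pem" -out "$2" -passout env:NEW_PFX_PASS
    ) || rc=4
    rm -rf "$tmp"                      # plaintext key removed even if a step failed
    [ "$rc" -eq 0 ] || return "$rc"
    # Result must open with the new password and no longer with an empty one.
    openssl pkcs12 -in "$2" -passin env:NEW_PFX_PASS -noout >/dev/null 2>&1 &&
        ! pfx_has_empty_password "$2"
}

# SHA-256 fingerprint of the first certificate; PASSARG is "pass:" or "env:VAR".
cert_fingerprint() {
    openssl pkcs12 -in "$1" -passin "$2" -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# The page's keytool step; passwords come from NEW_PFX_PASS and JKS_PASS.
pfx_to_jks() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass:env NEW_PFX_PASS \
        -destkeystore "$2" -deststoretype JKS -deststorepass:env JKS_PASS
}

# Constructed input: throwaway self-signed cert in an empty-password PFX.
make_constructed_empty_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed.example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -out "$1/empty.pfx" -passout pass:
}

# Offline demo in a scratch directory.
d=$(mktemp -d) && export NEW_PFX_PASS='constructed-pass-123'
make_constructed_empty_pfx "$d" && reprotect_pfx "$d/empty.pfx" "$d/protected.pfx" &&
    cert_fingerprint "$d/protected.pfx" env:NEW_PFX_PASS
rm -rf "$d"
```

`pfx_to_jks protected.pfx mykeystore.jks` then performs the import with keytool; the demo does not call it because it needs a JDK on the path.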
Reputation: 767
You can do it by making a p12 keystore first with OpenSSL and then converting it into JKS format with Keytool.
OpenSSL for CER & PVK file > P12
openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12
Keytool for p12 > JKS
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert
Upvotes: 6
Reputation: 552
Try to convert it to a p12 with a password before.
openssl pkcs12 -in in.pfx -out out.p12
Upvotes: -1