Reputation: 3471
Created a certificate for Tomcat, trying to get it installed in a new keystore, and getting an error (Edit: ran it with the -v option, now getting more info):
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
at java.security.KeyStore.load(KeyStore.java:1445)
at sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:1894)
at sun.security.tools.keytool.Main.doImportKeyStore(Main.java:1926)
at sun.security.tools.keytool.Main.doCommands(Main.java:1021)
at sun.security.tools.keytool.Main.run(Main.java:340)
at sun.security.tools.keytool.Main.main(Main.java:333)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.io.IOException: getSecretKey failed: Password is not ASCII
Sadly, it's correct: the passphrase has two "®". So, given what I've done (the private key has the non-ASCII password), how much of a pain will it be to recover from this? Here is what I did:
1: Create a passphrase file: vi .kp
2: Make CSR:
A: Generate a 2048 bit private key:
openssl genpkey -algorithm RSA -outform PEM -out mike.privateKey.pass.pem -pkeyopt rsa_keygen_bits:2048 -pass file:.kp
B: Make the CSR:
openssl req -new -sha256 -key mike.privateKey.pass.pem -out mike.ike.com.cert.csr
Note: CSR has different "challenge password" than in the passphrase file, if that matters
3: Submit CSR to Comodo
4: Get certificate file mike_ike_com.cer & Comodo trust chain files: COMODORSAOrganizationValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, AddTrustExternalCARoot.crt
5: Convert the Certificates:
A: Convert to PEM:
openssl x509 -inform DER -in COMODORSAOrganizationValidationSecureServerCA.crt -out COMODORSAOrganizationValidationSecureServerCA.pem -outform PEM
openssl x509 -inform DER -in COMODORSAAddTrustCA.crt -out COMODORSAAddTrustCA.pem -outform PEM
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem -outform PEM
B: Concat into a single file:
cat COMODORSAOrganizationValidationSecureServerCA.pem COMODORSAAddTrustCA.pem AddTrustExternalCARoot.pem > Comodo.root.crt
C: Use openssl to create a pkcs12 file:
openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kp -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt
Note: when it asks "Enter Export Password" I give it the pw from .kp
6: Use keytool to create the keystore file:
$JAVA_HOME/bin/keytool -importkeystore -deststorepass:file .kp -destkeypass:file .kp -destkeystore .keystore -srckeystore mike_ike.p12 -srcstoretype PKCS12 -srcstorepass:file .kp -alias tomcat
The file ".keystore" does not exist. I am assuming that keytool will create it
Upvotes: 2
Views: 41214
Reputation: 1
You just delete the old keystore in User/upload_keystore.jks and then reuse it. On Mac:
keytool -genkey -v -keystore ~/upload-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias upload
On Android:
keytool -genkey -v -keystore %userprofile%\upload-keystore.jks -storetype JKS -keyalg RSA -keysize 2048 -validity 10000 -alias upload
Upvotes: 0
Reputation: 536
In our situation the application server was not opening the Keystore.p12 that was supplied by the application, but the KeyStore.p12 generated during startup. Both were in different (yet similar) paths but had different passwords.
Upvotes: 0
Reputation: 4243
I would like to add another possible cause:
This error message can be misleading because it also occurs when the keystore is in an unsupported format.
Upvotes: 1
Reputation: 3471
Ok, so I have an answer.
1: I had a non-ASCII character in the password. openssl can handle that, keypass can't.
2: Having created the private key with the non-ASCII password, I'm stuck with it, so I renamed that file .kpkey, and created a new .kp file with a pure ASCII password
3: This required a change to 5:C:
openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kpkey -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt
Note: when it asks "Enter Export Password" I give it the pw from .kp, NOT from .kpkey. The only change is -passin file:.kpkey
Everything else remains the same, and works
Upvotes: 1
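The whole procedure from the question, run end to end with the .kpkey/.kp passphrase split from this answer and an ASCII check in front of it, as an added example; this is not code from the original post or from any of the answerers. It assumes a POSIX shell with openssl and keytool on the PATH, uses a self-signed certificate in place of the CA-issued one and the Comodo chain, and the file names, the CN (mike.ike.com from the question) and the passphrases are demo values.

```shell
#!/bin/sh
# Added example, not from the original post: the key -> CSR -> PKCS#12 -> keytool
# pipeline from the question with an ASCII-only passphrase check in front of it.
# Assumptions: openssl and keytool on PATH; a self-signed certificate stands in
# for the CA-issued one; file names, CN and passphrases are demo values.
set -eu

# keytool's PKCS#12 code turns the store password into ASCII bytes for the PBE
# key derivation and rejects anything else ("Password is not ASCII"), which is
# the stack trace in the question. Succeeds only for a non-empty string of
# printable 7-bit ASCII (0x20-0x7E); the byte-range test runs in the C locale
# so a UTF-8 sequence such as "®" (0xC2 0xAE) counts as non-ASCII.
password_is_ascii() {
    [ -n "$1" ] || return 1
    ! printf '%s' "$1" | LC_ALL=C grep -q '[^ -~]'
}

# $1 = working directory holding key.pass and store.pass, $2 = CN for the CSR.
# Two files mirror the .kpkey/.kp split in the answer: key.pass protects the PEM
# key, store.pass protects the PKCS#12 and the keystore. Keep them separate even
# if the values are equal: when -passin and -passout name the same file, openssl
# reads line 1 as the input passphrase and line 2 as the output passphrase.
build_tomcat_keystore() {
    dir=$1
    cn=$2
    cd "$dir"
    for f in key.pass store.pass; do
        password_is_ascii "$(cat "$f")" || {
            echo "$f: passphrase is empty or not ASCII; keytool will reject it" >&2
            return 1
        }
    done
    # 2A: encrypted 2048-bit RSA key. genpkey only encrypts when a cipher option
    # is given; the question's call names none, so -pass has nothing to protect.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -aes-256-cbc -pass file:key.pass -out server.key.pem
    # 2B: CSR; -passin unlocks the key. No "challenge password" is set here.
    openssl req -new -sha256 -key server.key.pem -passin file:key.pass \
        -subj "/CN=$cn" -out server.csr
    # 3-4: demo only. The CA would sign server.csr; here the key signs it itself.
    # With a CA-issued cert, put the chain in chain.pem and add
    # "-chain -CAfile chain.pem" to the export below, as the question does.
    openssl x509 -req -in server.csr -signkey server.key.pem -passin file:key.pass \
        -days 365 -sha256 -out server.crt
    # 5C: PKCS#12 protected by the store passphrase; -passout replaces the
    # interactive "Enter Export Password" prompt.
    openssl pkcs12 -export -in server.crt -inkey server.key.pem -passin file:key.pass \
        -name tomcat -passout file:store.pass -out tomcat.p12
    # 6: keytool creates tomcat.keystore if it does not exist. A PKCS#12 dest
    # store uses one password for store and entries, so no -destkeypass.
    keytool -importkeystore -srckeystore tomcat.p12 -srcstoretype PKCS12 \
        -srcstorepass:file store.pass -srcalias tomcat \
        -destkeystore tomcat.keystore -deststoretype PKCS12 \
        -deststorepass:file store.pass -destalias tomcat
    # Check: the entry opens with the same passphrase Tomcat will be given.
    keytool -list -keystore tomcat.keystore -storepass:file store.pass -alias tomcat
}

# Run the pipeline in a scratch directory when both tools are available.
if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
    work=$(mktemp -d)
    umask 077
    printf '%s\n' 'key-passphrase-demo-ASCII' > "$work/key.pass"
    printf '%s\n' 'store-passphrase-demo-ASCII' > "$work/store.pass"
    ( build_tomcat_keystore "$work" mike.ike.com )
fi
```

Tomcat can also read tomcat.p12 directly (keystoreType="PKCS12"), so step 6 is only needed if a keytool-managed keystore is wanted. If keytool still reports "keystore password was incorrect" on a .p12 written by OpenSSL 3 even though the passphrase is ASCII, that is the unsupported-format case from the other answer: OpenSSL 3 defaults to AES with PBKDF2 for PKCS#12, which older JDKs cannot read, and `openssl pkcs12 -export -legacy` writes the older encoding.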
Reputation: 3522
I have got this sorted out. I was using my password, which is 'password', to update the cacerts keystore in the JDK, while the default password for the cacerts keystore is 'changeit'.
Upvotes: 1