Sailesh Parajuli

Reputation: 75

Java keytool : Importing PKCS12 to jks , getting error keystore password was incorrect

I have created PKCS12 file using private key and the public certificate using openssl. I am trying to import the PKCS12, but getting error keystore password was incorrect. I have added password in the command line argument as below:

openssl pkcs12 -export -in myCert.cer -inkey privatekey.key -out pkcs12.p12 -name somename -password pass:someSecret2022

Then I am using following keytool command :

keytool -importkeystore -srckeystore pkcs12.p12 -srcstoretype pkcs12 -destkeystore some.jks -deststoretype jks -srcstorepass someSecret2022 -deststorepass changeit

I keep getting error

keytool error: java.io.IOException: keystore password was incorrect

On top of that I used the same pkcs12.p12 file to import within Windows and it accepts the above password.

I am using zulu 8 java version 1.8.0_322 and openssl version 3.0.3.

Thank you for your help.

Upvotes: 7

Views: 10997

Answers (1)

dave_thompson_085

Reputation: 39000

Dupe "java.io.IOException: keystore password was incorrect" on KeyStore load (which I didn't fully answer). OpenSSL 3.0.x defaults to PBKDF2 with HmacSHA256 for PKCS12 (which earlier OpenSSL didn't) and in some Java versions the standard provider mishandles this scheme, causing it to fail to decrypt the encrypted key and cert; see https://bugs.openjdk.java.net/browse/JDK-8278989 . Options:

  1. Create with OpenSSL 1.1.x (or lower, but that's unsupported)

  2. Create with OpenSSL 3.0.x specifying (improved) -legacy and optionally -descert -- or else the more detailed (corrected) -certpbe x -keypbe x -macalg sha1 where x is one of the non-PBKDF2 algorithms like pbeWithSHA1And3-KeyTripleDES-CBC or the easier-to-type alias PBE-SHA1-3DES (I'm not sure -macalg is always needed, try omitting if you like)

  3. Use Java 11.0.12 or higher, or in 8 use odd-numbered Oracle builds (301,311,321,333) not even-numbered OpenJDK builds (302,312,322)

  4. In any Java use https://www.BouncyCastle.org provider with preference above the Oracle provider(s)

  5. (Re)write the PKCS12 using something other than OpenSSL 3.0.x; for example on my Windows 10 Home if I import to Windows (as you noted you can) and then export from Windows using the default setting Encryption=TripleDES-SHA1 (NOT selecting AES128-SHA256) the result is readable in the affected Java versions. I ass-u-me this will also work in Windows 11. There are almost certainly other methods.

  6. Use something other than keytool to read into a JKS. You can write your own code (and there are numerous StackOverflow questions on this point) or there are many existing programs created by various people who have felt this same need. I like https://keystore-explorer.org as being conveniently packaged and having a nice GUI.

Upvotes: 12
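Option 2 of the answer carried through end to end, as an added example that is not part of the question or the answer above. It assumes openssl and keytool are on PATH, builds a constructed throwaway self-signed key and certificate so it runs offline, reuses the question's file names, alias and passwords, and then checks with openssl pkcs12 -info that only the SHA1/3DES scheme is present before handing the file to the same keytool -importkeystore command the question uses.

```shell
#!/usr/bin/env bash
# Added example: export a PKCS12 with the pre-PBKDF2 algorithms (answer option 2)
# and confirm keytool can read it. Not code from the question or the answer.
set -eu

WORK="${WORK:-$(mktemp -d)}"
P12_PASS="${P12_PASS:-someSecret2022}"   # password from the question, reused as a sample
JKS_PASS="${JKS_PASS:-changeit}"

# Constructed throwaway key + certificate so the script needs no real material.
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=pkcs12-legacy-example" \
    -keyout "$WORK/privatekey.key" -out "$WORK/myCert.cer" >/dev/null 2>&1
}

# Answer option 2: pin the cert and key PBE to SHA1/3DES and the MAC to SHA-1
# instead of OpenSSL 3.0's PBKDF2 + HmacSHA256 default.
export_legacy_p12() {
  openssl pkcs12 -export \
    -in "$WORK/myCert.cer" -inkey "$WORK/privatekey.key" \
    -name somename \
    -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1 \
    -password "pass:$P12_PASS" -out "$WORK/pkcs12.p12"
}

# Reports which PBE scheme names openssl finds in the file (info goes to stderr),
# so a PBES2/PBKDF2 bag cannot slip through unnoticed.
p12_algorithms() {
  openssl pkcs12 -in "$WORK/pkcs12.p12" -passin "pass:$P12_PASS" -info -noout 2>&1 \
    | grep -Eo 'pbeWithSHA1And3-KeyTripleDES-CBC|PBES2' | sort -u
}

# The keytool command from the question; -noprompt avoids the overwrite question on re-runs.
import_to_jks() {
  rm -f "$WORK/some.jks"
  keytool -importkeystore -noprompt \
    -srckeystore "$WORK/pkcs12.p12" -srcstoretype pkcs12 -srcstorepass "$P12_PASS" \
    -destkeystore "$WORK/some.jks" -deststoretype jks -deststorepass "$JKS_PASS" \
    >/dev/null 2>&1
}

# Lists the private-key aliases that ended up in the JKS.
jks_aliases() {
  keytool -list -keystore "$WORK/some.jks" -storepass "$JKS_PASS" 2>/dev/null \
    | grep -i 'PrivateKeyEntry' | cut -d, -f1
}

main() {
  make_test_cert
  export_legacy_p12
  echo "PBE schemes in pkcs12.p12: $(p12_algorithms | tr '\n' ' ')"
  import_to_jks
  echo "Aliases in some.jks: $(jks_aliases)"
}

if command -v openssl >/dev/null 2>&1 && command -v keytool >/dev/null 2>&1; then
  main
else
  echo "openssl and keytool must both be on PATH" >&2
fi
```

If p12_algorithms prints PBES2 instead, the -certpbe/-keypbe flags were not honoured (or a different openssl binary was picked up), and the affected Java 8 builds named in the answer will keep reporting "keystore password was incorrect" even though the password is right.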
