P1B0

Reputation: 51

Java keytool yields "keystore password was incorrect" when trying to import a PKCS12 to JKS

I know this issue looks like a known one (many questions on this here), several bugs have been reported on different JDK versions and the situation has been very well summarized in this post: https://stackoverflow.com/a/72501767

I happen to fall in what I think is another case, not yet answered. I must be doing something wrong, but I cannot see what.

I have a certificate and a private key in PEM format, and I want to create a JKS from that. I have read that the JKS format might not be needed anymore, but I do not control that part.

I process the files on the command line. Things go like this, nothing special or esoteric:

openssl pkcs12 -export -in cert.crt -passout pass:changeit -inkey pkey.key -out keystore.p12

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -srcstorepass changeit -deststorepass changeit -destkeystore keystore.jks

I get:

Importing keystore keystore.p12 to keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Now, the thing is that I have tried that with many versions of the JDK, and it never succeeds.

Facts:

From that point, I thought I stumbled on the known JDK issue.

I have tried with those versions, all fail with the exact same message:

Finally, I could also try with the following combo: openssl 1.1.1n + openjdk 11.0.15, which yields the same error. All the JDKs I have tried are above version 11.0.12.

I am stuck and desperate, and have spent far too much time on this. (For the record, I am trying to set up the bitnami keycloak chart with an existing secret containing PEM certificates, and the container responsible for importing it fails. I have tried to do the same thing manually, and here I am.)

Edit:

Thanks dave_thompson_085 for the suggestion. Here is the backtrace of the keytool error:

java.io.IOException: keystore password was incorrect
    at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2158)
    at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:226)
    at java.base/java.security.KeyStore.load(KeyStore.java:1503)
    at java.base/sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2319)
    at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1234)
    at java.base/sun.security.tools.keytool.Main.run(Main.java:416)
    at java.base/sun.security.tools.keytool.Main.main(Main.java:409)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates

and the output of openssl pkcs12 -info:

MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256
Certificate bag
PKCS7 Data
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256

I am going to follow the path shown by that evil-looking java.security.cert.CertificateParsingException: Empty issuer DN not allowed in X509Certificates message...

Upvotes: 3

Views: 11763

Answers (1)

P1B0

Reputation: 51

Thanks to the comment by @dave_thompson_085, I could use the -J-showversion flag to the keytool -importkeystore command, and get a useful message from that Java tool.

As you can see from the backtrace in my post, the resulting message keystore password was incorrect was the result of a deeper Empty issuer DN not allowed in X509Certificates exception... The error message was very misleading and made me lose time.

My problem came from how the issuer for my keycloak certificate was declared. I have referred to the cert-manager documentation, fixed my issue, and keycloak finally accepted my PEM as input to create a keystore.

Thanks and best regards,

Pierre

Upvotes: 1
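The backtrace in the question shows what keytool hides behind "keystore password was incorrect": the PKCS12 loader failed to parse a certificate bag ("Empty issuer DN not allowed in X509Certificates") and the failure surfaced as a generic password error. A practical check is to inspect the issuer of cert.crt before running openssl pkcs12 -export. The script below is an added example, not code from the question, the answer, or the keycloak or cert-manager projects; it walks the DER structure of a PEM certificate far enough to find tbsCertificate.issuer and reports whether that Name SEQUENCE is empty. The two sample certificates it builds are constructed in the script (placeholder key and signature, hypothetical names) so it runs offline; it does no signature validation.

```python
"""Check a PEM certificate for an empty issuer Name before packing it into a
PKCS12 that Java's keytool will refuse with a misleading password error.
Added example; not the poster's code. Only tbsCertificate.issuer is inspected."""
import base64
import re


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos).
    Single-byte tags only, which is all an X.509 certificate uses."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, value) for every element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, child, pos = _read_tlv(value, pos)
        yield tag, child


def pem_to_der(pem_text):
    """Extract and base64-decode the first CERTIFICATE block in pem_text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def issuer_rdn_count(der):
    """Return the number of RDNs in tbsCertificate.issuer; 0 is the case Java rejects."""
    tag, cert, _ = _read_tlv(der, 0)
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER Certificate SEQUENCE")
    fields = list(_children(tbs))
    if fields and fields[0][0] == 0xA0:      # optional [0] EXPLICIT version
        fields = fields[1:]
    # Remaining order: serialNumber, signature AlgorithmIdentifier, issuer Name
    issuer_tag, issuer = fields[2]
    if issuer_tag != 0x30:
        raise ValueError("issuer is not a Name SEQUENCE")
    return sum(1 for _ in _children(issuer))


def has_empty_issuer(pem_text):
    """True when the certificate's issuer Name carries no RDN at all."""
    return issuer_rdn_count(pem_to_der(pem_text)) == 0


# --- constructed sample certificates: synthetic DER, dummy key and signature ---
def _tlv(tag, value):
    """Encode one DER TLV (definite lengths up to 65535)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100
                                          else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + length + value


def _name(cn):
    """Name ::= SEQUENCE OF RDN; an empty SEQUENCE when cn is None."""
    if cn is None:
        return _tlv(0x30, b"")
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))  # CN OID 2.5.4.3
    return _tlv(0x30, _tlv(0x31, atv))


def build_sample_cert(issuer_cn, subject_cn="keycloak.example.test"):
    """Structurally valid Certificate with placeholder key and signature (constructed)."""
    sha256_rsa = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B") + b"\x05\x00")
    rsa = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x01") + b"\x05\x00")
    validity = _tlv(0x30, _tlv(0x17, b"240101000000Z") + _tlv(0x17, b"250101000000Z"))
    spki = _tlv(0x30, rsa + _tlv(0x03, b"\x00" + b"\x00" * 4))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sha256_rsa
               + _name(issuer_cn) + validity + _name(subject_cn) + spki)
    der = _tlv(0x30, tbs + sha256_rsa + _tlv(0x03, b"\x00" + b"\x00" * 4))
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


GOOD_CERT_PEM = build_sample_cert("Example CA")   # constructed: normal issuer
BAD_CERT_PEM = build_sample_cert(None)            # constructed: empty issuer DN

if __name__ == "__main__":
    for label, pem in (("good", GOOD_CERT_PEM), ("bad", BAD_CERT_PEM)):
        print(label, "empty issuer:", has_empty_issuer(pem))
```

With a real file, call has_empty_issuer(open("cert.crt").read()); only the first CERTIFICATE block is checked, so run it per certificate on a chain file. The same thing can be eyeballed with openssl x509 -in cert.crt -noout -issuer, which prints an issuer line with nothing after it when the DN is empty.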
