Key was created with errors:
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore C:\Users\Ot \ccc.jks -destkeystore C:\Users\Ot\ccc.jks -deststoretype pkcs12".
Related
I have a .pem certificate and a .key certificate file and i have to import them to a .jks keystore together, how do i achieve that?
I've found a soulution which includes exporting the .key and .pem certs to a .p12 file, and then importing that .p12 file to a java keystore (.jks).
To export .pem and .key together to a .p12 use this command:
openssl pkcs12 -export -in <path to .pem cert> -inkey <path to .key cert> -out <desired name of the .p12 file with the extension> -name <cert alias>
Then, import the .p12 to the java keystore with this command:
keytool -importkeystore -v -srckeystore <path to .p12 file> -srcstoretype PKCS12 -destkeystore <path to .jks> -deststoretype JCEKS
I'm trying to import a certificate into AWS, the problem is my private key is not in pem format. I'd rather not have to create a new certificate as I've already had a CA sign mine. I've generated the key using this following command
keytool -genkey -alias info -keyalg RSA -keysize 2048 -keystore info
Which leaves me with a private key in binary format named info. I'm able to use this command to convert the private key into base64 I believe.
openssl rsa -inform DER -outform PEM -in info -out info.pem
The header and footer are missing
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
Which I append to their appropriate locations. Now when I'm attempt to upload my cert, it fails because the private key is not in pem format. AS per other questions regarding binary to pem format, I've tried this command.
openssl rsa -inform der -in info -outform pem -out info.pem
which results in this error "unable to load Private Key
140594255303104:error:0D07207B:asn1 encoding routines:ASN1_get_object:header too long:../crypto/asn1/asn1_lib.c:101:"
How should go about converting a binary key generated from keytool into pem format?
I was able to convert it from jks to pem using these following commands.
keytool -importkeystore -srckeystore info -destkeystore info.p12 -srcalias info -srcstoretype jks -deststoretype pkcs12
openssl pkcs12 -in info.p12 -out info.pem
When I'm trying to convert pfx file, which was generated without password, to jks I get a WARNING WARNING etc... message from keytool, and an error afterwards
When I do the same with an password protected pfx, then everything is fine.
Can anyone suggest what I can do !? maybe a conversion from other formats or using other tools ?
ps. I did also conversion to pem, and pem to jks, but it failed, because it was not an x509 cert.
EDIT
keytool.exe -importkeystore -srckeystore "C:\Users\rodislav.moldovan\Projects
\ceva.pfx" -srcstoretype pkcs12 -destkeystore "C:\Users\rodislav.mol
dovan\Projects\ceva.jks" -deststoretype JKS
Enter destination keystore password: ******
Re-enter new password: ******
Enter source keystore password: // pressed enter, because there is no pass
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified! In order to verify its integrity, *
* you must provide the srckeystore password. *
***************** WARNING WARNING WARNING *****************
keytool error: java.security.UnrecoverableKeyException: Get Key failed: null
You can do it by making a p12 keystore first with OpenSSL and then convert it into JKS format with Keytool.
OpenSSL for CER & PVK file > P12
openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12
Keytool for p12 > JKS
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert
Try to convert it to a p12 with a password before.
openssl pkcs12 -in in.pfx -out out.p12
If you just have a full PFX file that isn't password protected; for instance you downloaded the cert from Azure Key Vault like so:
az keyvault secret download -f mycert.pfx --encoding base64 --vault-name <vault name> --name <certificate name>
Then you can jump through a few hoops to add password protection (got this from here: http://www.1st-setup.nl/wordpress/howto-change-password-on-pfx-certificate-using-openssl/):
openssl pkcs12 -in mycert.pfx -out temppem.pem -nodes
openssl pkcs12 -export -out protectedcert.pfx -in temppem.pem
rm certs/mycert.pfx
rm certs/temppem.pem
Obviously you need to specify a password in the second openssl command to pw-protect the new PFX.
I have the exact problem reported in
Jarsigner: certificate chain not found for
My starting point was a .pem file. My sense is that this does have the private key also. I used the following command to import this into a keystore:
keytool -importcert -alias myalias -file myfile.pem
For "Trust this certificate? [no]", if I choose "no" the import fails. So, I went with "yes". The import does succeed. My
keytool -list
produces output similar to the one listed in Jarsigner: certificate chain not found for.
My sense is that I do have the right certificate bit am not importing this correctly. In other words, I am suspecting that a 'trusted certificate entry' is being created instead of a 'key entry' but don't know how to force keytool to create a 'key entry'.
How can I solve this problem?
Additional Info:
After further work, I am leaning towards exactly the opposite conclusion than the one above. I now think that something is wrong with my pem file. I looked at a previous keystore entry with an expired key. It clearly states PrivateKeyEntry while my import states trustedCertEntry.
You can try to create a pkcs12 from your files that would contain the entire certificate chain. You'll need your public cert and the root CA cert. Command is like this:
openssl pkcs12 -export -inkey file.pem -in file.crt -out file.p12 \
-CAfile root-CA.pem -chain -name mykey
Once you have the entire file.p12 file, you can export the full cert to pem format:
openssl pkcs12 -in file.p12 -out new-cert.pem -nodes -clcerts
Or if you want to export to a Java keystore format that has the entire chain, the command is:
keytool -importkeystore -srcstoretype pkcs12 -srckeystore file.p12 \
-srcstorepass <password> -keystore keystore.jks
I'm trying to convert x.PFX file to x.JKS file using keytool but I am getting following error:
keytool error: java.lang.Exception: Alias <2> does not exist
Actions that preceded this error are:
Listing x.PFX file content (just to read alias name):
keytool -v -list -storetype pkcs12 -keystore x.pfx
Enter keystore password: x
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: 2
Creation date: 11-nov-2012
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=x, OU=x, C=x
Issuer: CN=x, O=x, C=x
Serial number: x
Valid from: Wed Oct 24 11:46:10 CEST 2012 until: Fri Dec 13 09:28:40 CET 2013
Certificate fingerprints:
etc.
Converting x.PFX file into x.JKS file using "2" as source alias name
keytool -importkeystore -srckeystore x.pfx -srcstoretype pkcs12 -srcalias 2 -destkeystore x.jks -deststoretype jks -destalias xyz
Enter destination keystore password: y
Re-enter new password: y
Enter source keystore password: x
keytool error: java.lang.Exception: Alias <2> does not exist
I am not sure what I am doing wrong? PFX file contain only one entry with just one alias (2). I also tried using these srcalias values: 2, "2", " 2". Is there any other way to convert PFX into JKS using keytool without knowing source alias name?
I had the exact same problem. I've solved using '1' instead of 2. Don't know why but it worked.
if set alias in pkcs12:
openssl pkcs12 -export -in certificate.pem -inkey private_key.pem -out keystore.p12 -name "myalias"
aftet alias setted successfully:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS -alias myalias
your command should looks a bit more like this
keytool -importkeystore -srckeystore x.pfx -srcstoretype pkcs12 -***alias*** 2 -destkeystore x.jks -deststoretype jks -destalias xyz
Maybe "2" can't be found, because there are whitespaces included (e.g. "2 ")
If you don't wanna change the alias just remove the options -srcalias and -destalias and it will be imported with the original alias.