Checking the possibility to store passwords with Java keytool - keytool

In Java 8 the option -importpassword was added to keytool. It works with JKECS storetype:
$ keytool -importpassword -storetype JCEKS -alias alias
Enter the password to be stored:
Re-enter password:
$keytool -list -storetype JCEKS -keypass "" -keystore mystore.jceks
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
alias, Apr 7, 2016, SecretKeyEntry,
Trying to extract it, I get the error:
keytool error: java.lang.Exception: Alias <alias> has no certificate
My question is: How do I extract the password?

Looks like the keytool is lacking the capability to extract/export the password imported using the -importpass command. But you can view the password using KeyStore api, using the below code:
KeyStore ks = KeyStore.getInstance("JCEKS");
ks.load(new FileInputStream(new File("KEYSTORE_FILE")), "KEYSTORE_PASSWORD".toCharArray());
SecretKey passwordKey = (SecretKey) ks.getKey("ALIAS", "KEY_PASSWORD".toCharArray());
System.out.println(new String(passwordKey.getEncoded()));

Related

Change Private Key file password with keytool command

I have only one option to change the password of private key file with "keytool" command only.
can you tell how i can change password with keytool command only.
i am getting error while trying to change password of private key file.
keytool -keypasswd -alias user.http.key -new TesP#s434
keytool error: java.lang.Exception: Keystore file does not exist: /root/.keystore

keytool error: java.lang.Exception: Certificate not imported, alias mykey already exists

I am trying to install a client certificate in my JVM to call a https soap service, but when running the
keytool -import command I get the below error:
**
keytool error: java.lang.Exception: Certificate not imported, alias already exists
**
Here is the command I am using, please note I am using Java11
**
C:\Softwares\java-11-openjdk-11.0.7.10-1.windows.redhat.x86_64\lib\security>keytool -import -keystore cacerts -file "C:\Softwares\client.certificate.pfx"
**
Please suggest.
Every entry in the java keystore is identified by a key called alias. It has to be unique for a given keystore. If you don't provide one, the default value the keytool uses is mykey. Looks like there is an entry with mykey already in your keystore. All you have to do is give a name yourself. You can do this using the alias attribute, like this:
keytool -import -keystore cacerts -file "C:\Softwares\client.certificate.pfx" -alias third_party_ca
You can use any name as long as it is unique.

How to Export certificate key to PEM format?

My keystore is deleted, and I try to chat with Google playstore developer and I ask that my keystore app be reset, then they sent instructions like this:
Alternatively, you can use the following command line to generate a
new key:
keytool -genkeypair -alias upload -keyalg RSA -keysize 2048 -validity 9125 -keystore keystore.jks
This key must be a 2048 bit RSA key and have 25-year validity.
Export the certificate for that key to PEM format:
keytool -export -rfc -alias upload -file upload_certificate.pem -keystore keystore.jks
Reply to this email and attach the upload_certificate.pem file.
My question is how to Export the certificate for that key to PEM format?
I try to using keytool.exe in folder C:\Program Files\Android\Android Studio\jre\bin the command prompt keytool.exe can not been write (force close)
keytool is provided in JDK, not JRE. You can install a JDK 1.8 for example and use keytool command from the path C:\Program Files\Java\JDK_1.8\bin\keytool.exe in Windows CMD terminal in Administrator mode(preferably).
The commands you provided are meant to generate a keypair and to export the certificate. So, if you have a proper keytool installed, you can execute your commands successfully and export the certificate.
For exporting certificate, if path not given it will export the ceritificate in bin folder.

delete a cert from a truststore when the alias has unusual characters (?)

Using keytool from the command-line, I added a new cert to a store. But the anger-inducing window manager that I find myself currently stuck with manages to fail at cut-and-paste, and replaced one of the characters of the alias with a ? character. How do I change or delete that alias?
keytool -list -keystore truststore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
hail.ucc.nau.edu:8636-cert-1?, Dec 1, 2017, trustedCertEntry,
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1?'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1?> does not exist
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1\?'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1\?> does not exist
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1> does not exist
Thanks for any assistance,
- rob.
The special character you are seeing, may not be that actual character as suggested by #Pavel Lechev in the comment. If the keytool delete doesn't work, you can use the KeyStore Explorer software to do it. It has nice GUI providing all the keytool functionalities.
Or you could write a small tool/class using KeyStore api to delete your unwanted alias. You could list out all the aliases, identify it, and delete it (to identify the alias, you could do startsWith()).

Keytool: generate a secret key throws exception

I try to generate a secret key in my *.keystore, but I always get
keytool error: java.io.IOException: Invalid keystore format
java.io.IOException: Invalid keystore format
The command is the following:
keytool -genseckey -keyalg DESede -keysize 168 -v -alias MyTestKey -keystore mykeystore.keystore
storetype: JCEKS
what is wrong?
UPDATE: ok, seems that -storetype jceks helped
is Keytool case sensitive? seems like it is not?
Please check if your keystore is in JKS format. Refer to this link and note case sensitivity.