I'm trying to create certificate key-store file with command line but it gives me an exception:
c:\Program Files\Java\jre7\bin>keytool.exe -genkey -alias srccodes -keyalg AES -
keystore C:\srccodes.jks -keysize 128
Enter keystore password:
Re-enter new password:
keytool error: java.lang.Exception: Cannot derive signature algorithm
-genkey option is for generating a public key and associated private key, so it only works with asymmetric algorithm (AES is symmetric so you can't use -genkey with it).
Use -genseckey instead. Note also that JKS can not store non public-key pairs, so you must use JCEKS format, to specify this add -storeType JCEKS, finally your command must be:
keytool.exe -genseckey-alias srccodes -keyalg AES -keystore C:\srccodes.jceks -keysize 128 -storeType JCEKS
For more info take a look at: Keytool documentation
Hope this helps,
Related
Using keytool from the command-line, I added a new cert to a store. But the anger-inducing window manager that I find myself currently stuck with manages to fail at cut-and-paste, and replaced one of the characters of the alias with a ? character. How do I change or delete that alias?
keytool -list -keystore truststore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
hail.ucc.nau.edu:8636-cert-1?, Dec 1, 2017, trustedCertEntry,
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1?'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1?> does not exist
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1\?'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1\?> does not exist
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1> does not exist
Thanks for any assistance,
- rob.
The special character you are seeing, may not be that actual character as suggested by #Pavel Lechev in the comment. If the keytool delete doesn't work, you can use the KeyStore Explorer software to do it. It has nice GUI providing all the keytool functionalities.
Or you could write a small tool/class using KeyStore api to delete your unwanted alias. You could list out all the aliases, identify it, and delete it (to identify the alias, you could do startsWith()).
I try to generate a secret key in my *.keystore, but I always get
keytool error: java.io.IOException: Invalid keystore format
java.io.IOException: Invalid keystore format
The command is the following:
keytool -genseckey -keyalg DESede -keysize 168 -v -alias MyTestKey -keystore mykeystore.keystore
storetype: JCEKS
what is wrong?
UPDATE: ok, seems that -storetype jceks helped
is Keytool case sensitive? seems like it is not?
Please check if your keystore is in JKS format. Refer to this link and note case sensitivity.
Because when I run keytool in cmf.exe fill all fields and keep asking me back
keytool -genkey -v -keystore [keystore_name].keystore -alias [alias_name] -keyalg RSA -keysize 2048 -validity 10000
Do not generate the keystore, after asking if everything is correct, and I put yes becomes responsive again. Because? I'm doing wrong?
Not sure what is going wrong for you. And it works for me.
Try giving all the parameters in one go, like this :
keytool -genkey -v -keystore test.jks -alias test
-keyalg RSA -keysize 2048 -validity 10000 -storepass test-keypass test-dname "CN=test.com,OU=Test,O=Test,L=Test,S=Test,C=Test"
This should store the keystore without prompting for confirmation.
I had the same issue, and I realized that it was because of my OS language (I have spanish by default), so when I answered with "si" it worked
I wanted to create a certificate into a PKCS12 keystore format with keytool program.
The keystore has extension .pfx.
How do I achieve this?
If the keystore is PKCS12 type (.pfx) you have to specify it with -storetype PKCS12 (line breaks added for readability):
keytool -genkey -alias <desired certificate alias>
-keystore <path to keystore.pfx>
-storetype PKCS12
-keyalg RSA
-storepass <password>
-validity 730
-keysize 2048
Additional answer to the key of the question.
With JDK 8 (1.8.0_121-b13) you don't get an exception if you remove -storetype pkcs12 but the keytool creates a JKS keystore instead, and the .pfx extension is ignored.
It also asks for a -keypass mykeypassword which the keytool doesn't support for PKCS12.
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -keystore keystore.pfx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Generating keypair (Type EC, 256 Bit) and self-signed certificate (SHA256withECDSA) with a validity of 365 days
for: CN=CN, OU=OU, O=O, C=C
[keystore.pfx saved]
List the contents:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pfx -storepass mystorepassword
(translated)
Keystore-Type: JKS
Keystore-Provider: SUN
Keystore contains 1 entry.
mykey, 25.04.2017, PrivateKeyEntry,
Certificate-Fingerprint (SHA1): A1:6C:5F:8F:43:37:1A:B6:43:69:08:DE:6B:B9:4D:DB:05:C9:D5:84
You see it's a Java keystore.
The next problem is, that even if you specify -storetype pkcs12 when you -list the keystore, the keytool will still display the store as a JKS keystore!
Let's try that:
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -storetype pkcs12 -keystore keystore.pkx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Warning: No support for different keystore and key password for PKCS12 keystores. The value of -keypass will be ignored.
Generating keypair (Type EC, 256 Bit) and self signed certificate (SHA256withECDSA) with a validity of 365 Days
für: CN=CN, OU=OU, O=O, C=C
[keystore.pkx saved]
Now list the contents:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pkx -storepass mystorepassword
(translated)
Keystore-Type: JKS // ??
Keystore-Provider: SUN
Keystore contains 1 entry
mykey, 25.04.2017, PrivateKeyEntry,
Certificate Fingerprint (SHA1): EA:C2:36:C6:55:69:CB:32:22:C7:14:83:67:47:D2:7E:06:8E:13:14
I used the -validity property of the keytool to generate a keystore and self sign a jar. During the process, I saw the debug message that says
[info] Warning:
[info] This jar contains entries whose signer certificate will expire within six
months.
I am using the following commands,
keytool -genkey -alias signFiles -keypass mypass -keystore mystore -storepass mypass-alias store -validity 365
keytool -selfcert -keystore mystore -alias store
Am I doing something wrong here? Actually I wanted to sign the jar with a certificate for 1 year.
Cheers,
J
Add -validity 365 to your -selfcert command.