PFX to JKS keytool conversion: Alias <*> does not exist - certificate

I'm trying to convert an x.PFX file to an x.JKS file using keytool, but I am getting the following error:
keytool error: java.lang.Exception: Alias <2> does not exist
Actions that preceded this error are:
Listing x.PFX file content (just to read alias name):
keytool -v -list -storetype pkcs12 -keystore x.pfx
Enter keystore password: x
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: 2
Creation date: 11-nov-2012
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=x, OU=x, C=x
Issuer: CN=x, O=x, C=x
Serial number: x
Valid from: Wed Oct 24 11:46:10 CEST 2012 until: Fri Dec 13 09:28:40 CET 2013
Certificate fingerprints:
etc.
Converting x.PFX file into x.JKS file using "2" as source alias name
keytool -importkeystore -srckeystore x.pfx -srcstoretype pkcs12 -srcalias 2 -destkeystore x.jks -deststoretype jks -destalias xyz
Enter destination keystore password: y
Re-enter new password: y
Enter source keystore password: x
keytool error: java.lang.Exception: Alias <2> does not exist
I am not sure what I am doing wrong. The PFX file contains only one entry with just one alias (2). I also tried using these srcalias values: 2, "2", " 2". Is there any other way to convert PFX into JKS using keytool without knowing the source alias name?

I had the exact same problem. I solved it using '1' instead of 2. I don't know why, but it worked.

If you set the alias in the PKCS12:
openssl pkcs12 -export -in certificate.pem -inkey private_key.pem -out keystore.p12 -name "myalias"
After the alias is set successfully:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS -alias myalias

Your command should look a bit more like this:
keytool -importkeystore -srckeystore x.pfx -srcstoretype pkcs12 -alias 2 -destkeystore x.jks -deststoretype jks -destalias xyz

Maybe "2" can't be found, because there are whitespaces included (e.g. "2 ")
If you don't wanna change the alias just remove the options -srcalias and -destalias and it will be imported with the original alias.

Related

delete a cert from a truststore when the alias has unusual characters (?)

Using keytool from the command-line, I added a new cert to a store. But the anger-inducing window manager that I find myself currently stuck with manages to fail at cut-and-paste, and replaced one of the characters of the alias with a ? character. How do I change or delete that alias?
keytool -list -keystore truststore
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 4 entries
hail.ucc.nau.edu:8636-cert-1?, Dec 1, 2017, trustedCertEntry,
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1?'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1?> does not exist
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1\?'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1\?> does not exist
.....
keytool -delete -keystore truststore -alias 'hail.ucc.nau.edu:8636-cert-1'
Enter keystore password:
keytool error: java.lang.Exception: Alias <hail.ucc.nau.edu:8636-cert-1> does not exist
Thanks for any assistance,
- rob.
The special character you are seeing may not be that actual character, as suggested by @Pavel Lechev in the comment. If keytool -delete doesn't work, you can use the KeyStore Explorer software to do it. It has a nice GUI providing all the keytool functionality.
Or you could write a small tool/class using the KeyStore API to delete your unwanted alias. You could list out all the aliases, identify it, and delete it (to identify the alias, you could use startsWith()).
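One way to write the small KeyStore tool suggested above (an added example, not code from the answer or from keytool): it lists every alias with non-visible and non-ASCII characters shown as hex escapes, which also exposes the stray-whitespace case raised for alias "2" earlier on this page, and deletes the single entry matching a prefix. The class name, the argument order and the `.new` output file are assumptions.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example. Assumed usage: java DeleteAliasByPrefix <keystore.jks> <alias-prefix>
public class DeleteAliasByPrefix {
    // Show visible ASCII as-is and every other character (spaces included) as a
    // hex escape, so the real character behind a displayed '?' can be identified.
    static String escape(String alias) {
        StringBuilder sb = new StringBuilder();
        for (char c : alias.toCharArray()) {
            if (c > 0x20 && c < 0x7f) sb.append(c);
            else sb.append(String.format("\\u%04x", (int) c));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String path = args[0], prefix = args[1];
        Console console = System.console();   // null when not run from a terminal
        if (console == null) throw new IllegalStateException("run from an interactive terminal");
        char[] password = console.readPassword("Keystore password: ");
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);            // also verifies the store's integrity
        }
        List<String> matches = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("alias: [" + escape(alias) + "]");
            if (alias.startsWith(prefix)) matches.add(alias);
        }
        // Delete only when the prefix identifies exactly one entry.
        if (matches.size() != 1) {
            System.err.println(matches.size() + " aliases match the prefix; nothing deleted");
            System.exit(1);
        }
        ks.deleteEntry(matches.get(0));
        // Write to a new file so the original survives a failed or mistaken run.
        try (FileOutputStream out = new FileOutputStream(path + ".new")) {
            ks.store(out, password);
        }
        System.out.println("deleted [" + escape(matches.get(0)) + "], wrote " + path + ".new");
    }
}
```

Reading the password from the console keeps it out of the process list and shell history; compare the `.new` file with `keytool -list` before replacing the original truststore.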

Checking the possibility to store passwords with Java keytool

In Java 8 the option -importpassword was added to keytool. It works with the JCEKS storetype:
$ keytool -importpassword -storetype JCEKS -alias alias
Enter the password to be stored:
Re-enter password:
$ keytool -list -storetype JCEKS -keypass "" -keystore mystore.jceks
Keystore type: JCEKS
Keystore provider: SunJCE
Your keystore contains 1 entry
alias, Apr 7, 2016, SecretKeyEntry,
Trying to extract it, I get the error:
keytool error: java.lang.Exception: Alias <alias> has no certificate
My question is: How do I extract the password?
Looks like the keytool is lacking the capability to extract/export the password imported using the -importpass command. But you can view the password using KeyStore api, using the below code:
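import java.io.FileInputStream;
import java.security.KeyStore;
import javax.crypto.SecretKey;
// Load the JCEKS keystore, fetch the SecretKeyEntry stored by -importpassword, and print its raw bytes as text.
KeyStore ks = KeyStore.getInstance("JCEKS");
ks.load(new FileInputStream("KEYSTORE_FILE"), "KEYSTORE_PASSWORD".toCharArray());
SecretKey passwordKey = (SecretKey) ks.getKey("ALIAS", "KEY_PASSWORD".toCharArray());
System.out.println(new String(passwordKey.getEncoded()));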

getting error while trying to convert pfx without password to jks

When I'm trying to convert pfx file, which was generated without password, to jks I get a WARNING WARNING etc... message from keytool, and an error afterwards
When I do the same with a password-protected pfx, then everything is fine.
Can anyone suggest what I can do !? maybe a conversion from other formats or using other tools ?
ps. I did also conversion to pem, and pem to jks, but it failed, because it was not an x509 cert.
EDIT
keytool.exe -importkeystore -srckeystore "C:\Users\rodislav.moldovan\Projects\ceva.pfx" -srcstoretype pkcs12 -destkeystore "C:\Users\rodislav.moldovan\Projects\ceva.jks" -deststoretype JKS
Enter destination keystore password: ******
Re-enter new password: ******
Enter source keystore password: // pressed enter, because there is no pass
***************** WARNING WARNING WARNING *****************
* The integrity of the information stored in the srckeystore*
* has NOT been verified! In order to verify its integrity, *
* you must provide the srckeystore password. *
***************** WARNING WARNING WARNING *****************
keytool error: java.security.UnrecoverableKeyException: Get Key failed: null
You can do it by making a p12 keystore first with OpenSSL and then convert it into JKS format with Keytool.
OpenSSL for CER & PVK file > P12
openssl pkcs12 -export -name servercert -in selfsignedcert.crt -inkey serverprivatekey.key -out myp12keystore.p12
Keytool for p12 > JKS
keytool -importkeystore -destkeystore mykeystore.jks -srckeystore myp12keystore.p12 -srcstoretype pkcs12 -alias servercert
Try to convert it to a p12 with a password before.
openssl pkcs12 -in in.pfx -out out.p12
If you just have a full PFX file that isn't password protected; for instance you downloaded the cert from Azure Key Vault like so:
az keyvault secret download -f mycert.pfx --encoding base64 --vault-name <vault name> --name <certificate name>
Then you can jump through a few hoops to add password protection (got this from here: http://www.1st-setup.nl/wordpress/howto-change-password-on-pfx-certificate-using-openssl/):
openssl pkcs12 -in mycert.pfx -out temppem.pem -nodes
openssl pkcs12 -export -out protectedcert.pfx -in temppem.pem
rm mycert.pfx
rm temppem.pem
Obviously you need to specify a password in the second openssl command to pw-protect the new PFX.

Script to Generate Self signed SSL certificate

Question is around how to quickly generate a self signed certificate that you can use with Agg Cat services OR with other intuit services.
Is there a simple script?
Here is a simple script I created for this :
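#!/bin/bash
# Arguments: aliasname password
if (( $# != 2 ))
then
    echo "Usage: aliasname password"
    exit 1
fi
# Generate an RSA key pair and a self-signed certificate in a PKCS12 keystore.
keytool -genkey -keystore "./$1.p12" -deststoretype PKCS12 -storepass "$2" -alias "$1" -keyalg "RSA" -keysize 2048 -validity 9000
# Print the certificate and private key (openssl prompts for the keystore password).
openssl pkcs12 -in "$1.p12"
# Copy the entry into a JKS keystore protected with the same password.
keytool -v -importkeystore -srckeystore "./$1.p12" -srcstoretype PKCS12 -srcstorepass "$2" -destkeystore "./$1.jks" -deststoretype JKS -deststorepass "$2"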
This will create an SSL certificate and print the private key and public cert.
You use the pub cert during app creation.
Use the private key in the sample app of API Explorer.

How to create a certificate into a PKCS12 keystore with keytool?

I wanted to create a certificate into a PKCS12 keystore format with keytool program.
The keystore has extension .pfx.
How do I achieve this?
If the keystore is PKCS12 type (.pfx) you have to specify it with -storetype PKCS12 (line breaks added for readability):
keytool -genkey -alias <desired certificate alias>
-keystore <path to keystore.pfx>
-storetype PKCS12
-keyalg RSA
-storepass <password>
-validity 730
-keysize 2048
Additional answer to the key of the question.
With JDK 8 (1.8.0_121-b13) you don't get an exception if you remove -storetype pkcs12 but the keytool creates a JKS keystore instead, and the .pfx extension is ignored.
It also asks for a -keypass mykeypassword which the keytool doesn't support for PKCS12.
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -keystore keystore.pfx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Generating keypair (Type EC, 256 Bit) and self-signed certificate (SHA256withECDSA) with a validity of 365 days
for: CN=CN, OU=OU, O=O, C=C
[keystore.pfx saved]
List the contents:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pfx -storepass mystorepassword
(translated)
Keystore-Type: JKS
Keystore-Provider: SUN
Keystore contains 1 entry.
mykey, 25.04.2017, PrivateKeyEntry,
Certificate-Fingerprint (SHA1): A1:6C:5F:8F:43:37:1A:B6:43:69:08:DE:6B:B9:4D:DB:05:C9:D5:84
You see it's a Java keystore.
The next problem is, that even if you specify -storetype pkcs12 when you -list the keystore, the keytool will still display the store as a JKS keystore!
Let's try that:
%JAVA_HOME%/bin/keytool -genkeypair -alias mykey -keyalg EC -dname "cn=CN, ou=OU, o=O, c=C" -validity 365 -storetype pkcs12 -keystore keystore.pkx -keypass mykeypassword -storepass mystorepassword -v
(translated)
Warning: No support for different keystore and key password for PKCS12 keystores. The value of -keypass will be ignored.
Generating keypair (Type EC, 256 Bit) and self signed certificate (SHA256withECDSA) with a validity of 365 Days
für: CN=CN, OU=OU, O=O, C=C
[keystore.pkx saved]
Now list the contents:
%JAVA_HOME%/bin/keytool -list -keystore keystore.pkx -storepass mystorepassword
(translated)
Keystore-Type: JKS // ??
Keystore-Provider: SUN
Keystore contains 1 entry
mykey, 25.04.2017, PrivateKeyEntry,
Certificate Fingerprint (SHA1): EA:C2:36:C6:55:69:CB:32:22:C7:14:83:67:47:D2:7E:06:8E:13:14