
I have created a PKCS12 file from a private key and the public certificate using openssl. I am trying to import the PKCS12, but I get the error "keystore password was incorrect". I have added the password as a command line argument as below:

openssl pkcs12 -export -in myCert.cer -inkey privatekey.key -out pkcs12.p12 -name somename -password pass:someSecret2022 

Then I am using following keytool command :

keytool -importkeystore -srckeystore pkcs12.p12 -srcstoretype pkcs12 -destkeystore some.jks -deststoretype jks -srcstorepass someSecret2022 -deststorepass changeit 

I keep getting error

keytool error: java.io.IOException: keystore password was incorrect 

On top of that, I imported the same pkcs12.p12 file in Windows and it accepts the above password.

I am using Zulu 8 (Java version 1.8.0_322) and OpenSSL version 3.0.3.

Thank you for your help.

  • I used the -v option to get more details on the error and saw: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption. Commented May 31, 2022 at 14:03
  • I have the same problem with 1.8.0_312 and OpenSSL 3.0.2 (Ubuntu 22.04); the same script worked for years. I found this article but it doesn't really help me: ec.europa.eu/digital-building-blocks/wikis/display/CEKB/… Commented Jun 4, 2022 at 11:16
  • Please make your problem reproducible by showing how exactly you created the private key, CSR and certificate. Commented Jun 4, 2022 at 14:21

1 Answer


Dupe of "java.io.IOException: keystore password was incorrect" on KeyStore load (which I didn't fully answer). OpenSSL 3.0.x defaults to PBKDF2 with HmacSHA256 for PKCS12 (which earlier OpenSSL didn't), and in some Java versions the standard provider mishandles this scheme, causing it to fail to decrypt the encrypted key and cert; see https://bugs.openjdk.java.net/browse/JDK-8278989 . Options:

  1. Create with OpenSSL 1.1.x (or lower, but that's unsupported)

  2. Create with OpenSSL 3.0.x specifying (improved) -legacy and optionally -descert -- or else the more detailed (corrected) -certpbe x -keypbe x -macalg sha1 where x is one of the non-PBKDF2 algorithms like pbeWithSHA1And3-KeyTripleDES-CBC or the easier-to-type alias PBE-SHA1-3DES (I'm not sure -macalg is always needed, try omitting if you like)

  3. Use Java 11.0.12 or higher, or in 8 use odd-numbered Oracle builds (301,311,321,333) not even-numbered OpenJDK builds (302,312,322)

  4. In any Java use https://www.BouncyCastle.org provider with preference above the Oracle provider(s)

  5. (Re)write the PKCS12 using something other than OpenSSL 3.0.x; for example on my Windows 10 Home if I import to Windows (as you noted you can) and then export from Windows using the default setting Encryption=TripleDES-SHA1 (NOT selecting AES128-SHA256) the result is readable in the affected Java versions. I ass-u-me this will also work in Windows 11. There are almost certainly other methods.

  6. Use something other than keytool to read into a JKS. You can write your own code (and there are numerous StackOverflow questions on this point) or there are many existing programs created by various people who have felt this same need. I like https://keystore-explorer.org as being conveniently packaged and having a nice GUI.


6 Comments

Thank you very much for this elaborate answer, it solved my problem. But I had to use -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES.
@reto: you're right; I miscopied it. Corrected and expanded, since I want to have this available as a canonical if this starts becoming common.
Found the root cause. It was a bug in OpenJDK (bugs.openjdk.org/browse/JDK-8278989?attachmentViewMode=gallery). Used jdk-18.0.1.1 and it worked perfectly.
About the 3rd option, I can't find official OpenJDK docker images with those versions 8u301, 8u311, 8u321, 8u333.
@RafisGaneev As I said, those were Oracle builds not OpenJDK. I don't know if there are official dockers for Oracle -- and I haven't rechecked if the distinction between Oracle and OpenJDK still holds; I will do that when I have some time.
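As an added check that is not part of the question or the answer above: the answer attributes the failure to OpenSSL 3.0's PBES2/PBKDF2 defaults, and the quickest way to know which scheme a given .p12 actually uses is to look at the AlgorithmIdentifier OIDs inside it. The script below is my own code (the file name p12check.py and the argument pkcs12.p12 are assumed); it walks the DER structure without any third-party library, lists the PBE-related OIDs it finds, and reports pbes2, legacy, mixed or unknown. The two sample fragments it builds are constructed to mirror the structures OpenSSL 3.0 writes by default and with -certpbe/-keypbe PBE-SHA1-3DES; they are not real keystores, and the OID bodies are their standard DER encodings.

```python
"""Added example: report which password-based-encryption (PBE) OIDs a PKCS#12 file uses."""
import sys
OID_NAMES = {  # the OIDs that matter for the OpenSSL 3.0 / JDK-8278989 problem
    "1.2.840.113549.1.5.13": "PBES2 (OpenSSL 3.0 default wrapper)",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "2.16.840.1.101.3.4.1.42": "aes256-CBC",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC (PBE-SHA1-3DES)",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC (PBE-SHA1-RC2-40)",
}
PBES2_OIDS = {"1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"}
LEGACY_OIDS = {"1.2.840.113549.1.12.1.3", "1.2.840.113549.1.12.1.6"}

def _read_tlv(buf, pos):
    """(tag, header_len, body_len) for the DER TLV at buf[pos], or None if not DER."""
    if pos + 1 >= len(buf) or buf[pos] & 0x1F == 0x1F:
        return None
    tag, length, i = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or i + n > len(buf):  # indefinite or absurd length: not DER
            return None
        length, i = int.from_bytes(buf[i:i + n], "big"), i + n
    return None if i + length > len(buf) else (tag, i - pos, length)

def _decode_oid(body):
    """Dotted-string form of an OID body, or None if the encoding is malformed."""
    if not body:
        return None
    arcs = [body[0] // 40, body[0] % 40] if body[0] < 80 else [2, body[0] - 80]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return None if value else ".".join(map(str, arcs))

def _walk(buf, start, end, found):
    # Collect OIDs, descending into constructed nodes and into OCTET STRINGs that hold
    # exactly one SEQUENCE (how PKCS#12 nests SafeContents and shrouded key bags).
    pos = start
    while pos < end:
        tlv = _read_tlv(buf, pos)
        if tlv is None or pos + tlv[1] + tlv[2] > end:
            return
        tag, body, body_end = tlv[0], pos + tlv[1], pos + tlv[1] + tlv[2]
        if tag == 0x06:  # OBJECT IDENTIFIER
            oid = _decode_oid(buf[body:body_end])
            if oid:
                found.append(oid)
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n]
            _walk(buf, body, body_end, found)
        elif tag == 0x04:  # OCTET STRING: recurse only if it wraps one whole SEQUENCE
            inner = _read_tlv(buf, body)
            if inner and inner[0] == 0x30 and body + inner[1] + inner[2] == body_end:
                _walk(buf, body, body_end, found)
        pos = body_end

def collect_oids(buf):
    """Every OID in the blob, in document order (duplicates kept)."""
    found = []
    _walk(buf, 0, len(buf), found)
    return found

def classify(buf):
    """'pbes2' (OpenSSL 3.0 default), 'legacy', 'mixed', or 'unknown' (no PBE seen)."""
    oids = set(collect_oids(buf))
    modern, legacy = bool(oids & PBES2_OIDS), bool(oids & LEGACY_OIDS)
    return "mixed" if modern and legacy else "pbes2" if modern else "legacy" if legacy else "unknown"

# Constructed sample fragments (not real keystores) mirroring the AlgorithmIdentifiers that
# OpenSSL 3.0 writes by default and with -certpbe/-keypbe PBE-SHA1-3DES, respectively.
def _der(tag, body):  # short-form length only; every sample here is under 128 bytes
    return bytes([tag, len(body)]) + body

def _oid(hexbody):  # OBJECT IDENTIFIER from the hex of its standard DER body
    return _der(0x06, bytes.fromhex(hexbody))

def sample_pbes2():
    """PBES2 { PBKDF2(salt, 2048, hmacWithSHA256), aes256-CBC(iv) } wrapped in an OCTET STRING."""
    prf = _der(0x30, _oid("2a864886f70d0209") + _der(0x05, b""))          # 1.2.840.113549.2.9
    kdf_params = _der(0x30, _der(0x04, b"\x01" * 8) + _der(0x02, b"\x08\x00") + prf)
    kdf = _der(0x30, _oid("2a864886f70d01050c") + kdf_params)            # 1.2.840.113549.1.5.12
    enc = _der(0x30, _oid("60864801650304012a") + _der(0x04, b"\x02" * 16))  # 2.16.840.1.101.3.4.1.42
    alg = _der(0x30, _oid("2a864886f70d01050d") + _der(0x30, kdf + enc))  # 1.2.840.113549.1.5.13
    return _der(0x30, _der(0x04, alg))

def sample_legacy():
    """pbeWithSHA1And3-KeyTripleDES-CBC with PBEParameter { salt, 2048 }."""
    params = _der(0x30, _der(0x04, b"\x03" * 8) + _der(0x02, b"\x08\x00"))
    return _der(0x30, _oid("2a864886f70d010c0103") + params)             # 1.2.840.113549.1.12.1.3

if __name__ == "__main__":  # usage: python3 p12check.py pkcs12.p12
    data = open(sys.argv[1], "rb").read()
    for oid in dict.fromkeys(collect_oids(data)):  # unique, in order of appearance
        print(f"{oid:26} {OID_NAMES.get(oid, '')}".rstrip())
    print("verdict:", classify(data))
```

If you have OpenSSL at hand, `openssl pkcs12 -info -in pkcs12.p12 -noout` prints the same scheme names in text form; the value of the standalone parser is that it needs nothing beyond Python 3 and can be run from a CI job over every keystore before keytool touches it. A verdict of pbes2 on one of the Java builds the answer lists as affected means the file needs to be regenerated with one of the answer's options; mixed means only some bags were rewritten, which happens when -certpbe is given without -keypbe or vice versa.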
