
getting keytool error when trying to generate a JKS file

Ranch Hand
Posts: 242
I am trying to create a JKS file from an existing private key and certificate and am currently following the steps mentioned in this documentation (http://xacmlinfo.org/2014/06/13/how-to-keystore-creating-jks-file-from-existing-private-key-and-certificate/).

I was able to generate a PKCS12 file using the private key (which is `myrhelserver_cpy_dot_com.key`) and the CA-signed certificate (which is `CertificateBundle1.pem`) as shown below:


I pressed the `Enter` key when it asked me to `Enter Export Password` and `Verifying – Enter Export Password`. After this I saw `activemq_p_keystore.p12` generated inside the directory, as shown in the `ls` command below.


Here is my actual command:

It's asking for so many passwords, as you can see above. So I did the following:

For `Enter destination keystore password:` and `Re-enter new password:` I entered nothing and pressed the `Enter` key. It then asked me for `Enter destination keystore password:`, then `Re-enter new password:` and `Enter source keystore password:`. I was lost after this.

What am I doing wrong here? Should I be creating a new password at any of the steps above?

Saloon Keeper
Posts: 23252
Keytool operates on 2 password levels. One is for the keystore database itself and one is for the key entry. That's probably what's confusing you. Each key entry has its own password.

There's a GUI app called portacle that I have found invaluable for working with keystores. It not only allows you to do maintenance on keystores, you can also do imports, exports, and keytype conversions.

Incidentally, keystore databases are self-contained, so you can easily do offline maintenance and copy them to their proper home. Or create and destroy test keystores until you have what you want. I find this especially useful since my production servers don't run a GUI desktop, so I can use portacle locally and then copy the properly-configured keystore to its production home.
 
Jack Tauson
Ranch Hand
Posts: 242

Tim Holloway wrote:Keytool operates on 2 password levels. One is for the keystore database itself and one is for the key entry. That's probably what's confusing you. Each key entry has its own password.

There's a GUI app called portacle that I have found invaluable for working with keystores. It not only allows you to do maintenance on keystores, you can also do imports, exports, and keytype conversions.

Incidentally, keystore databases are self-contained, so you can easily do offline maintenance and copy them to their proper home. Or create and destroy test keystores until you have what you want. I find this especially useful since my production servers don't run a GUI desktop, so I can use portacle locally and then copy the properly-configured keystore to its production home.

Thanks. I was thinking of the following:

To make my activemq_p_keystore.p12 file contain a password, as explained in the following documentation.

https://blog.jdriven.com/2015/10/keystore-without-a-password/

However, I am still confused about what I would enter when it asks for:

1) Enter destination keystore password:
and
2) Enter source keystore password:

Tim Holloway
Saloon Keeper
Posts: 23252
That link sounds like it's exploiting a bug in keytool, actually. Keeping a keystore database without a database password is a serious security risk.

You are telling keytool to import all the entries in one keystore into another keystore. That means that you're going to have to provide the password for the keystore you're importing from (source keystore) to be allowed to read it and the password for the keystore you're importing into (destination keystore) to be allowed to write to it.

If you were thinking that -importkeystore was supposed to import a single key, you were mistaken. This is the import for every key in a keystore database.
 
Tim Holloway
Saloon Keeper
Posts: 23252
Also: http://portecle.sourceforge.net/

This tool really does make it easier to work with keys and keystores. Sorry I misspelled it. "portacle" is a LISP development system unrelated to Java or keystores. You want portecle with an "e", not an "a".
 
Jack Tauson
Ranch Hand
Posts: 242

Tim Holloway wrote:Also: http://portecle.sourceforge.net/

This tool really does make it easier to work with keys and keystores. Sorry I misspelled it. "portacle" is a LISP development system unrelated to Java or keystores. You want portecle with an "e", not an "a".

Thanks. I figured that it was a spelling mistake. So, in my context, what steps should I follow to avoid the error I am getting?
 
Tim Holloway
Saloon Keeper
Posts: 23252
OK. I looked closer and I think part of your problem is that a ".p12" file is considered to be a "keystore", so the source keystore password would be the password you supplied when you created the .p12.

I did dust off portecle, though, and if anything, it's even better than I remembered. It has menu options for creating a keystore, creating a key pair, importing existing key pairs (like your .p12 file) and - most importantly - examining your keys and certs so you can easily see what format they are in and what's in them. You can also export. Basically about everything the keytool and openssl programs do relating to Java, and maybe even a little more.
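As an added example (not code from the thread or any of its posters), the same two password levels expressed with the java.security.KeyStore API: the PKCS12 export password opens the source .p12, the new JKS gets its own store password, and each copied key entry gets its own key password. File names and prompt texts are placeholders chosen for this example.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

public class P12ToJks {
    // Copies every entry of a PKCS12 "source keystore" into a new JKS "destination keystore".
    public static void convert(String p12Path, char[] p12Password, String jksPath,
                               char[] storePassword, char[] keyPassword)
            throws GeneralSecurityException, IOException {
        // Source: the .p12 is itself a keystore; its password is the export
        // password given when it was created (an empty array if Enter was pressed).
        KeyStore src = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) {
            src.load(in, p12Password);
        }
        // Destination: a fresh, empty JKS keystore.
        KeyStore dst = KeyStore.getInstance("JKS");
        dst.load(null, null);
        Enumeration<String> aliases = src.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (src.isKeyEntry(alias)) {
                // A PKCS12 written by openssl protects its key entry with the store password.
                Key key = src.getKey(alias, p12Password);
                Certificate[] chain = src.getCertificateChain(alias);
                // Password level 2: the key entry gets its own password in the JKS.
                dst.setKeyEntry(alias, key, keyPassword, chain);
            } else {
                dst.setCertificateEntry(alias, src.getCertificate(alias));
            }
        }
        // Password level 1: the store password guards the JKS file itself.
        try (FileOutputStream out = new FileOutputStream(jksPath)) {
            dst.store(out, storePassword);
        }
    }

    public static void main(String[] args) throws Exception {
        Console con = System.console();  // null when not started from a terminal
        convert(args[0], con.readPassword("Enter source keystore password: "), args[1],
                con.readPassword("Enter destination keystore password: "),
                con.readPassword("Enter key password: "));
    }
}
```

Many servers assume the key password equals the store password, so give both the same value unless the server lets you configure them separately; since Java 9 the same code also works with "PKCS12" as the destination type, which keytool now prefers over the proprietary JKS format.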
 
Ranch Hand
Posts: 51
@OP
The main issue here is: you try to do it without passphrases - but that's not how crypto is supposed to work - and hence it fails. If you don't want to deal with complicated passphrases, just use simple ones - but you have to at least provide one. You just can't do what you want to do without a valid passphrase. It's as simple as that.
If you want to use crypto, you have to do it the right (secure) way by using passphrases. If you don't like to deal with that, I recommend for your own safety: please don't do it at all and leave it to someone who knows that stuff - as what you try to do sounds to me like you're doing something important horribly wrong - that's how millions of customer records end up public on the internet, which we hear about almost daily.
Crypto isn't just "that fancy new kid in town" - it's something that has to be handled with care and has to be done correctly. Just trying to be lazy and going "without / with empty passphrases" doesn't get you far - as you see - as many tools are designed to just refuse them or require you to tinker around with stuff you really shouldn't.
If it's really that hard for you just to type "password" when you're asked for one, then please, for your own safety and the data you try to protect: just don't do it - at all.
 
Tim Holloway
Saloon Keeper
Posts: 23252
With all due respect to whomever awarded the preceding post a cow, no, it's not essential to have passphrases to use cryptography. If it was, many servers would require tedious manual intervention to start up.

But keystores are a case where passphrases should be used, because the passphrase guards against the unauthorized modification of the keystore database and entries in the database.

Your most secure passphrase isn't something with mixed-case, numbers and punctuation, studies have shown. You're more secure using a non-intuitive but easily-memorizable phrase like "thewildpumpkinrodeoffintothesunset".

Addendum: I should note that it's the length of the passphrase that makes it secure. Although for internal resources used frequently, checked often, I have been known to use more traditional-sized passwords.