Forum:

GNU/Linux

getting keytool error when trying to generate a JKS file

Ranch Hand

Posts: 242

posted 2 months ago

Number of slices to send:

Optional 'thank-you' note:

Send

I am trying to create a JKS file from existing private key and certificate and currently following the steps mentioned in this documentation ( http://xacmlinfo.org/2014/06/13/how-to-keystore-creating-jks-file-from-existing-private-key-and-certificate/).

I was able to generate PKCS12 file using the private key (which is `myrhelserver_cpy_dot_com.key `) and CA signed certificate (which is `CertificateBundle1.pem`) as shown below:

I pressed `Enter` key when it asked me to `Enter Export Password` and `Verifying – Enter Export Password`. After this I saw `activemq_p_keystore.p12` generated inside the directory as shown in the `ls` command below.

Here is my actual command :

It’s asking for so many passwords as you can see above. So I did the following:

For `Enter destination keystore password:` and `Re-enter new password:` I entered nothing and pressed `Enter` key. It then asked me for `Enter destination keystore password:` and then `Re-enter new password:` and `Enter source keystore password:`
“. I was lost after this.

What am I doing wrong here? Should I be creating new password at any of the steps above?

Tim Holloway

Saloon Keeper

Posts: 23441

159

I like...

posted 2 months ago

Number of slices to send:

Optional 'thank-you' note:

Send

Keytool operates on 2 password levels. One is for the keystore database itself and one is for the key entry. That's probably what's confusing you. Each key entry has its own password.

There's a GUI app called portacle that I have found invaluable for working with keystores. It not only allows you to do maintenance on keystores, you can also do imports, exports, and keytype conversions.

Incidentally, keystore databases are self-contained, so you can easily do offline maintenance and copy them to their proper home. Or create and destroy test keystores until you have what you want. I find this especially useful since my production servers don't run a GUI desktop, so I can use portacle locally and then copy the properly-configured keystore to its production home.

Some people, when well-known sources tell them that fire will burn them, don't put their hands in the fire.

Some people, being skeptical, will put their hands in the fire, get burned, and learn not to put their hands in the fire.

And some people, believing that they know better than well-known sources, will claim it's a lie, put their hands in the fire, and continue to scream it's a lie even as their hands burn down to charred stumps.

Jack Tauson

Ranch Hand

Posts: 242

posted 2 months ago

Number of slices to send:

Optional 'thank-you' note:

Send

Tim Holloway wrote:Keytool operates on 2 password levels. One is for the keystore database itself and one is for the key entry. That's probably what's confusing you. Each key entry has its own password.

There's a GUI app called portacle that I have found invaluable for working with keystores. It not only allows you to do maintenance on keystores, you can also do imports, exports, and keytype conversions.

Incidentally, keystore databases are self-contained, so you can easily do offline maintenance and copy them to their proper home. Or create and destroy test keystores until you have what you want. I find this especially useful since my production servers don't run a GUI desktop, so I can use portacle locally and then copy the properly-configured keystore to its production home.

Thanks. I was thinking of the following :

To make my activemq_p_keystore.p12 file contain password as explained in the following documentation.

https://blog.jdriven.com/2015/10/keystore-without-a-password/

However, I am still confused what would would I enter when it asks for :

1) Enter destination keystore password:
and
2)Enter source keystore password:

Tim Holloway

Saloon Keeper

Posts: 23441

159

I like...

posted 2 months ago

Number of slices to send:

Optional 'thank-you' note:

Send

That link sounds like it's exploiting a bug in keytool, actually. Keeping a keystore database without a database password is a serious security risk.

You are telling key tool to import all the entries in one keystore into another keystore. That means that you're going to have to provide the password for the keystore you're importing from (source keystore) to be allowed to read it and the password for the keystore you're importing into (destination keystore) to be allowed to write to it.

If you were thinking that -importkeystore was supposed to import a single key, you were mistaken. This is the import for every key in a keystore database.

Tim Holloway

Saloon Keeper

Posts: 23441

159

I like...

posted 2 months ago

Number of slices to send:

Optional 'thank-you' note:

Send

Also: http://portecle.sourceforge.net/

This tool really does make it easier to work with keys and keystores. Sorry I misspelled it. "portacle" is a LISP development system unrelated to Java or keystores. You want portecle with an "e", not an "a".

Jack Tauson

Ranch Hand

Posts: 242

posted 2 months ago

Number of slices to send:

Optional 'thank-you' note:

Send

Tim Holloway wrote:Also: http://portecle.sourceforge.net/

This tool really does make it easier to work with keys and keystores. Sorry I misspelled it. "portacle" is a LISP development system unrelated to Java or keystores. You want portecle with an "e", not an "a".

Thanks. I figured that it was a spelling mistake. So, in my context, what steps I should follow to avoid the error I am getting?

Tim Holloway

Saloon Keeper

Posts: 23441

159

I like...

posted 2 months ago

Number of slices to send:

Optional 'thank-you' note:

Send

OK. I looked closer and I think part of your problem is that a ".p12" file is considered to be a "keystore", so the source keystore password would be the password you supplied when you created the .p12.

I did dust off portecle, though, and if anything, it's even better than I remembered. It has menu options for creating a keystore, creating a key pair, importing existing key pairs (like your .p12 file) and - most importantly - examining your keys and certs so you can easily see what format they are in and what's in them. You can also export. Basically about everything the keytool and openssl programs do relating to Java, and maybe even a little more.

Matthew Bendford

Ranch Hand

Posts: 66

posted 2 months ago

Number of slices to send:

Optional 'thank-you' note:

Send

@OP
The main issue here is: You try to do it without passphrases - but that's not how crypto is supposed to work - and hence fails. If you don't want to deal with complicated passphrases just use simple ones - but you have to at least provide one. You just can't do what you want to do without a valid passphrase. It's as simple as that.
If you want to use crypto - you have to do it the right (secure) way by using passphrases. If you don't like to deal with that I recommend for your own safety: please don't do it at all and let it to someone know that stuff - as what you try to do sounds to me like you're doing something important horrible wrong - that's how millions of customer records end up public on the internet we hear almost daily about.
Crypto isn't just "that fancy new kid in town" - it's something that has to be handled with care and has to be done correctly. Just try to be lazy and go "without / with empty passphrases" doesn't get you far - as you see - as many tools are designed to just refuse them or require you to tinker around with stuff you really shouldn't.
If it's really that hard for you just to type "password" when you're ask for one - then please, for your own safety and the date you try to protect: just don't do it - at all.

Tim Holloway

Saloon Keeper

Posts: 23441

159

I like...

posted 2 months ago

Number of slices to send:

Optional 'thank-you' note:

Send

With all due respect to whomever awarded the preceeding post a cow, no, it's not essential to have passphrases to use cryptography. If it was, many servers would require tedious manual intervention to start up.

But keystores are a case where passphrases should be used, because the passphrase guards against the unauthorized modification of the keystore database and entries in the database.

Your most secure passphrase isn't something with mixed-case, numbers and punctuation, studies have shown. You're more secure using a non-intuitive but easily-memorizable phrase like "thewildpumpkinrodeoffintothesunset".

Addendum: I should note that it's the length of the passphrase that makes it secure. Although for internal resources used frequently, checked often, I have been known to use more traditional-sized passwords.

and POOF! You're gone! But look, this tiny ad is still here:

SKIP - a book about connecting industrious people with elderly land owners

https://coderanch.com/t/skip-book