getting keytool error when trying to generate a JKS file

I am trying to create a JKS file from existing private key and certificate and currently following the steps mentioned in this documentation ( http://xacmlinfo.org/2014/06/13/how-to-keystore-creating-jks-file-from-existing-private-key-and-certificate/).

I was able to generate PKCS12 file using the private key (which is `myrhelserver_cpy_dot_com.key `) and CA signed certificate (which is `CertificateBundle1.pem`) as shown below:


  [tan@myrhelserver cert_related]$ openssl pkcs12 -export -in CertificateBundle1.pem -inkey myrhelserver_cpy_dot_com.key -certfile CertificateBundle1.pem -out activemq_p_keystore.p12    Enter Export Password:    Verifying - Enter Export Password:

I pressed `Enter` key when it asked me to `Enter Export Password` and `Verifying – Enter Export Password`. After this I saw `activemq_p_keystore.p12` generated inside the directory as shown in the `ls` command below.


   [tan@myrhelserver cert_related]$ ls    activemq_p_keystore.p12   CertificateBundle1.pem  myrhelserver_cpy_dot_com.key   After this I ran the `keytool` command as mentioned in the Step 2 of the documentation - which is asking me to generate the JKS file in the following manner:    keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS

Here is my actual command :

   [tan@myrhelserver cert_related]$ keytool -importkeystore -srckeystore activemq_p_keystore.p12 -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS    Importing keystore activemq_p_keystore.p12 to wso2carbon.jks...    Enter destination keystore password:    Re-enter new password:    They don't match. Try again    Enter destination keystore password:    Re-enter new password:    Enter source keystore password:        *****************  WARNING WARNING WARNING  *****************    * The integrity of the information stored in the srckeystore*    * has NOT been verified!  In order to verify its integrity, *    * you must provide the srckeystore password.                *    *****************  WARNING WARNING WARNING  *****************        keytool error: java.lang.NullPointerException: invalid null input

It’s asking for so many passwords as you can see above. So I did the following:

For `Enter destination keystore password:` and `Re-enter new password:` I entered nothing and pressed `Enter` key. It then asked me for `Enter destination keystore password:` and then `Re-enter new password:` and `Enter source keystore password:`
“. I was lost after this.

What am I doing wrong here? Should I be creating new password at any of the steps above?


 

Keytool operates on 2 password levels. One is for the keystore database itself and one is for the key entry. That's probably what's confusing you. Each key entry has its own password.

There's a GUI app called portacle that I have found invaluable for working with keystores. It not only allows you to do maintenance on keystores, you can also do imports, exports, and keytype conversions.

Incidentally, keystore databases are self-contained, so you can easily do offline maintenance and copy them to their proper home. Or create and destroy test keystores until you have what you want. I find this especially useful since my production servers don't run a GUI desktop, so I can use portacle locally and then copy the properly-configured keystore to its production home.

Tim Holloway wrote:Keytool operates on 2 password levels. One is for the keystore database itself and one is for the key entry. That's probably what's confusing you. Each key entry has its own password.

There's a GUI app called portacle that I have found invaluable for working with keystores. It not only allows you to do maintenance on keystores, you can also do imports, exports, and keytype conversions.

Incidentally, keystore databases are self-contained, so you can easily do offline maintenance and copy them to their proper home. Or create and destroy test keystores until you have what you want. I find this especially useful since my production servers don't run a GUI desktop, so I can use portacle locally and then copy the properly-configured keystore to its production home.

Thanks. I was thinking of the following :

To make my activemq_p_keystore.p12 file contain password as explained in the following documentation.

https://blog.jdriven.com/2015/10/keystore-without-a-password/

However, I am still confused what would would I enter when it asks for :

1) Enter destination keystore password:
and
2)Enter source keystore password:

That link sounds like it's exploiting a bug in keytool, actually. Keeping a keystore database without a database password is a serious security risk.

You are telling key tool to import all the entries in one keystore into another keystore. That means that you're going to have to provide the password for the keystore you're importing from (source keystore) to be allowed to read it and the password for the keystore you're importing into (destination keystore) to be allowed to write to it.

If you were thinking that -importkeystore was supposed to import a single key, you were mistaken. This is the import for every key in a keystore database.

Also: http://portecle.sourceforge.net/

This tool really does make it easier to work with keys and keystores. Sorry I misspelled it. "portacle" is a LISP development system unrelated to Java or keystores. You want portecle with an "e", not an "a".

Tim Holloway wrote:Also: http://portecle.sourceforge.net/

This tool really does make it easier to work with keys and keystores. Sorry I misspelled it. "portacle" is a LISP development system unrelated to Java or keystores. You want portecle with an "e", not an "a".

Thanks. I figured that it was a spelling mistake. So, in my context, what steps I should follow to avoid the error I am getting?

OK. I looked closer and I think part of your problem is that a ".p12" file is considered to be a "keystore", so the source keystore password would be the password you supplied when you created the .p12.

I did dust off portecle, though, and if anything, it's even better than I remembered. It has menu options for creating a keystore, creating a key pair, importing existing key pairs (like your .p12 file) and - most importantly - examining your keys and certs so you can easily see what format they are in and what's in them. You can also export. Basically about everything the keytool and openssl programs do relating to Java, and maybe even a little more.

@OP
The main issue here is: You try to do it without passphrases - but that's not how crypto is supposed to work - and hence fails. If you don't want to deal with complicated passphrases just use simple ones - but you have to at least provide one. You just can't do what you want to do without a valid passphrase. It's as simple as that.
If you want to use crypto - you have to do it the right (secure) way by using passphrases. If you don't like to deal with that I recommend for your own safety: please don't do it at all and let it to someone know that stuff - as what you try to do sounds to me like you're doing something important horrible wrong - that's how millions of customer records end up public on the internet we hear almost daily about.
Crypto isn't just "that fancy new kid in town" - it's something that has to be handled with care and has to be done correctly. Just try to be lazy and go "without / with empty passphrases" doesn't get you far - as you see - as many tools are designed to just refuse them or require you to tinker around with stuff you really shouldn't.
If it's really that hard for you just to type "password" when you're ask for one - then please, for your own safety and the date you try to protect: just don't do it - at all.

With all due respect to whomever awarded the preceeding post a cow, no, it's not essential to have passphrases to use cryptography. If it was, many servers would require tedious manual intervention to start up.

But keystores are a case where passphrases should be used, because the passphrase guards against the unauthorized modification of the keystore database and entries in the database.

Your most secure passphrase isn't something with mixed-case, numbers and punctuation, studies have shown. You're more secure using a non-intuitive but easily-memorizable phrase like "thewildpumpkinrodeoffintothesunset".

Addendum: I should note that it's the length of the passphrase that makes it secure. Although for internal resources used frequently, checked often, I have been known to use more traditional-sized passwords.