Created a Certificate for Tomcat, trying to get it installed in new keystore, and getting error (Edit: ran it with -v option, now getting more info):
keytool error: java.io.IOException: keystore password was incorrectjava.io.IOException: keystore password was incorrect at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015) at java.security.KeyStore.load(KeyStore.java:1445) at sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:1894) at sun.security.tools.keytool.Main.doImportKeyStore(Main.java:1926) at sun.security.tools.keytool.Main.doCommands(Main.java:1021) at sun.security.tools.keytool.Main.run(Main.java:340) at sun.security.tools.keytool.Main.main(Main.java:333)Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.io.IOException: getSecretKey failed: Password is not ASCIISadly, it’s correct, the passphrase has two “®”. So, given what I’ve done (the private key has the non-ASCII password), how much of a pain will it be to recover from this?:
1: Create a passphrase file: vi .kp2: Make CSR:A: Generate a 2048 bit private key:openssl genpkey -algorithm RSA -outform PEM -out mike.privateKey.pass.pem -pkeyopt rsa_keygen_bits:2048 -pass file:.kpB: Make the CSR:openssl req -new -sha256 -key mike.privateKey.pass.pem -out mike.ike.com.cert.csrNote: CSR has different "challenge password" than in the passphrase file, if that matters3: Submit CSR to Comodo4: Get certificate file mike_ike_com.cer & Comodo trust chain files: COMODORSAOrganizationValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, AddTrustExternalCARoot.crt5: Convert the Certificates:A: Convert to PEM:openssl x509 -inform DER -in COMODORSAOrganizationValidationSecureServerCA.crt -out COMODORSAOrganizationValidationSecureServerCA.pem -outform PEMopenssl x509 -inform DER -in COMODORSAAddTrustCA.crt -out COMODORSAAddTrustCA.pem -outform PEMopenssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem -outform PEMB: Concat into a single file:cat COMODORSAOrganizationValidationSecureServerCA.pem COMODORSAAddTrustCA.pem AddTrustExternalCARoot.pem > Comodo.root.crt C: Use openssl to create a pkcs12 file:openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kp -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt Note: when it asks "Enter Export Password" I give it the pw from .kp6: Use keytool to create the keystore file:$JAVA_HOME/bin/keytool -importkeystore -deststorepass:file .kp -destkeypass:file .kp -destkeystore .keystore -srckeystore mike_ike.p12 -srcstoretype PKCS12 -srcstorepass:file .kp -alias tomcatThe file “.keystore” does not exist. I am assuming that keytool will create it
Advertisement
Answer
Ok, so I have an answer.
1: I had a non-ASCII character in the password. openssl can handle that, keypass can’t.
2: Having created the private key with the non-ASCII password, I’m stuck with it, so I renamed that file .kpkey, and created a new .kp file with a pure ASCII password
3: This required a change to 5:C:
openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kpkey -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt Note: when it asks “Enter Export Password” I give it the pw from .kp, NOT from .kpkey . The only change is -passin file:.kpkey
Everything else remains the same, and works