Created a Certificate for Tomcat, trying to get it installed in new keystore, and getting error (Edit: ran it with -v option, now getting more info): Sadly, it's correct, the passphrase has two "®". So, given what I've done (the private key has the non-ASCII password), how much of a pain will it be to recover from this?: The file

keytool error: java.io.IOException: keystore password was incorrect

Created a Certificate for Tomcat, trying to get it installed in new keystore, and getting error (Edit: ran it with -v option, now getting more info):

keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:1894)
    at sun.security.tools.keytool.Main.doImportKeyStore(Main.java:1926)
    at sun.security.tools.keytool.Main.doCommands(Main.java:1021)
    at sun.security.tools.keytool.Main.run(Main.java:340)
    at sun.security.tools.keytool.Main.main(Main.java:333)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.io.IOException: getSecretKey failed: Password is not ASCII

Sadly, it’s correct, the passphrase has two “®”. So, given what I’ve done (the private key has the non-ASCII password), how much of a pain will it be to recover from this?:

1: Create a passphrase file: vi .kp
2: Make CSR:
A: Generate a 2048 bit private key:
openssl genpkey -algorithm RSA -outform PEM -out mike.privateKey.pass.pem -pkeyopt rsa_keygen_bits:2048 -pass file:.kp
B: Make the CSR:
openssl req -new -sha256 -key mike.privateKey.pass.pem -out mike.ike.com.cert.csr
Note: CSR has different "challenge password" than in the passphrase file, if that matters
3: Submit CSR to Comodo
4: Get certificate file mike_ike_com.cer & Comodo trust chain files: COMODORSAOrganizationValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, AddTrustExternalCARoot.crt
5: Convert the Certificates:
A: Convert to PEM:
openssl x509 -inform DER -in COMODORSAOrganizationValidationSecureServerCA.crt -out COMODORSAOrganizationValidationSecureServerCA.pem -outform PEM
openssl x509 -inform DER -in COMODORSAAddTrustCA.crt -out COMODORSAAddTrustCA.pem -outform PEM
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem -outform PEM
B: Concat into a single file:
cat COMODORSAOrganizationValidationSecureServerCA.pem COMODORSAAddTrustCA.pem AddTrustExternalCARoot.pem > Comodo.root.crt 
C: Use openssl to create a pkcs12 file:
openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kp -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt 
Note: when it asks "Enter Export Password" I give it the pw from .kp
6: Use keytool to create the keystore file:
$JAVA_HOME/bin/keytool -importkeystore -deststorepass:file .kp -destkeypass:file .kp -destkeystore .keystore -srckeystore mike_ike.p12 -srcstoretype PKCS12 -srcstorepass:file .kp -alias tomcat

The file “.keystore” does not exist. I am assuming that keytool will create it

Answer

Ok, so I have an answer.

1: I had a non-ASCII character in the password. openssl can handle that, keypass can’t.

2: Having created the private key with the non-ASCII password, I’m stuck with it, so I renamed that file .kpkey, and created a new .kp file with a pure ASCII password

3: This required a change to 5:C:

openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kpkey -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt

Note: when it asks “Enter Export Password” I give it the pw from .kp, NOT from .kpkey . The only change is -passin file:.kpkey

Everything else remains the same, and works

Advertisement

Answer