How to convert the PKCS12 openssl keystore to JKS keytstore with Java Keytool

0 投票
最新提问 用户: (120 分)

Step i make key:

  1. Create a Private Key

    openssl genrsa -des3 -out client.key 2048
    
  2. Generate a Self-Signed Certificate

    openssl req -key client.key -new -x509 -days 365 -out client.crt -subj "/C=xxx/ST=yyy/L=zzz/O=aaa/CN=localhost"
    
  3. Convert PEM to PKCS12

    openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12
    
  4. Convert the PKCS12 openssl keystore to JKS keytstore with Java Keytool

    keytool -importkeystore -destkeystore client_keystore.jks -deststoretype jks -deststorepass 1234567abc -srckeystore client.p12 -srcstoretype pkcs12 -srcstorepass 1234567abc
    

I got error:

keytool error: java.io.IOException: failed to decrypt safe contents entry:
javax.crypto.BadPaddingException: Given final block not properly padded

How to fix it, where was i wrong?

2 个回答

0 投票
最新回答 用户: (5.6k 分)
 -srcstorepass 1234567abc

You didn't specify a password when you created the PKCS#12 file. Where did you get this from?

You can do the entire process with the keytool -genkey option as a one-liner.

发表于 用户: (120 分)
At step one: i created PKCS#12 file with password 1234567abc when command line required input
发表于 用户: (120 分)
i can use keytool to create PKCS12 key file, but i can not create certificate, truststore from that file, can you post command line to create that file??
发表于 用户: (5.6k 分)
(a) -genkey creates both a key pair and a certificate. (b) You can use keytool to create a JKS file directly. There is no need to use PKCS#12 at all. (c) You can export the certficate from the keystore with keytool, and import it into a truststore.
发表于 用户: (120 分)
Thanks for your response, But i want to create certificate, truststore from PKCS12, can you give me cmd for that???
发表于 用户: (5.6k 分)
Why from PKCS#12? NB Step 1 doesn't create a PKCS#12 file. Step 3 does that.
0 投票
最新回答 用户: (140 分)

One problem is that not all PCKS12 providers are exactly 100% compatible. I experienced the same error, and I was able to fix it by changing srcstoretype from 'PKCS12' to 'BCPKCS12'

This may help: https://cryptosense.com/bouncycastle-keystore-security/

欢迎来到 Security Q&A ,有什么不懂的可以尽管在这里提问,你将会收到社区其他成员的回答。
...