
I am trying to get the aliases from a pfx/p12 file using

keytool -v -list -storetype pkcs12 -keystore servercert.p12 -storepass 1234

which gives me

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: 1
Creation date: Jul 4, 2017
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=CSIT CA, O="CSIT CA,Ltd.", L=Dhaka, ST=Dhaka, C=BD
Issuer: EMAILADDRESS=csit@csit.com, CN=CSIT CA, OU=Software Department, O=CSIT CA, L=Dhaka, ST=Dhaka, C=BD
Serial number: 1
Valid from: Tue Jul 04 15:41:40 BDT 2017 until: Mon Mar 30 15:41:40 BDT 2020
Certificate fingerprints:
     MD5:  5C:CC:77:17:6C:91:FC:81:58:5A:D4:B0:FE:D8:B9:A8
     SHA1: 9A:34:32:64:29:BF:0B:7E:4F:63:1B:27:99:54:41:0F:9D:55:CF:C8
     SHA256: 27:01:BE:9D:F6:0E:38:35:AE:9C:07:B9:64:AB:76:50:06:D3:5D:8E:25:C4:59:87:D0:E9:A1:5A:96:41:D7:70
     Signature algorithm name: SHA256withRSA
     Version: 3

Extensions:
#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 1D 4F 70 65 6E 53 53   4C 20 47 65 6E 65 72 61  ..OpenSSL Genera
0010: 74 65 64 20 43 65 72 74   69 66 69 63 61 74 65     ted Certificate

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 32 0F 04 D5 F6 1B 84 E5   87 EB 64 70 C7 D8 F2 5F  2.........dp..._
0010: FA 92 4D 57                                        ..MW
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: example.com
  DNSName: www.example.com
  DNSName: mail.example.com
  DNSName: ftp.example.com
]

#6: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1C 59 74 4B 59 3B 1D 76   99 C2 10 4D 09 12 94 BB  .YtKY;.v...M....
0010: 20 95 2C 21                                         .,!
]
]



*******************************************
*******************************************

The alias is "1" here.

However, I also tried using Java:

import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.util.Enumeration;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// The "BC" provider must be registered before it can be requested by name
Security.addProvider(new BouncyCastleProvider());
KeyStore keystore = KeyStore.getInstance("PKCS12", "BC");
InputStream input = PdfSigner.class.getResourceAsStream(KEYSTORE_LOCATION);
keystore.load(input, PASSWORD.toCharArray());
System.out.println(keystore.size());
Enumeration<String> s = keystore.aliases();
while (s.hasMoreElements()) {
    System.out.println("alias:" + s.nextElement());
}

which gives me

1
alias:326bbd5c3d1ad4c6013ee70938d2c76b3c7a29d0

This shows a mismatch in the alias.

Note: I generate my certificate using this

Q1: Why is there a mismatch?

Q2: If there is a mismatch, how can my client provide me with a pfx/p12 file, alias and password, which will be used to sign PDFs on the fly?

jww
Tanmoy Mandal
  • Where did you see "1" in the keytool result? How have you imported the certificate into the .p12? You can assign an alias at that moment, or change it now. Seems alias is void and bouncycastle keystore is printing the hash (SHA256) in HEX format – pedrofb Jul 04 '17 at 11:09
  • @pedrofb sorry my bad the output was not complete. Please check now. – Tanmoy Mandal Jul 04 '17 at 11:44
  • Alias is a friendly name but it is optional. Maybe each tool is using a different way to calculate it if it is not set. When you exported .p12 file, what "name" did you set to alias? For example using `openssl pkcs12 -export -in my-cert.crt -inkey my-priv-key.key -certfile my-ca-bundle -out my-pfx.pfx -name "alias"` – pedrofb Jul 04 '17 at 12:20
  • @pedrofb Thanks. – Tanmoy Mandal Jul 04 '17 at 12:25
  • Ok, happy to help! I posted a summary as answer – pedrofb Jul 04 '17 at 13:10

1 Answer

Alias is a friendly name but it is optional. Maybe each tool is using a different way to calculate it if it is not set. When you exported .p12 file, check the "name" that you set to alias.

For example using

 openssl pkcs12 -export -in my-cert.crt -inkey my-priv-key.key -certfile my-ca-bundle -out my-pfx.pfx -name "alias"
pedrofb
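A worked Java example, added here and not part of the question or of pedrofb's answer, for Q2 above and for the answer's point that the alias is optional: it loads a PKCS#12 file with the JDK's own PKCS12 provider (no BouncyCastle needed), selects the private-key entry by entry type rather than by alias, and re-stores it under an explicit alias so that keytool and Java then report the same name. The output path and the alias string "signing-key" are assumptions for the example; "servercert.p12" and "1234" are the values from the question.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not from the question or the answer): locate the private-key
 * entry of a PKCS#12 file without relying on its alias, then re-save it under
 * an alias we choose so every tool reports the same name.
 */
public class Pkcs12AliasFix {

    /** All aliases the JDK PKCS12 provider derives for this file. */
    static List<String> listAliases(KeyStore ks) throws Exception {
        return Collections.list(ks.aliases());
    }

    /**
     * Returns the alias of the single PrivateKeyEntry. A signing service must
     * not guess: no key entry or more than one is an error, not a choice.
     */
    static String findPrivateKeyAlias(KeyStore ks) throws Exception {
        String found = null;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) {
                if (found != null) {
                    throw new IllegalStateException(
                        "more than one PrivateKeyEntry: " + found + ", " + alias);
                }
                found = alias;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no PrivateKeyEntry in keystore");
        }
        return found;
    }

    /** Loads a PKCS#12 file; PKCS#12 from openssl uses one password for store and key. */
    static KeyStore loadPkcs12(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream is = new FileInputStream(path)) {
            ks.load(is, password);
        }
        return ks;
    }

    /** Copies the key and its chain into a new PKCS#12 under an explicit alias. */
    static void rewriteWithAlias(String inPath, String outPath,
                                 char[] password, String newAlias) throws Exception {
        KeyStore in = loadPkcs12(inPath, password);
        String oldAlias = findPrivateKeyAlias(in);
        PrivateKey key = (PrivateKey) in.getKey(oldAlias, password);
        Certificate[] chain = in.getCertificateChain(oldAlias);

        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null); // load(null, null) initialises an empty keystore
        out.setKeyEntry(newAlias, key, password, chain);
        try (OutputStream os = new FileOutputStream(outPath)) {
            out.store(os, password);
        }
    }

    public static void main(String[] args) throws Exception {
        // Inputs from the question; the output path is a hypothetical name.
        String inPath = args.length > 0 ? args[0] : "servercert.p12";
        char[] password = (args.length > 1 ? args[1] : "1234").toCharArray();
        String outPath = "servercert-aliased.p12";

        KeyStore ks = loadPkcs12(inPath, password);
        System.out.println("aliases as loaded:     " + listAliases(ks));
        System.out.println("private key entry:     " + findPrivateKeyAlias(ks));

        rewriteWithAlias(inPath, outPath, password, "signing-key");
        KeyStore check = loadPkcs12(outPath, password);
        System.out.println("aliases after rewrite: " + listAliases(check));
    }
}
```

Because the PKCS#12 friendlyName is optional and each provider invents its own substitute when it is absent, a signing service should not depend on the client supplying an alias at all: take the file and password, pick the entry whose type is PrivateKeyEntry, and refuse the file if there is none or more than one. After the rewrite, `keytool -list -storetype pkcs12 -keystore servercert-aliased.p12` shows "signing-key" as the alias, the same name the Java code prints.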