1

I have a PEM bundle generated by HashiCorp Vault that looks like the following:

client.pem

-----BEGIN RSA PRIVATE KEY-----
<<contents>>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<<contents>>
-----END CERTIFICATE-----

What I'm trying to achieve is to export the PEM format to PKCS12 in order to properly import it to the Java keystore.

To do so I'm performing the following steps:

  1. Export my PEM bundle to PKCS12:

         openssl pkcs12 -export -name client -inkey client.pem -in client.pem -out client.p12 -nodes -passout pass:123456

  2. Import the PKCS12 client.p12 into the keystore:

         keytool -importkeystore -destkeystore client-keystore.jks -srckeystore client.p12 -deststorepass 123456 -srcstoretype PKCS12 -srcstorepass 123456

At this point, no matter how many combinations of export/import I try out, I always get the same error when importing it into the keystore:

Importing keystore client.p12 to client-keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect

Any idea what password it is asking me for, or what I'm doing wrong? Thanks!

ifervi
  • If you're really using `123456` it should work and does for me, but of course that is insecure. If you're using a more secure password, especially if it contains special or non-ASCII chars, it may fail depending on such things as your OS environment, shell or command processor, and locale or language settings. BTW on `openssl pkcs12 -export` adding `-nodes` is ignored, has no effect, and is useless, and when you have both key and certs in one file you don't need `-inkey` only `-in` _or_ redirected stdin. ... – dave_thompson_085 Apr 15 '21 at 03:20
  • ... Also for Java 8u60 up `keytool` can read PKCS12 without specifying `-[src]storetype` -- and for j9 up if the output file is new by default it is created as PKCS12 not JKS so your second step is useless. – dave_thompson_085 Apr 15 '21 at 03:21
  • Hi @dave_thompson_085, thanks for the heads-up. For now I'm just testing an integration and therefore the password isn't a concern, so I'm just using 123456. Managed to solve the issue; it wasn't related to the password after all. I shed light on the issue by providing the `-v` flag to the import command: the client certificate subject field was missing and that's why the import was failing. – ifervi Apr 15 '21 at 11:08

1 Answer

1

In the end it wasn't related to the password after all. I shed light on the underlying error by providing the -v flag to the import command: the client certificate subject field was missing and that's why the import was failing. Issuing a certificate to Vault with the subject field properly set solved the issue.

ifervi
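The checks discussed in this thread, as an added example that is not code from the question or the answer: it splits a Vault-style bundle into its PEM blocks, verifies that every certificate carries a non-empty subject before the PKCS12 export (the actual failure cause found above), and then runs the export and the `-v` import without the unneeded `-inkey`/`-nodes` noted in the comments. The bundle text, the alias `client` and the function names are constructed for the example.

```shell
# Added example, not from the original post: pre-flight checks for a Vault PEM
# bundle (key first, then certificates) before the pkcs12 export and keytool import.

# Constructed stand-in for the bundle in the question; real Vault output carries
# base64 bodies instead of the placeholder lines.
SAMPLE_BUNDLE='-----BEGIN RSA PRIVATE KEY-----
<<key>>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<<leaf>>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<<issuer>>
-----END CERTIFICATE-----'

# Count PEM blocks of one type ($2, e.g. CERTIFICATE) in bundle text $1.
count_pem_blocks() {
  printf '%s\n' "$1" | grep -c "^-----BEGIN $2-----" || true
}

# Print the Nth certificate block (1-based, $2) of bundle file $1.
nth_cert() {
  awk -v n="$2" '/^-----BEGIN CERTIFICATE-----/ { c++ }
                 c == n { print }
                 /^-----END CERTIFICATE-----/ { if (c == n) exit }' "$1"
}

# Fail if any certificate in bundle file $1 has an empty subject: that, not the
# password, is what broke the import in the question. Needs openssl.
check_cert_subjects() {
  total=$(count_pem_blocks "$(cat "$1")" CERTIFICATE); i=1; rc=0
  while [ "$i" -le "$total" ]; do
    subj=$(nth_cert "$1" "$i" | openssl x509 -noout -subject | sed 's/^subject= *//')
    [ -n "$subj" ] || { echo "certificate $i has an empty subject" >&2; rc=1; }
    i=$((i + 1))
  done
  return $rc
}

# Convert bundle $1 to PKCS12 and import it with -v so keytool reports the real
# cause on failure. -inkey and -nodes are unnecessary: key and certs share -in.
pem_to_jks() {  # $1 bundle file, $2 alias, $3 password
  check_cert_subjects "$1" || return 1
  openssl pkcs12 -export -name "$2" -in "$1" -out "$2.p12" -passout "pass:$3" &&
  keytool -importkeystore -v -srckeystore "$2.p12" -srcstoretype PKCS12 \
    -srcstorepass "$3" -destkeystore "$2-keystore.jks" -deststorepass "$3"
}

if [ $# -eq 3 ]; then pem_to_jks "$1" "$2" "$3"; fi  # e.g. client.pem client 123456
```

The subject check and the conversion need `openssl` and `keytool` on the PATH; the block splitting works with plain `awk`/`grep`.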