I am trying to generate a keystore using keytool and am getting the error below:

D:\Java\bin>keytool -importkeystore -srckeystore cert1.p12 -srcstoretype pkcs12 -destkeystore cert1.keystore -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
keytool error: java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
  • Dupe https://stackoverflow.com/questions/51883324/why-can-encryptedprivatekeyinfo-not-read-my-pkcs8-encrypted-private-key-in-java https://stackoverflow.com/questions/67766268/ioexception-in-java-8-when-reading-pkcs12-keystore-created-with-keytool-from-ope https://stackoverflow.com/questions/69800951/java-kafka-client-pem-cert-key-invalidconfigurationexception-java-io-ioexcepti https://stackoverflow.com/questions/68829204/java-keystore-compatibility-java-8-11 https://stackoverflow.com/questions/68355241/java-load-encrypted-private-key – dave_thompson_085 Dec 06 '21 at 13:32
  • In short: your PKCS12 uses a PBES2 cipher and Java versions below 8u301 or 11.0.1 don't correctly handle PBES2. Either use a newer version of Java, or (re)create the PKCS12 so that it doesn't use PBES2. – dave_thompson_085 Dec 06 '21 at 13:33
  • When exporting the certificate with openssl, adding the -legacy parameter helps. – Klaws Jun 06 '22 at 07:21
  • @dave_thompson_085 How do you create the PKCS12 so that it doesn't use the PBES2 cipher? The project that I am working on unfortunately requires the use of an older Java 8. Thanks – Travis Whitten Aug 03 '22 at 20:32
  • @TravisWhitten: if you are creating with OpenSSL 3.0.x `openssl pkcs12 -export ...` then add `-legacy` as Klaws said; if you are creating with something else it depends what that something is and maybe how you use it, e.g. options or environment. If you can't change the creation, you can _re-create_ it (read the unusable version and write back a usable version) (perhaps on a different system if necessary) with OpenSSL or (reasonably recent) Windows, or maybe other things. – dave_thompson_085 Aug 04 '22 at 03:47
  • I met the same error today. In my case, I used the same command (as I did 2 years ago) to generate a new CSR, then sign it, then export to p12, then import into the keystore, and finally the exception happened. I thought at first it was an incorrect password. My environment is the latest OpenSSL v3.0.7 with Java 1.8; after I saw @dave_thompson_085's suggestion, I switched to OpenSSL v1.1.1 (download here https://slproweb.com/products/Win32OpenSSL.html) and retried, and it works for me now. Thanks! – Wayne Mao Jan 13 '23 at 02:48

3 Answers

As @Klaws and @dave_thompson_085 suggested in the comments above, add the -legacy parameter to the openssl pkcs12 command:

openssl pkcs12 -inkey cert1.private.key -in cert1.public.crt -export -out cert1.p12 -legacy
keytool -importkeystore -srckeystore cert1.p12 -srcstoretype pkcs12 -destkeystore cert1.keystore -deststoretype JKS
Peter Zaitcev
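Before running keytool, or after re-exporting the file as above, it is worth confirming the diagnosis from the comments (that the .p12 really uses PBES2) rather than guessing at passwords. The script below is an added example, not code from the thread, from OpenSSL or from keytool: it walks the DER of a PKCS#12 file with only the Python standard library and reports the password-based encryption OIDs it finds. The two inputs it checks are constructed skeletons built inline (one shaped like an OpenSSL 3 default export with PBES2, one shaped like a `-legacy` or OpenSSL 1.1 export with pbeWithSHA1And3-KeyTripleDES-CBC); they are not real exports, and the PBKDF2 parameters are simplified (no PRF field). On a real file, `openssl pkcs12 -in cert1.p12 -info -noout` prints the same schemes. On OpenSSL 3 you can also pick the PKCS#12 schemes explicitly with `-keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES` on the export, which does not need the legacy provider that `-legacy` loads.

```python
"""Report which password-based encryption schemes a PKCS#12 file uses.

Added example, not code from the Stack Overflow thread. It walks the DER of a
.p12/.pfx file, descending into the OCTET STRING payloads in which PKCS#12
nests its AuthenticatedSafe and SafeContents, and collects every OID it sees.
A file that uses PBES2 (OID 1.2.840.113549.1.5.13) is the case the thread
describes: keytool on Java 8 before 8u301 or Java 11 before 11.0.1 rejects it
with "parseAlgParameters failed: ... data isn't an object ID (tag = 48)".
"""
import sys

PBES2 = "1.2.840.113549.1.5.13"
PBKDF2 = "1.2.840.113549.1.5.12"
AES256_CBC = "2.16.840.1.101.3.4.1.42"
OID_DATA = "1.2.840.113549.1.7.1"
OID_ENCRYPTED_DATA = "1.2.840.113549.1.7.6"
# PKCS#12 PBE schemes (RFC 7292 appendix C): the ones old keytool handles.
PKCS12_PBE = {
    "1.2.840.113549.1.12.1.1": "pbeWithSHA1And128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHA1And40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHA1And2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHA1And128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHA1And40BitRC2-CBC",
}
SEQ, INT, OCT, OID, CTX0 = 0x30, 0x02, 0x04, 0x06, 0xA0


def _read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, is_constructed, value, end)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag; not expected in PKCS#12")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return tag, bool(tag & 0x20), buf[pos:end], end


def _decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets into dotted-decimal text."""
    if not value:
        raise ValueError("empty OID")
    first = value[0]
    arcs = ["2", str(first - 80)] if first >= 80 else [str(first // 40), str(first % 40)]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def collect_oids(buf):
    """Depth-first walk of a DER blob returning every OID in document order.

    An OCTET STRING whose content starts with a SEQUENCE tag is parsed as nested
    DER (PKCS#12 AuthenticatedSafe / SafeContents); salts, IVs and ciphertext do
    not start that way and stay opaque.
    """
    oids, pos = [], 0
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        if tag == OID:
            oids.append(_decode_oid(value))
        elif constructed:
            oids.extend(collect_oids(value))
        elif tag == OCT and value[:1] == b"\x30":
            try:
                oids.extend(collect_oids(value))
            except (ValueError, IndexError):
                pass  # looked like DER but was not; treat as opaque bytes
    return oids


def pbe_report(pfx):
    """Summarise the PBE schemes in a PFX: is PBES2 present, which PKCS#12 PBEs."""
    oids = collect_oids(pfx)
    return {
        "pbes2": PBES2 in oids,
        "pkcs12_pbe": sorted({PKCS12_PBE[o] for o in oids if o in PKCS12_PBE}),
    }


def old_keytool_safe(pfx):
    """True when no PBES2 AlgorithmIdentifier is present (the thread's failure)."""
    return not pbe_report(pfx)["pbes2"]


# --- constructed sample input: a PFX skeleton, not a real OpenSSL export ---
def _der(tag, *children):
    body = b"".join(children)
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _oid(text):
    arcs = [int(a) for a in text.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _der(OID, bytes(out))


def _pbe_params():  # salt, 2048 iterations (PRF omitted in this skeleton)
    return _der(SEQ, _der(OCT, b"\x01" * 8), _der(INT, b"\x08\x00"))


# Shaped like an OpenSSL 3 default export: PBES2 { PBKDF2, AES-256-CBC }
ALG_PBES2 = _der(SEQ, _oid(PBES2), _der(SEQ,
    _der(SEQ, _oid(PBKDF2), _pbe_params()),
    _der(SEQ, _oid(AES256_CBC), _der(OCT, b"\x00" * 16))))
# Shaped like `openssl pkcs12 -export -legacy` / OpenSSL 1.1 output
ALG_LEGACY = _der(SEQ, _oid("1.2.840.113549.1.12.1.3"), _pbe_params())


def sample_pfx(alg_id):
    """Minimal PFX with one encryptedData ContentInfo using alg_id (constructed)."""
    enc_content = _der(SEQ, _oid(OID_DATA), alg_id, _der(0x80, b"\xde\xad\xbe\xef"))
    encrypted_data = _der(SEQ, _der(INT, b"\x00"), enc_content)
    inner = _der(SEQ, _oid(OID_ENCRYPTED_DATA), _der(CTX0, encrypted_data))
    auth_safe = _der(OCT, _der(SEQ, inner))
    outer = _der(SEQ, _oid(OID_DATA), _der(CTX0, auth_safe))
    return _der(SEQ, _der(INT, b"\x03"), outer)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_pfx(ALG_PBES2)
    report = pbe_report(data)
    print(report, "-> old keytool will", "FAIL" if report["pbes2"] else "accept it")
```

Run it as `python check_p12.py cert1.p12`; without an argument it checks the built-in PBES2 skeleton. It only reads OIDs, so it never needs the password, which makes it a cheap pre-check in a build script that still has to support an old JDK.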

Updating the JDK will solve this issue.

Emmanuel Bourg

If the -legacy option in openssl3 doesn't work for any reason (my case; maybe because I use macOS), simply install openssl1.1 and use that instead to generate the p12 file.

For example, on macOS:

  • brew install openssl@1.1
  • /opt/homebrew/Cellar/openssl@1.1/1.1.1t/bin/openssl pkcs12 -inkey cert.pkey -in cert.pem -export -out cert.p12
Daniel Shin