
I am trying to update a keystore with a renewed SSL certificate that I downloaded from my Ionos webhost.

I downloaded the PFX file after inputting my private key and password into their PFX creation tool and checked an option to "include intermediate certificates" (this is what I have always done in the past).

When I ran keytool to update the keystore this is the command I used:

keytool -importkeystore -srckeystore example.com_private_key.pfx -srcstoretype pkcs12 -destkeystore mykeystore.jks -deststoretype JKS

It asks me to enter some passwords and then asks me if I wanted to override the alias. After entering "yes" it gave me the "Invalid null input" error.

I also tried creating a new keystore instead of updating the old one and after entering the passwords I received the same error.

I still have my old PFX file from last year and keytool doesn't give the error when creating a keystore with that.

I also tried reissuing the private key and redownloading the PFX with and without the intermediate certificate option but got the same error.

I don't know where to even start to find out how to overcome this issue. My only assumption is that there is something wrong with the new PFX file, but I don't know how I can verify it or troubleshoot.

Any suggestions?

EDIT:

I decided to run keytool -list on the PFX file and this was the output

>keytool -list -v -keystore example.com_private_key.pfx
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: *.example.com
Creation date: 22-Mar-2023
Entry type: PrivateKeyEntry


*******************************************
*******************************************

Usually this gives a big list of things but this seems empty.

Curtis

  • There is definitely a privatekey in that PKCS12, the display says so. But either the _certificates_ are not present, or are unreadable -- which might occur if you give a wrong/inconsistent password, but that should cause other error messages as well. Do you have openssl, including on another machine you can use, or can you get it? If so, do `openssl pkcs12 -info -nokeys` on each file to see the encryption options and cert(s), but not the (sensitive) privatekey values, and compare the working to nonworking case. – dave_thompson_085 Mar 22 '23 at 22:24
  • 1
    I don't know who voted to close this question as not being about software development, but that's certainly wrong; keytool is part of the JDK and the resulting keystores are required as input for many programming tasks. I'm agreeing with Dave above of course. What is required for Java keystores is that there is a certificate chain that is directly associated with the private key (possibly excluding root cert), starting with the leaf certificate. Separate certificates are commonly considered trust points instead. – Maarten Bodewes Mar 23 '23 at 15:10
  • @dave_thompson_085 thank you for your suggestion, I was able to compare them and they seem almost identical except that the non working one has `Bag Attributes: ` whereas the working one had a `friendlyname` and `localKeyID` inside the `Bag Attributes`. Since I had OpenSSL I downloaded the cert, intermediate cert and private key from my host and used OpenSSL to create a new PFX and it worked. It had the same bag attributes as the working one and keytool was able to successfully import them. So I assume the Empty Attributes thing was the issue? – Curtis Mar 23 '23 at 19:50
  • 1
    Curtis: yes, or more exactly the lack of `localKeyID`, which is used to link the privatekey to the matching cert (since the PKCS12 format allows more than one of each, even though you aren't doing so here). The Sun/Oracle/OpenJDK provider doesn't _need_ `friendlyName`, but is easier to use with. – dave_thompson_085 Mar 24 '23 at 03:47
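The failure mode discussed in the comments (a PFX that lists as a PrivateKeyEntry but carries no usable certificate for that key) can be checked programmatically before running keytool. The following is an added example, not code from the question or the commenters; it assumes the `cryptography` Python package is installed, and the function names, the `example.test` subject and the `changeit` password are constructed for the demonstration. `inspect_pkcs12` reports whether a private key, a leaf certificate and any intermediates are present, and whether the leaf certificate's public key actually belongs to the private key, which is the association keytool needs when it imports the entry. Two PFX blobs are built inline: a well-formed one and a key-only one that reproduces the empty-looking listing from the question.

```python
"""Check a PKCS#12 (PFX) blob the way a Java keystore import will need it:
a private key with its matching leaf certificate, plus any intermediates."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PASSWORD = b"changeit"  # constructed for this example; not a real credential


def inspect_pkcs12(pfx_bytes: bytes, password: bytes) -> dict:
    """Return what a keystore import will find inside a PFX blob.

    key_matches_cert is the property keytool -importkeystore relies on:
    the leaf certificate in the entry must belong to the private key.
    """
    key, cert, extra = pkcs12.load_key_and_certificates(pfx_bytes, password)
    result = {
        "has_private_key": key is not None,
        "has_leaf_cert": cert is not None,
        "intermediate_count": len(extra),
        "key_matches_cert": False,
    }
    if key is not None and cert is not None:
        # Compare the public half of the private key with the certificate's
        # SubjectPublicKeyInfo; equal DER means the cert was issued for this key.
        key_pub = key.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )
        cert_pub = cert.public_key().public_bytes(
            serialization.Encoding.DER,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )
        result["key_matches_cert"] = key_pub == cert_pub
    return result


def _self_signed(common_name: str):
    """Constructed test material: a throwaway RSA key and self-signed cert."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return key, cert


def build_good_pfx() -> bytes:
    """Key and its certificate in one PFX: the layout keytool expects."""
    key, cert = _self_signed("example.test")
    return pkcs12.serialize_key_and_certificates(
        b"example.test", key, cert, None,
        serialization.BestAvailableEncryption(PASSWORD),
    )


def build_keyonly_pfx() -> bytes:
    """Key with no certificate: still shows as a PrivateKeyEntry when listed,
    but there is nothing for the keystore import to attach to the key."""
    key, _cert = _self_signed("example.test")
    return pkcs12.serialize_key_and_certificates(
        b"example.test", key, None, None,
        serialization.BestAvailableEncryption(PASSWORD),
    )


if __name__ == "__main__":
    print("good PFX:    ", inspect_pkcs12(build_good_pfx(), PASSWORD))
    print("key-only PFX:", inspect_pkcs12(build_keyonly_pfx(), PASSWORD))
```

To check a real file, read it with `open(path, "rb").read()` and pass the PFX password as bytes; a result with `has_private_key` True but `has_leaf_cert` False, or `key_matches_cert` False, is the situation to fix (for example by rebuilding the PFX with OpenSSL from the key, leaf and intermediate, as the question's author did) before attempting the keytool import.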
