
So the platform/system we're subscribed to said they're renewing their certificates, and sent us the new ones. They sent 1 .pem and 1 .crt file with exactly the same content, which is basically just a certificate part (no key):

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

We're on a 3rd-party Java app which has a .jceks keystore, containing just a SecretKeyEntry:

Keystore type: JCEKS
Keystore provider: SunJCE

Your keystore contains 1 entry

abcd, May 23, 2016, SecretKeyEntry,

So what am I supposed to do here?

I imported the cert with alias "abcd", but the app apparently expects a key as per the logs?:

ConnectivityException: Error while decrypting [7v9wr8aOC+t3OEVGVzfBjw==] using cipher [AES]
nullPointer
  • Probably you are using the default _truststore_ (cacerts file) without knowing that. Look for it and check if it contains the "old" certificate, if so, just add the new one. – Eugène Adell Mar 27 '23 at 20:55
  • @Eugene no I don't think so, the java app is launched by pointing to the .jceks keystore : `-Djavax.net.ssl.keyStore=ff_key.jceks` – nullPointer Mar 28 '23 at 05:03
  • dude I was talking about the _truststore_ not the _keystore_ . The app is using a truststore for sure even if you aren't aware of that. Maybe, have a look at the [doc](https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#CustomizingStores). – Eugène Adell Mar 28 '23 at 08:00
  • Could be that they are switching from a pre-shared key (PSK) configuration to one just offering server authentication (i.e. normal TLS). In that case they might send you a certificate that needs to be trusted by you to create the connection. I'd definitely not replace the current key, I'd add the certificate as trusted certificate under a different alias, then remove the secret key after getting a go or when the connection is using the server authentication. As it stands, you've not provided enough information to compose an answer though, this is guesswork. – Maarten Bodewes Mar 28 '23 at 08:11
  • @Eugene checked the default truststore ( jre/lib/security/cacerts ) on the server hosting the app and it doesn't seem to contain the previous/old cert(s).. – nullPointer Mar 29 '23 at 07:00
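The comments above suggest adding the new certificate as a trusted entry under its own alias and leaving the existing SecretKeyEntry alone. The following Java program is an added example (not code from the question, the vendor or the app): it inventories the JCEKS store so you can tell key entries from trusted certificates, parses the PEM certificate, checks that it is currently valid, and writes the updated store to a new file so the original is kept as a backup. The store path, password, certificate path and new alias are assumed placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class AddTrustedCert {
    public static void main(String[] args) throws Exception {
        // Assumed values: adjust to your own store, password and file names.
        String storePath = "ff_key.jceks";
        char[] storePass = "changeit".toCharArray();
        String certPath = "new_cert.pem";      // the .pem/.crt the platform sent
        String newAlias = "platform-2023";     // do NOT reuse the alias of the secret key

        // Load the existing JCEKS store (the type matters: JKS/PKCS12 cannot hold SecretKeyEntry).
        KeyStore ks = KeyStore.getInstance("JCEKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ks.load(in, storePass);
        }

        // Inventory: isKeyEntry() is true for SecretKeyEntry and PrivateKeyEntry,
        // false for TrustedCertificateEntry. The AES decryption in the log needs the key entry.
        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "key entry (keep)" : "trusted certificate";
            System.out.println(alias + " -> " + kind);
        }
        if (ks.containsAlias(newAlias)) {
            throw new IllegalStateException("alias already present: " + newAlias);
        }

        // CertificateFactory accepts PEM (-----BEGIN CERTIFICATE-----) as well as DER input.
        X509Certificate cert;
        try (InputStream in = new FileInputStream(certPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        cert.checkValidity(); // throws if the renewed cert is expired or not yet valid
        System.out.println("Adding " + cert.getSubjectX500Principal()
                + " (valid until " + cert.getNotAfter() + ")");

        // Adds a TrustedCertificateEntry; the existing SecretKeyEntry is untouched.
        ks.setCertificateEntry(newAlias, cert);

        // Write to a new file; swap it in only after the app confirms the connection works.
        try (FileOutputStream out = new FileOutputStream(storePath + ".new")) {
            ks.store(out, storePass);
        }
    }
}
```

If the app actually validates the server through the default truststore (jre/lib/security/cacerts), as one comment suggests, the same setCertificateEntry call against that JKS file is the equivalent fix.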
