Automating keystore with keytool and openssl-CodePudding

I have this script:

PASSWORD=password123

openssl genrsa -out client2.key 2048
openssl req -new -key client2.key -out client2.csr -subj "/C=/ST=/L=/O=/OU=/CN=/emailAddress=" -passin pass:$PASSWORD -passout pass:$PASSWORD
openssl x509 -req -in client2.csr -CA ./ca/ca.crt -CAkey ./ca/ca.key -CAcreateserial -out client2.crt -days 1825 -sha256
openssl pkcs12 -export -out bundle.p12 -in client2.crt -inkey client2.key -password pass:$PASSWORD
keytool -keystore truststore.jks -import -file ./ca/ca.crt -alias cacert -storepass $PASSWORD -keypass $PASSWORD -noprompt
keytool -destkeystore keystore.jks -importkeystore -srckeystore bundle.p12 -srcstoretype PKCS12 -srcstorepass $PASSWORD -destkeypass $PASSWORD -deststorepass $PASSWORD -srckeypass $PASSWORD

The problem is with the last command, it returns:

keytool error: java.io.IOException: keystore password was incorrect

And don't understand why since the password is always the same for all of it.

CodePudding user response：

While trying to manually run the import command, like this...

keytool -v -importkeystore -srckeystore bundle.p12 -srcstoretype pkcs12 \
  -destkeystore keystore.jks -deststoretype JKS -deststorepass password123 \
  -srcstorepass password123

I received the following exception:

Importing keystore bundle.p12 to keystore.jks...
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221)
        at java.base/java.security.KeyStore.load(KeyStore.java:1473)
        at java.base/sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:2318)
        at java.base/sun.security.tools.keytool.Main.doCommands(Main.java:1233)
        at java.base/sun.security.tools.keytool.Main.run(Main.java:415)
        at java.base/sun.security.tools.keytool.Main.main(Main.java:408)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.security.cert.CertificateParsingException: Empty subject DN not allowed in v1 certificate

That suggests that part of your problem may be that in your script you're not providing any values for the subject. If I fix that:

openssl req -new -key client2.key -out client2.csr -subj "/CN=example-client" \
  -passin pass:$PASSWORD -passout pass:$PASSWORD

The manual import command works without a problem:

$ keytool -v -importkeystore -srckeystore bundle.p12 -srcstoretype pkcs12 \
  -destkeystore keystore.jks -deststoretype JKS -deststorepass password123 \
  -srcstorepass password123
Importing keystore bundle.p12 to keystore.jks...
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
[Storing keystore.jks]

But the command in your script -- which differs in that it includes the -srckeypass and -destkeypass -- still fails:

Importing keystore bundle.p12 to keystore.jks...
keytool error: java.lang.Exception: if alias not specified, destalias and srckeypass must not be specified

If you remove the -srckeypass option from your script, it works as expected.