Java Keystore – Do the passwords have to be the same everywhere?

If I set the password to ABC123 for all prompts then ActiveMQ works fine.

But if I try to play around with different passwords I get an exception.

Can someone tell me where the passwords have to be the same and where they should differ for security reasons? And then finally, what would be the keystore password and the truststore password?

Step 1:

    keytool -import -alias "CA" -file /etc/puppetlabs/puppet/ssl/ca/ca_crt.pem -keystore truststore.jks
    Enter keystore password: ABC123

Step 2:

    cat /etc/puppetlabs/puppet/ssl/private_keys/activemq.localhost.pem /etc/puppetlabs/puppet/ssl/certs/activemq.localhost.pem > temp.pem

Step 3:

    openssl pkcs12 -export -in temp.pem -out activemq.p12 -name activemq.localhost
    Enter Export Password: XYZ123

Step 4:

    keytool -importkeystore -destkeystore keystore.jks -srckeystore activemq.p12 -srcstoretype PKCS12 -alias activemq.localhost
    Enter destination keystore password: ABC123
    Re-enter new password: ABC123
    Enter source keystore password: XYZ123

And then I try to use this sslContext.

    <sslContext>
        <sslContext
            keyStore="/etc/activemq/keystore.jks"
            keyStorePassword="ABC123"
            trustStore="/etc/activemq/truststore.jks"
            trustStorePassword="ABC123" />
    </sslContext>

But I get the following error. I even tried trustStorePassword as XYZ123, but it still fails.

    Invocation of init method failed; nested exception is java.security.UnrecoverableKeyException: Cannot recover key

Java KeyStore vs OpenSSL implementations of PKCS12 files: they seem to differ. Do they?

I generated a pkcs12 keystore in Java and wanted to inspect it with OpenSSL, but OpenSSL threw back an error. After a bit of head scratching I realized that the KeyStore format in Java allows you to have different passwords on the store itself and the pkcs8 encrypted key inside, while OpenSSL seems to assume that both passwords have to be the same. I can easily inspect a pkcs12 file created in Java if both the file and key passwords are the same, but get an error when they differ:

    Bag Attributes
        friendlyName: usercert
        localKeyID: 54 69 6D 65 20 31 35 38 38 30 32 32 30 31 38 30 37 31
    Error outputting keys and certificates
    139815467680960:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
    139815467680960:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:62:
    139815467680960:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:93:

Have I missed something, or is it correct to say that the PKCS12 implementations differ slightly?

I’m looking for a way to inspect PKCS12 files with OpenSSL where the two passwords differ. Any help would be appreciated.
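An added Java example, not taken from either question above, showing the KeyStore behaviour both of them hit: the store password (which verifies the file's MAC and opens it) and the per-entry key password are separate, so loading with the store password succeeds while recovering the entry with that same password throws UnrecoverableKeyException. It uses a secret-key entry so that no certificate has to be generated; private-key entries are protected by a per-entry password in the same way. The alias and the two passwords are the ones from the first question.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class KeyPasswordDemo {
    public static void main(String[] args) throws Exception {
        char[] storePass = "ABC123".toCharArray(); // protects the file (MAC)
        char[] keyPass   = "XYZ123".toCharArray(); // protects the single entry

        // Build a PKCS12 store whose only entry is protected by a different
        // password than the store itself (constructed demo data, AES key).
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKey k = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("activemq.localhost", new KeyStore.SecretKeyEntry(k),
                    new KeyStore.PasswordProtection(keyPass));

        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);

        // Reload: the store password is enough to open the file...
        KeyStore reloaded = KeyStore.getInstance("PKCS12");
        reloaded.load(new ByteArrayInputStream(out.toByteArray()), storePass);

        // ...but it does not decrypt the entry; that needs the key password.
        try {
            reloaded.getKey("activemq.localhost", storePass);
            System.out.println("unexpected: store password opened the entry");
        } catch (UnrecoverableKeyException e) {
            System.out.println("store password does not open the entry: " + e.getMessage());
        }
        boolean ok = reloaded.getKey("activemq.localhost", keyPass) != null;
        System.out.println("entry recovered with key password: " + ok);
    }
}
```

A tool or server that is only handed the store password (as the sslContext above is) will fail on the entry in exactly this way when the two passwords differ.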

Convert private SSL certificate to PKCS12 format for JKS Keystore

I got the following files from the company's certificate provider.

    jenkins.int.XX.com.key
    XX_Inc_Private_Root_CA.base64.cer
    XX_Inc_Private_Root_CA.crt
    XX_Inc_Private_SSL_CA.509.cer
    XX_Inc_Private_SSL_CA.509.pem

Here are the two commands I ran to convert:

    openssl pkcs12 -export -out jenkins_keystore.p12 -passout 'pass:changeit' -inkey jenkins.int.xx.com.key -in XX_Inc_Private_Root_CA.base64.cer
    error message: No certificate matches private key

    openssl pkcs12 -export -out jenkins_keystore.p12 -passout 'pass:changeit' -inkey jenkins.int.xx.com.key -in XX_Inc_Private_SSL_CA.509.cer
    error message: unable to load certificates

What is the right way to do it?

Can I use the same truststore and keystore on the client and the server?

TL;DR: Is it possible to have both sides of an SSL/TLS connection use the same public and private key, so long as that public key is trusted by both sides?

More info if helpful:

I’m trying to test how I’d set up a Java application connecting to Kafka 2.1. I am using the same keystore and truststore for the Kafka cluster and the Java application, meaning both sides of the connection have the same public and private key. I understand this is not good practice; I just wanted to verify I understood how to configure things.

I can set

    listeners=PLAINTEXT://localhost:9092,SSL://localhost:9093
    # This is the config style for 2.3
    # listeners=HTTP://localhost:9092,HTTPS://localhost:9093
    ssl.keystore.location=/path/to/kafka.keystore.jks
    ssl.keystore.password=test
    ssl.truststore.location: /path/to/kafka.truststore.jks
    ssl.truststore.password: test
    ssl.key.password=test

a bunch of properties in Kafka to enable TLS/SSL authentication. I feel confident that I’ve made the truststore and keystore correctly, where the truststore contains the 1 public key that the Java side and the Kafka side are using. I’ve done the same on the Java side, roughly following a GitHub example.

I can’t get any connection going, and I am trying to remove possibilities for why. Could this be because both sides of the connection have the same public and private key?

Can a PKCS12 keystore be FIPS compliant?

Is it possible to generate a PKCS12 keystore that will be FIPS compliant? In regular mode, I’m using "1.2.840.113549.1.12.1.3" - pbeWithSHAAnd3-KeyTripleDES-CBC(3) algorithm to encrypt private keys, while leaving the certificate bags unencrypted. However it seems that this algorithm is not approved for FIPS, so I need to switch to something different. I figured that I can use "2.16.840.1.101.3.4.1.42" - aes256-CBC(42) and also PBKDF2 to calculate MAC, but so far I’m having problems with the code and I’m not sure if it is supposed to work that way. So, is it even possible to have PKCS12 keystores FIPS compliant, or am I simply doing something wrong and need to fix my code? Google gives me contradictory answers and I’m not sure which is correct.

Does Windows CNG Keystore support exporting a key or keypair in ciphertext?

As Windows CNG key storage offers an API to export key(pair)s:

    SECURITY_STATUS NCryptExportKey(
      /* The handle of the key(pair) to export */
      NCRYPT_KEY_HANDLE hKey,
      /* The handle of a key to encrypt exported key(pair) */
      NCRYPT_KEY_HANDLE hExportKey,
      LPCWSTR           pszBlobType,
      NCryptBufferDesc  *pParameterList,
      PBYTE             pbOutput,
      DWORD             cbOutput,
      DWORD             *pcbResult,
      DWORD             dwFlags
    );

It seems that the exported key blob could be encrypted with hExportKey, but I haven’t found any definition of the ciphertext format. For example, to export a DH keypair by setting parameter pszBlobType to BCRYPT_DH_PRIVATE_BLOB, the manual just ambiguously says:

Export a Diffie-Hellman public/private key pair. The pbOutput buffer receives a BCRYPT_DH_KEY_BLOB structure immediately followed by the key data.

And the BCRYPT_DH_KEY_BLOB is defined as follows:

    typedef struct _BCRYPT_DH_KEY_BLOB {
      ULONG dwMagic; // BCRYPT_DH_PUBLIC_MAGIC or BCRYPT_DH_PRIVATE_MAGIC
      ULONG cbKey;   // The length, in bytes, of the key
    } BCRYPT_DH_KEY_BLOB, *PBCRYPT_DH_KEY_BLOB;

As the above structure is a header followed by the real data in contiguous memory, the BCRYPT_DH_PRIVATE_BLOB (also the key data mentioned before) is composed as:

    BCRYPT_DH_KEY_BLOB
    Modulus[cbKey]          // Big-endian.
    Generator[cbKey]        // Big-endian.
    Public[cbKey]           // Big-endian.
    PrivateExponent[cbKey]  // Big-endian.

Now I wonder:

As the Keystore does not support the generation and storage of symmetric keys, is the parameter hExportKey of NCryptExportKey really valid?

If yes:

  1. Where does the exportKey come from?

  2. What format would the BCRYPT_DH_PRIVATE_BLOB be encrypted to? Just an unreadable blob of about cbKey*4 bytes?

Error while loading Android Keystore

I am currently experiencing a problem with the use of Keystore on Android.

My current situation is as follows: I want to store certificates in a custom format in the Keystore. For that, I created a class that extends the Certificate class of Java:

   public class KCert extends Certificate 

Therefore, I can store and retrieve these new objects in the Keystore without problems when it is already initialized:

   KCert poCert = (KCert) ksm.getCertificate("POCERT"); 

or like this:

   Certificate poCert = ksm.getCertificate("POCERT"); 

(“ksm” stands for KeystoreManager; it’s just an interface I’ve developed to easily manipulate Keystore objects.)

The difficulty appears when I try to load a Keystore file containing this type of certificate. The system throws:

    java.io.IOException: java.security.cert.CertificateException: KCert not found 

And so the Keystore cannot be initialized.

My question is: is it possible to store certificates with a custom type in a Keystore file and load them when launching the application? If so, what should be implemented to make it work? (The Keystore seems to handle this type of certificate correctly when it is already initialized.)

Thank you in advance!

Android KeyStore key storage

How are RSA private keys stored within the Android KeyStore (on devices that do not have a secure hardware element) protected? Are they encrypted using some form of password-based encryption based on a user-supplied password? Or are they encrypted using some sort of operating system “master” key? The examples within the Android documentation do not seem to specify any kind of password when storing/accessing the keys within the Keystore.

Thanks.

Intermediate certificate not in keystore even though I added it

I was tasked to set up SSL on a server. This server uses WildFly, so I have to make a keystore that contains all of the certificates that I got: the server certificate, the intermediate certificate and the key file. First I chained up the server cert and the intermediate cert, then I used openssl to create a PKCS12 file, and then I used keytool to create a keystore from that PKCS12 file. The problem is that when I open the keystore file or the PKCS12 file, I find that it doesn’t contain the intermediate cert; it only has the server cert, which is weird, because I’ve done this procedure before and it worked. Does anyone know what the problem can be? Extra info: the intermediate certificate is a little old (from 2010), uses SHA-1 and will expire in 9 months, which is weird, unlike my server cert, which is new and uses SHA-256.

Please help. Thank you.

keytool error: java.lang.Exception: Public keys in reply and keystore don’t match

This is about how to import an SSL certificate provided by a vendor into the Tomcat web server.

Note: The CSR was generated on the network load balancer, and the certificate was issued based on that CSR.

Can someone help me with the steps to import the certificate (.cer) into the Tomcat server?

As I said, the CSR was generated on the load balancer; I think that is conflicting. How do I make the cert work and import it into Tomcat?