Original URL: http://stackoverflow.com/questions/44830270/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
keytool error: java.io.IOException: keystore password was incorrect
Asked by Greg Dougherty
Created a Certificate for Tomcat, trying to get it installed in new keystore, and getting error (Edit: ran it with -v option, now getting more info):
keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:1894)
    at sun.security.tools.keytool.Main.doImportKeyStore(Main.java:1926)
    at sun.security.tools.keytool.Main.doCommands(Main.java:1021)
    at sun.security.tools.keytool.Main.run(Main.java:340)
    at sun.security.tools.keytool.Main.main(Main.java:333)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.io.IOException: getSecretKey failed: Password is not ASCII
Sadly, it's correct, the passphrase has two "?". So, given what I've done (the private key has the non-ASCII password), how much of a pain will it be to recover from this?:
1: Create a passphrase file: vi .kp
2: Make CSR:
A: Generate a 2048 bit private key:
openssl genpkey -algorithm RSA -outform PEM -out mike.privateKey.pass.pem -pkeyopt rsa_keygen_bits:2048 -pass file:.kp
B: Make the CSR:
openssl req -new -sha256 -key mike.privateKey.pass.pem -out mike.ike.com.cert.csr
Note: CSR has different "challenge password" than in the passphrase file, if that matters
3: Submit CSR to Comodo
4: Get certificate file mike_ike_com.cer & Comodo trust chain files: COMODORSAOrganizationValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, AddTrustExternalCARoot.crt
5: Convert the Certificates:
A: Convert to PEM:
openssl x509 -inform DER -in COMODORSAOrganizationValidationSecureServerCA.crt -out COMODORSAOrganizationValidationSecureServerCA.pem -outform PEM
openssl x509 -inform DER -in COMODORSAAddTrustCA.crt -out COMODORSAAddTrustCA.pem -outform PEM
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem -outform PEM
B: Concat into a single file:
cat COMODORSAOrganizationValidationSecureServerCA.pem COMODORSAAddTrustCA.pem AddTrustExternalCARoot.pem > Comodo.root.crt
C: Use openssl to create a pkcs12 file:
openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kp -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt
Note: when it asks "Enter Export Password" I give it the pw from .kp
6: Use keytool to create the keystore file:
$JAVA_HOME/bin/keytool -importkeystore -deststorepass:file .kp -destkeypass:file .kp -destkeystore .keystore -srckeystore mike_ike.p12 -srcstoretype PKCS12 -srcstorepass:file .kp -alias tomcat
The file ".keystore" does not exist. I am assuming that keytool will create it
Answered by Greg Dougherty
Ok, so I have an answer.
1: I had a non-ASCII character in the password. openssl can handle that, keypass can't.
2: Having created the private key with the non-ASCII password, I'm stuck with it, so I renamed that file .kpkey, and created a new .kp file with a pure ASCII password
3: This required a change to 5:C:
openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kpkey -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt
Note: when it asks "Enter Export Password" I give it the pw from .kp, NOT from .kpkey. The only change is -passin file:.kpkey
Everything else remains the same, and works
Answered by Anshul Sharma
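A preflight check for the passphrase file used as the export password in step 5:C and as the keytool password in step 6, as an added example that is not part of the original answers. It flags the condition behind "Password is not ASCII" before a PKCS12 file is built with it. The function names and the sample passphrase are constructed, and it assumes only the first line of the file is used as the password.

```shell
#!/bin/sh
# Added example (not from the original post): check the first line of a
# passphrase file for bytes that keytool's PKCS12 loader will not accept.
# The passphrase itself is never printed, only byte counts.
# Returns 0 = non-empty printable ASCII, 1 = problem found, 2 = unreadable.

# Count bytes of the first line that survive the given tr operation.
_count() { head -n 1 "$1" | LC_ALL=C tr "$2" "$3" | wc -c | tr -d ' '; }

check_passfile() {
    f=$1
    [ -r "$f" ] || { echo "$f: cannot read" >&2; return 2; }
    # Assumption: only the first line of the file is used as the password.
    total=$(_count "$f" -d '\n')                        # all bytes except newline
    high=$(_count "$f" -cd '\200-\377')                 # bytes >= 0x80 (non-ASCII)
    cr=$(_count "$f" -cd '\r')                          # stray CR from a CRLF file
    ctrl=$(_count "$f" -d '\n\r\040-\176\200-\377')     # other control bytes
    rc=0
    [ "$total" -gt 0 ] || { echo "$f: first line is empty" >&2; rc=1; }
    [ "$high" -eq 0 ] || {
        echo "$f: $high non-ASCII byte(s); expect 'Password is not ASCII'" >&2
        rc=1
    }
    [ "$cr" -eq 0 ] || { echo "$f: carriage return in password line" >&2; rc=1; }
    [ "$ctrl" -eq 0 ] || { echo "$f: $ctrl control byte(s)" >&2; rc=1; }
    return $rc
}

# Constructed demo: a passphrase containing UTF-8 "é" (bytes 0xC3 0xA9).
demo=$(mktemp)
printf 'caf\303\251-2017\n' > "$demo"
check_passfile "$demo" || echo "use a pure ASCII passphrase for the .p12 and keystore"
rm -f "$demo"
```

Run it against the new .kp before the `openssl pkcs12 -export` step; the key's own passphrase file (.kpkey in the answer above) is only read by openssl and does not need to pass.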
I have got this sorted out. I was using my password that is 'password' to update cacerts keystore in JDK while default password for cacerts keystore is 'changeit'