
Unable to find details of private key in JKS

I generated a JKS using this command:

keytool -genkey -alias $1 -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -dname "CN=$3,OU=$4,O=$5,L=$6,S=$7,C=$8" -keypass $9 -keystore keystore.jks -storepass ${10} -validity 375

$1 to $10 are all variables stored in a file.

I then generated a CSR using this command:

keytool -certreq -alias mydomain -keystore keystore.jks -file mydomain.csr

I then applied for a Digi-Sign CA cert. I received the 4 certs below, which I imported into my JKS.

Alias, filename and details below:

  1. root, AddTrustExternalCARoot.crt
     Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
     Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

  2. inter, USERTrustRSAAddTrustCA.crt
     Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
     Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE

  3. inter_second, DigiSignCADigiSSL.crt
     Owner: CN=Digi-Sign CA Digi-SSL, O=Digi-Sign Limited, L=Dublin, ST=County Dublin, C=IE
     Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US

  4. mydomain, mydomain_com.crt
     Owner: CN=mymac1.com, OU=Digi-SSL Xp, OU=Provided by Digi-Sign Limited, OU=Batel Affinity, O=Batel & Moss Group, L=Texas, ST=NJ, C=US
     Issuer: CN=Digi-Sign CA Digi-SSL, O=Digi-Sign Limited, L=Dublin, ST=County Dublin, C=IE

I imported them into the JKS using the commands below:

keytool -import -v -alias "root" -file AddTrustExternalCARoot.crt -keystore keystore.jks 

keytool -import -v -alias "intermediate1" -file USERTrustRSAAddTrustCA.crt -keystore keystore.jks 

keytool -import -v -alias "intermediate2" -file DigiSignCADigiSSL.crt -keystore keystore.jks 

keytool -import -v -alias "USWL1212CONPERF01" -file mydomain_com.crt -keystore keystore.jks

When I set the JKS in WebLogic, I get this exception in the WebLogic Server logs:

####<Jul 31, 2017 11:07:14 AM CDT> <Error> <WebLogicServer> <sysa5av> <ISIS01> <[ACTIVE] ExecuteThread: '34' for queue: 'weblogic.kernel.Default (self-tuning)'> <<WLS Kernel>> <> <> <1501517234413> <BEA-000297> <Inconsistent security configuration, weblogic.management.configuration.ConfigurationException: No identity key/certificate entry was found under alias mydomain in keystore /web/bea/mydomains/config/keystore.jks on server MS1.>

I tried changing my JKS to PKCS12 format so that I can see what my private key and alias are, but that too failed with the error below:

keytool -v -importkeystore -srckeystore keystore.jks -srcalias certificatekey -destkeystore myp12file.p12 -deststoretype PKCS12

Problem importing entry for alias root: java.security.KeyStoreException: TrustedCertEntry not supported. 

I then tried the Java program here: keytool - see the public and private keys

But the output does not show any private keys. I used the alias mydomain. It could be that the alias for the private key is wrong, as it was populated using variables as shown in the first command of this post. What would be the solution in that case? How could I retrieve the alias and the private key for the certificate that Digi-Sign gave me?

If the alias is correct, why am I getting an error starting the WebLogic server?

In case it is needed, I'm also sharing the output of

keytool -v -list -keystore keystore.jks

Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 4 entries

Alias name: root
Creation date: Jul 31, 2017
Entry type: trustedCertEntry

Owner: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 1
Valid from: Tue May 30 06:48:38 EDT 2000 until: Sat May 30 06:48:38 EDT 2020
Certificate fingerprints:
         MD5:  1D:35:54:04:85:78:B0:3F:42:42:4D:BF:20:73:0A:3F
         SHA1: 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68
         SHA256: 68:7F:A4:51:38:22:78:FF:F0:C8:B1:1F:8D:43:D5:76:67:1C:6E:B2:BC:EA:B4:13:FB:83:D9:65:D0:6D:2F:F2
         Signature algorithm name: SHA1withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
[CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE]
SerialNumber: [    01]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
]



*******************************************
*******************************************


Alias name: mydomain
Creation date: Jul 31, 2017
Entry type: trustedCertEntry

Owner: CN=mymac1.com, OU=Digi-SSL Xp, OU=Provided by Digi-Sign Limited, OU=Batel Affinity, O=Batel & Moss Group, L=Texas, ST=NJ, C=US
Issuer: CN=Digi-Sign CA Digi-SSL, O=Digi-Sign Limited, L=Dublin, ST=County Dublin, C=IE
Serial number: 6f70e9e8abce2003529156bf5cb98a1f
Valid from: Sun Jul 16 20:00:00 EDT 2017 until: Tue Jul 17 19:59:59 EDT 2018
Certificate fingerprints:
         MD5:  9A:F1:62:71:C4:02:C2:C1:64:87:84:A2:07:EA:1A:07
         SHA1: A0:BF:8A:61:D7:AE:82:A6:EE:4B:EB:E0:22:19:73:2E:FC:85:F8:AC
         SHA256: 56:1D:22:04:4B:E5:9D:09:1E:0C:FD:36:33:0B:E7:49:DB:C0:37:2D:93:24:F1:B1:8B:6E:27:D5:D9:76:3D:59
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.usertrust.com/DigiSignCADigiSSL.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 78 29 0F AE CD 90 2C C0   DC D2 7A D4 9B 5F 9C 45  x)....,...z.._.E
0010: E0 88 A8 2C                                        ...,
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/DigiSignCADigiSSL.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.9]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: 0000: 16 19 68 74 74 70 73 3A   2F 2F 63 70 73 2E 75 73  ..https://cps.us
0010: 65 72 74 72 75 73 74 2E   63 6F 6D                 ertrust.com

]]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#8: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: mymac1.com
  DNSName: www.mymac1.com
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 3F 71 B1 50 5A 94 A7 0E   4E 1C B6 7E 6D 06 43 90  ?q.PZ...N...m.C.
0010: 90 5F 86 AF                                        ._..
]
]



*******************************************
*******************************************


Alias name: intermediate2
Creation date: Jul 31, 2017
Entry type: trustedCertEntry

Owner: CN=Digi-Sign CA Digi-SSL, O=Digi-Sign Limited, L=Dublin, ST=County Dublin, C=IE
Issuer: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Serial number: 1b3249d255747b4e23feb384e5cdcab5
Valid from: Thu Nov 06 19:00:00 EST 2014 until: Wed Nov 06 18:59:59 EST 2024
Certificate fingerprints:
         MD5:  71:BC:96:90:5B:38:8F:01:4C:32:90:06:90:D3:CF:51
         SHA1: 70:60:8B:40:D0:B7:76:17:4A:4E:D8:54:16:58:27:70:B3:07:B9:05
         SHA256: EC:0E:91:6E:74:AB:F1:50:D7:26:9B:A8:85:AE:6C:74:1E:48:78:55:CF:DD:00:21:B1:F9:25:0E:0F:02:40:A4
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt
,
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z.+J.T.......
0010: B2 03 66 CB                                        ..f.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:0
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/USERTrustRSACertificationAuthority.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [1.3.6.1.4.1.6449.1.2.2.9]
[]  ]
  [CertificatePolicyId: [2.23.140.1.2.2]
[]  ]
]

#6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#7: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 78 29 0F AE CD 90 2C C0   DC D2 7A D4 9B 5F 9C 45  x)....,...z.._.E
0010: E0 88 A8 2C                                        ...,
]
]



*******************************************
*******************************************


Alias name: intermediate1
Creation date: Jul 31, 2017
Entry type: trustedCertEntry

Owner: CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US
Issuer: CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE
Serial number: 13ea28705bf4eced0c36630980614336
Valid from: Tue May 30 06:48:38 EDT 2000 until: Sat May 30 06:48:38 EDT 2020
Certificate fingerprints:
         MD5:  DB:78:CB:D1:90:95:27:35:D9:40:BC:80:AC:24:32:C0
         SHA1: EA:B0:40:68:9A:0D:80:5B:5D:6F:D6:54:FC:16:8C:FF:00:B7:8B:E3
         SHA256: 1A:51:74:98:0A:29:4A:52:8A:11:07:26:D5:85:56:50:26:6C:48:D9:88:3B:EA:69:2B:67:B6:D7:26:DA:98:C5
         Signature algorithm name: SHA384withRSA
         Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: ocsp
   accessLocation: URIName: http://ocsp.usertrust.com
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AD BD 98 7A 34 B4 26 F7   FA C4 26 54 EF 03 BD E0  ...z4.&...&T....
0010: 24 CB 54 1A                                        $.T.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: http://crl.usertrust.com/AddTrustExternalCARoot.crl]
]]

#5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[]  ]
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 53 79 BF 5A AA 2B 4A CF   54 80 E1 D8 9B C0 9D F2  Sy.Z.+J.T.......
0010: B2 03 66 CB                                        ..f.
]
]



*******************************************
*******************************************

Please suggest, and let me know if you need more information.

It doesn't look like you added the public certificates from the CA to the same keystore.jks file.

Can you try to run keytool with just the list command, without the verbose option?

keytool -list -keystore keystore.jks -storepass <your storepass>
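The WebLogic error and the listing above turn on one distinction: WebLogic needs a PrivateKeyEntry under the configured alias, and every alias in the JKS is a trustedCertEntry. The following Java diagnostic is an added example (not from the question, the answer, or WebLogic): it loads a JKS, reports the entry type of each alias, and for every PrivateKeyEntry checks whether its public key matches the CA-issued certificate, which is exactly what has to hold before that certificate can be imported onto the key. The file paths, the store password argument and the class name are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Usage (all three arguments are placeholders):
//   java KeystoreEntryCheck keystore.jks <storepass> mydomain_com.crt
public class KeystoreEntryCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        // Public key of the CA-issued leaf certificate we want to attach to a private key.
        X509Certificate issued;
        try (FileInputStream in = new FileInputStream(args[2])) {
            issued = (X509Certificate) CertificateFactory.getInstance("X.509")
                                                         .generateCertificate(in);
        }
        PublicKey wanted = issued.getPublicKey();
        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                // A trusted certificate only; WebLogic cannot use this as an identity.
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.printf("%-20s trustedCertEntry  %s%n", alias, c.getSubjectX500Principal());
            } else if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null || chain.length == 0) {
                    System.out.printf("%-20s key entry without a certificate chain%n", alias);
                    continue;
                }
                // chain[0] is the key's own certificate (the self-signed one from -genkey,
                // or the CA-issued one once it has been imported under this alias).
                boolean match = chain[0].getPublicKey().equals(wanted);
                System.out.printf("%-20s PrivateKeyEntry   chain length=%d  matches issued cert=%b%n",
                                  alias, chain.length, match);
                found |= match;
            }
        }
        System.out.println(found
            ? "A private key for the issued certificate exists; import the chain under that alias."
            : "No PrivateKeyEntry matches the issued certificate; this keystore does not hold its key.");
    }
}
```

If no alias matches, the CSR was signed for a key pair that is not in this keystore, and importing the issued certificate under any alias will only ever create another trustedCertEntry.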
