
keytool error: java.io.IOException: keystore password was incorrect

Created a certificate for Tomcat; I'm trying to get it installed in a new keystore and am getting an error (Edit: ran it with the -v option, now getting more info):

keytool error: java.io.IOException: keystore password was incorrect
java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at sun.security.tools.keytool.Main.loadSourceKeyStore(Main.java:1894)
    at sun.security.tools.keytool.Main.doImportKeyStore(Main.java:1926)
    at sun.security.tools.keytool.Main.doCommands(Main.java:1021)
    at sun.security.tools.keytool.Main.run(Main.java:340)
    at sun.security.tools.keytool.Main.main(Main.java:333)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: java.io.IOException: getSecretKey failed: Password is not ASCII

Sadly, it's correct, the passphrase has two "®". So, given what I've done (the private key has the non-ASCII password), how much of a pain will it be to recover from this?:

1: Create a passphrase file: vi .kp
2: Make CSR:
A: Generate a 2048 bit private key:
openssl genpkey -algorithm RSA -outform PEM -out mike.privateKey.pass.pem -pkeyopt rsa_keygen_bits:2048 -pass file:.kp
B: Make the CSR:
openssl req -new -sha256 -key mike.privateKey.pass.pem -out mike.ike.com.cert.csr
Note: CSR has different "challenge password" than in the passphrase file, if that matters
3: Submit CSR to Comodo
4: Get certificate file mike_ike_com.cer & Comodo trust chain files: COMODORSAOrganizationValidationSecureServerCA.crt, COMODORSAAddTrustCA.crt, AddTrustExternalCARoot.crt
5: Convert the Certificates:
A: Convert to PEM:
openssl x509 -inform DER -in COMODORSAOrganizationValidationSecureServerCA.crt -out COMODORSAOrganizationValidationSecureServerCA.pem -outform PEM
openssl x509 -inform DER -in COMODORSAAddTrustCA.crt -out COMODORSAAddTrustCA.pem -outform PEM
openssl x509 -inform DER -in AddTrustExternalCARoot.crt -out AddTrustExternalCARoot.pem -outform PEM
B: Concat into a single file:
cat COMODORSAOrganizationValidationSecureServerCA.pem COMODORSAAddTrustCA.pem AddTrustExternalCARoot.pem > Comodo.root.crt 
C: Use openssl to create a pkcs12 file:
openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kp -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt 
Note: when it asks "Enter Export Password" I give it the pw from .kp
6: Use keytool to create the keystore file:
$JAVA_HOME/bin/keytool -importkeystore -deststorepass:file .kp -destkeypass:file .kp -destkeystore .keystore -srckeystore mike_ike.p12 -srcstoretype PKCS12 -srcstorepass:file .kp -alias tomcat

The file ".keystore" does not exist. I am assuming that keytool will create it.

Ok, so I have an answer.

1: I had a non-ASCII character in the password. openssl can handle that, keypass can't.

2: Having created the private key with the non-ASCII password, I'm stuck with it, so I renamed that file .kpkey and created a new .kp file with a pure ASCII password.

3: This required a change to 5:C:

openssl pkcs12 -export -in mike_ike_com.cer -inkey mike.privateKey.pass.pem -passin file:.kpkey -out mike_ike.p12 -name tomcat -caname root -chain -CAfile Comodo.root.crt 

Note: when it asks "Enter Export Password" I give it the pw from .kp, NOT from .kpkey. The only change is -passin file:.kpkey

Everything else remains the same, and works.
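The root cause above is that keytool's PKCS12 code only accepts ASCII passwords while openssl accepts any bytes, so a passphrase file that works for `openssl pkcs12 -passin file:` can still fail at `keytool -srcstorepass:file`. The following is an added example, not code from the question or the answer: a small POSIX shell script that checks a passphrase file for non-ASCII bytes before it is handed to keytool, plus a helper that re-wraps an encrypted PEM private key under a new passphrase with `openssl pkey` (assumed to be installed; it is defined but not run in the demo). The file names and sample passwords are constructed for the demo and are not real secrets.

```shell
#!/bin/sh
# Added example, not from the original question or answer: check a
# passphrase file before handing it to keytool. keytool's PKCS12 code
# only accepts ASCII passwords ("getSecretKey failed: Password is not
# ASCII"), whereas openssl accepts any bytes.

# password_is_ascii FILE
#   returns 0 when every byte in FILE is printable ASCII (0x20-0x7E) or a
#   newline, 1 otherwise. LC_ALL=C makes grep compare raw bytes, so the
#   two bytes of a UTF-8 "®" (0xC2 0xAE) are reported as non-ASCII.
password_is_ascii() {
    if LC_ALL=C grep -q '[^ -~]' "$1"; then
        return 1
    fi
    return 0
}

# count_non_ascii_bytes FILE
#   prints how many bytes in FILE fall outside printable ASCII and newline.
count_non_ascii_bytes() {
    LC_ALL=C tr -d ' -~\n' < "$1" | wc -c | tr -d ' '
}

# check_passphrase_file FILE
#   prints a verdict and returns the same status as password_is_ascii.
check_passphrase_file() {
    if password_is_ascii "$1"; then
        echo "$1: OK, ASCII-only password, usable with keytool"
        return 0
    fi
    echo "$1: $(count_non_ascii_bytes "$1") non-ASCII byte(s); keytool will reject this password"
    return 1
}

# reencrypt_private_key IN OLD_PASS_FILE OUT NEW_PASS_FILE
#   Re-wraps an encrypted PEM private key under a new passphrase with
#   openssl pkey (assumed installed; not invoked in this demo). The key
#   material is unchanged, only the PEM encryption is redone, so a key
#   created with a non-ASCII passphrase can be given an ASCII one.
reencrypt_private_key() {
    openssl pkey -in "$1" -passin "file:$2" -aes256 -out "$3" -passout "file:$4"
}

# Constructed sample passphrase files for the demo (not real secrets).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'Tr0ub4dor-3\n' > "$demo_dir/kp"                    # ASCII only
printf 'Tr0ub4dor\302\256\302\256\n' > "$demo_dir/kpkey"   # ends in two "®"

check_passphrase_file "$demo_dir/kp"
check_passphrase_file "$demo_dir/kpkey" || true
```

Run the check against the file you pass as `-srcstorepass:file` / `-deststorepass:file`; a non-zero exit means keytool will fail with exactly the "Password is not ASCII" cause shown in the stack trace above, regardless of whether the password is otherwise correct.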

I would like to add another possible cause:

This error message can be misleading because it also occurs when the keystore is in an unsupported format.
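Because the same "keystore password was incorrect" message can mean a wrong `-storetype` rather than a wrong password, it helps to look at the file's leading bytes before retrying passwords. This is an added example, not code from the answer: a POSIX shell function that classifies a keystore file by its magic bytes (JKS starts with 0xFEEDFEED, JCEKS with 0xCECECECE, and a PKCS12 file is DER, so it starts with a SEQUENCE tag 0x30 0x82 for realistic sizes). The sample files are constructed inline for the demo.

```shell
#!/bin/sh
# Added example, not from the original answer: tell a JKS, JCEKS or
# PKCS12 (DER) keystore apart by its first bytes, so a "keystore password
# was incorrect" error caused by the wrong -storetype can be recognised.

# keystore_format FILE -> prints JKS, JCEKS, DER or UNKNOWN
keystore_format() {
    # First four bytes as lowercase hex without separators, e.g. "feedfeed".
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        # 0x30 0x82 is a DER SEQUENCE with a two-byte length: a PKCS12
        # keystore, but also any other DER blob (a bare certificate, a key).
        3082*)    echo DER ;;
        *)        echo UNKNOWN ;;
    esac
}

# suggested_storetype FILE -> the keytool -storetype to try for FILE
suggested_storetype() {
    case "$(keystore_format "$1")" in
        JKS)   echo JKS ;;
        JCEKS) echo JCEKS ;;
        DER)   echo PKCS12 ;;
        *)     echo "unknown: not a keystore keytool can load" ;;
    esac
}

# Constructed sample files (header bytes only, not loadable keystores).
ks_dir=$(mktemp -d)
trap 'rm -rf "$ks_dir"' EXIT
printf '\376\355\376\355\000\000\000\002' > "$ks_dir/store.jks"   # JKS magic + version 2
printf '\316\316\316\316\000\000\000\002' > "$ks_dir/store.jceks" # JCEKS magic
printf '\060\202\010\000\002\001\003'     > "$ks_dir/store.p12"   # DER SEQUENCE
printf 'not a keystore\n'                 > "$ks_dir/store.txt"

for f in "$ks_dir"/store.*; do
    echo "$f: $(keystore_format "$f") -> -storetype $(suggested_storetype "$f")"
done
```

If the result disagrees with the `-storetype` (or `-srcstoretype`) you passed, fix that first; only then is a remaining failure really about the password.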

I have got this sorted out. I was using my password, which is 'password', to update the cacerts keystore in the JDK, while the default password for the cacerts keystore is 'changeit'.

In our situation the Application Server was not opening the Keystore.p12 that was supplied by the application, but the generated KeyStore.p12 during startup. Both were in different (yet similar) paths but had different passwords.
