
Java Keytool CSR error even when keystore exists

I would like to securely exchange data between my own servers and these will not leave the internal domain. For this, I would like to:

  1. Generate keys for keystore.

  2. Generate a CSR using Keytool, specifying the key above.

  3. Import the response into my default cacerts file so that I can refer to that as my truststore.

So:

  1. First I generated a keypair using the following (default encryption algorithm):

keytool -genkeypair -alias mykeys -keystore mykeystore.jks -keypass changeit -storepass changeit -keysize 1024 -noprompt

  2. Then, I create a CSR using the following command:

keytool -certreq -alias myinternalcert -keystore mykeystore.jks -storepass changeit -file myinternalcert.csr

It throws the following error:

keytool error: java.lang.Exception: Alias <myinternalcert> does not exist

I tried to find examples in Oracle's blog and it looks like this is the way to correctly generate a CSR - but in my case it's all errors :)

The only thing I understand about SSL so far is:

  1. Keystore - I want to authenticate myself to another server/client and my private key is in my keystore. I will also use this to sign my certificates.

  2. Trust store - this is to determine whether the information I am receiving is from a legit source, i.e. do I trust them. I store certificates here.

  1. You need to use the same alias when creating the CSR and importing the signed certificate that you used when generating the keypair.
  2. You should import the signed-certificate response into your keystore. Not your truststore. You don't trust the signed certificate, you own it, and it therefore belongs in your keystore. Your truststore is for other certificates that you trust.
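The two points in this answer, worked through end to end as an added example (this is not code from the question or the answer): the key is generated under one alias, the CSR is requested for that same alias, the reply is imported back under that same alias into the keystore, and only the CA certificate goes into the truststore. The internal CA is itself a keytool keystore so no other tool is needed. Assumptions not in the original post: a JDK keytool on PATH (JDK 7 or later, for -gencert), the demo password "changeit", the hostname app1.internal.example and the alias "mykeys"; the key is 2048-bit RSA rather than the question's 1024-bit, which recent keytool versions warn about. The CA certificate is imported into the keystore before the reply so that keytool can build and verify the chain (the alternative is -trustcacerts when the CA is already in cacerts). One function deliberately reproduces the "Alias <myinternalcert> does not exist" error by requesting a CSR for an alias that was never created.

```shell
#!/bin/sh
# Added example, not from the original post: the full keystore / CSR / truststore
# flow done with keytool only, using an internal CA that also lives in a keystore.
# Assumptions: a JDK keytool on PATH (JDK 7+ for -gencert), demo password
# "changeit", hostname app1.internal.example, key alias "mykeys".
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"   # demo password only
ALIAS="mykeys"             # the -genkeypair alias; -certreq and -importcert must reuse it
HOST="app1.internal.example"

# Force English keytool output so the read-back helpers below can parse it.
kt() { keytool -J-Duser.language=en -J-Duser.country=US "$@"; }

# CA side: a self-signed CA key, marked as a CA (basicConstraints, critical), and its PEM cert.
gen_ca() {
  kt -genkeypair -alias internal-ca -keyalg RSA -keysize 3072 -validity 3650 \
     -dname "CN=Internal CA, O=Example" -ext bc:c \
     -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS"
  kt -exportcert -alias internal-ca -keystore "$WORK/ca.jks" -storepass "$PASS" \
     -rfc -file "$WORK/ca.pem"
}

# Server side, step 1: the private key (2048-bit RSA, not the 1024 from the question).
gen_server_key() {
  kt -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 \
     -dname "CN=$HOST, O=Example" \
     -keystore "$WORK/mykeystore.jks" -storepass "$PASS" -keypass "$PASS"
}

# Server side, step 2: the CSR, requested for the SAME alias the key was generated under.
make_csr() {
  kt -certreq -alias "$ALIAS" -keystore "$WORK/mykeystore.jks" -storepass "$PASS" \
     -file "$WORK/server.csr"
}

# Reproduces the error from the question: -certreq for an alias that was never created.
csr_with_wrong_alias() {
  if kt -certreq -alias myinternalcert -keystore "$WORK/mykeystore.jks" \
        -storepass "$PASS" -file "$WORK/bad.csr" 2>/dev/null; then
    echo "unexpected: -certreq succeeded for an alias that does not exist" >&2
    return 1
  fi
  return 0   # keytool failed, as expected
}

# CA side: sign the CSR. SAN and EKU are decided by the CA, not by the requester.
sign_csr() {
  kt -gencert -alias internal-ca -keystore "$WORK/ca.jks" -storepass "$PASS" \
     -infile "$WORK/server.csr" -outfile "$WORK/server.cer" -validity 365 \
     -ext "san=dns:$HOST" -ext eku=serverAuth -rfc
}

# Server side, step 3: the reply goes into the KEYSTORE, under the key's alias.
# The CA cert is imported first so keytool can build and verify the chain.
import_reply() {
  kt -importcert -alias internal-ca -file "$WORK/ca.pem" \
     -keystore "$WORK/mykeystore.jks" -storepass "$PASS" -noprompt
  kt -importcert -alias "$ALIAS" -file "$WORK/server.cer" \
     -keystore "$WORK/mykeystore.jks" -storepass "$PASS" -noprompt
}

# Peers get only the CA certificate, in a truststore that holds no private keys.
build_truststore() {
  kt -importcert -alias internal-ca -file "$WORK/ca.pem" \
     -keystore "$WORK/truststore.jks" -storepass "$PASS" -noprompt
}

# Read back what ended up in a keystore: entry type, chain length, number of private keys.
entry_type()   { kt -list -v -keystore "$1" -storepass "$PASS" -alias "$2" | sed -n 's/^Entry type: //p'; }
chain_length() { kt -list -v -keystore "$1" -storepass "$PASS" -alias "$2" | sed -n 's/^Certificate chain length: //p'; }
private_keys() { kt -list -v -keystore "$1" -storepass "$PASS" | grep -c '^Entry type: PrivateKeyEntry' || true; }

run_demo() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; skipping demo" >&2; return 0; }
  gen_ca; gen_server_key; make_csr; csr_with_wrong_alias; sign_csr; import_reply; build_truststore
  echo "keystore:   $(entry_type "$WORK/mykeystore.jks" "$ALIAS"), chain length $(chain_length "$WORK/mykeystore.jks" "$ALIAS")"
  echo "truststore: $(entry_type "$WORK/truststore.jks" internal-ca), private keys: $(private_keys "$WORK/truststore.jks")"
}

run_demo
```

After import_reply the key entry's chain length goes from 1 (the self-signed placeholder keytool created at -genkeypair time) to 2 (server certificate plus CA), which is the quickest way to confirm the reply landed on the right alias; the truststore reports zero PrivateKeyEntry entries, which is what a file you hand to other servers should look like.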

Okay - My own fault.

Actually the alias is the same alias created for the keystore. Thanks to this post on Digital Ocean.

The keytool -certreq -help output doesn't really make this clear:

Options:

 -alias <alias>                  alias name of the entry to process (should have been "Alias of the keystore entry being used")
 -sigalg <sigalg>                signature algorithm name
 -file <filename>                output file name
 -keypass <arg>                  key password
 -keystore <keystore>            keystore name
 -dname <dname>                  distinguished name
 -storepass <arg>                keystore password
 -storetype <storetype>          keystore type
 -providername <providername>    provider name
 -providerclass <providerclass>  provider class name
 -providerarg <arg>              provider argument
 -providerpath <pathlist>        provider classpath
 -v                              verbose output
 -protected                      password through protected mechanism

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM