So I have this old keystore (mykeystore.p12) with a certificate that expires any day now + some other keys that I need to keep.
Then I got this new certificate.txt + privatekey.txt + bundle.txt from my CA. From what I can find I need to import all these files into a new keystore and then import the new keystore into my old keystore. (I tried importing it to my old keystore straight away but it wrote over the old store).
So to create the new keystore I do this:
openssl pkcs12 -export -in certificate.txt -inkey privatekey.txt -out newkeys.p12 -name com -CAfile bundle.txt -caname root
The newkeys.p12 works if I try to use it, but it is missing all my old keys that I still need so then to import it to my current old keystore (that worked fine but certificate expires) I do this:
keytool -importkeystore -deststorepass PASSWORD -destkeystore mykeystore.p12 -srckeystore newkeys.p12 -srcstoretype PKCS12 -srcstorepass PASSWORD -alias com
But then it all stops working and I can't even start my webapp because I get this error:
at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:934) ~[spring-context-5.3.4.jar!/:5.3.4]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:585) ~[spring-context-5.3.4.jar!/:5.3.4]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:144) ~[spring-boot-2.4.3.jar!/:2.4.3]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:767) [spring-boot-2.4.3.jar!/:2.4.3]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:759) [spring-boot-2.4.3.jar!/:2.4.3]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:426) [spring-boot-2.4.3.jar!/:2.4.3]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:326) [spring-boot-2.4.3.jar!/:2.4.3]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1311) [spring-boot-2.4.3.jar!/:2.4.3]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1300) [spring-boot-2.4.3.jar!/:2.4.3]
at com.aquaass.aquadb.AquaassApplication.main(AquaassApplication.java:17) [classes!/:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_275]
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_275]
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_275]
at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_275]
at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:49) [aquadb.jar:na]
at org.springframework.boot.loader.Launcher.launch(Launcher.java:107) [aquadb.jar:na]
at org.springframework.boot.loader.Launcher.launch(Launcher.java:58) [aquadb.jar:na]
at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:88) [aquadb.jar:na]
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Jetty server
at org.springframework.boot.web.embedded.jetty.JettyWebServer.start(JettyWebServer.java:194) ~[spring-boot-2.4.3.jar!/:2.4.3]
at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:43) ~[spring-boot-2.4.3.jar!/:2.4.3]
at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-5.3.4.jar!/:5.3.4]
... 23 common frames omitted
Caused by: java.security.UnrecoverableKeyException: Private key not stored as PKCS#8 EncryptedPrivateKeyInfo: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:338) ~[na:1.8.0_275]
at java.security.KeyStore.getKey(KeyStore.java:1023) ~[na:1.8.0_275]
at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145) ~[na:1.8.0_275]
at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70) ~[na:1.8.0_275]
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256) ~[na:1.8.0_275]
at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1243) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.util.ssl.SslContextFactory$Server.getKeyManagers(SslContextFactory.java:2267) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:372) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97) ~[jetty-server-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) ~[jetty-server-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) ~[jetty-server-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) ~[jetty-server-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.springframework.boot.web.embedded.jetty.SslServerCustomizer$SslValidatingServerConnector.doStart(SslServerCustomizer.java:265) ~[spring-boot-2.4.3.jar!/:2.4.3]
at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) ~[jetty-util-9.4.36.v20210114.jar!/:9.4.36.v20210114]
at org.springframework.boot.web.embedded.jetty.JettyWebServer.start(JettyWebServer.java:174) ~[spring-boot-2.4.3.jar!/:2.4.3]
... 25 common frames omitted
Caused by: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.util.ObjectIdentifier.<init>(ObjectIdentifier.java:285) ~[na:1.8.0_275]
at sun.security.util.DerInputStream.getOID(DerInputStream.java:320) ~[na:1.8.0_275]
at com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:267) ~[sunjce_provider.jar:1.8.0_275]
at java.security.AlgorithmParameters.init(AlgorithmParameters.java:293) ~[na:1.8.0_275]
at sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:137) ~[na:1.8.0_275]
at sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:119) ~[na:1.8.0_275]
at sun.security.x509.AlgorithmId.parse(AlgorithmId.java:393) ~[na:1.8.0_275]
at sun.security.pkcs.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:80) ~[na:1.8.0_275]
at sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:327) ~[na:1.8.0_275]
... 46 common frames omitted
At first I thought there might be some conflict between the private keys, that they were in different formats so that there was some conflict or something (since they only don't work when they are all in the same keystore), but it appears they are all RSA 2048. So now I must think I am importing it wrong, but this is how it is done according to my research online so I'm stumped and kind of in a hurry to solve this. My CA was nice enough to generate a new cert but still the same problem so I'm leaning towards the import going wrong or something.
It doesn't seem to matter if I import the new keystore to my oldkeystore or the other way around, still the same problem. Why do I get this error? Please help!
Edit 1: Now I even tried to generate a new keypair (99% sure I did it exactly like last year) in my own working keystore and then exported a signing request (.csr) which I got signed. I then imported the new signed cert and bundle to that keypair alias but still I get this same error!
Command for generating new keypair and cert:
keytool -genkey -alias com -keystore mykeystore.p12 -storetype PKCS12 -keyalg RSA -storepass PASSWORD -validity 366 -keysize 2048
Command for exporting csr:
keytool –keystore mykeystore.p12 –certreq –alias com –keyalg rsa –file sign-request.csr
Edit 2: Info on keystores in different stages:
mykeystore.p12 -info:
MAC Iteration 100000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Certificate bag
Certificate bag
Certificate bag
newkey.p12 -info:
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
merged mykeystore.p12 -info:
MAC Iteration 100000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
And this is the original keystore (from edit 1) where I created the keys
+ csr and imported signed cert (I thought I generated the keys the same
way as last year but it appears maybe not):
MAC Iteration 100000
MAC verified OK
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 50000
Shrouded Keybag: PBES2, PBKDF2, AES-256-CBC, Iteration 10000, PRF hmacWithSHA256
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 50000
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Certificate bag
Edit 3:
java version "1.8.0_241"
Java(TM) SE Runtime Environment (build 1.8.0_241-b07)
Java HotSpot(TM) 64-Bit Server VM (build 25.241-b07, mixed mode)
Okay, it finally develops you are on Windows and have tried to move and change parts of the installed Java. Since you apparently have the updater, I assume you used the Oracle executable installer (for JRE, or for JDK containing 'public' JRE), rather than the tgz 'installer' (really just an archive) for JRE or Server-JRE.
Copying pieces of Java around, especially on Windows, is not supported. Java utilities like keytool rmid javac jar jlink jconsole are provided as .exe files on Windows but those don't contain the actual functionality, they are only stubs that load and run Java code to do the actual functionality, and at least on Windows this code may sometimes be found not in the same directory but via the registry, which records where the installer put it, not any manual changes you made.
I suspect the Java Updater (which isn't part of Windows) did at least try to install an update to 8u301 or higher, and as a result you're now running a sort of Franken-Java with parts from at least two different versions, making it basically impossible to accurately predict or understand what it's doing.
You might look at controlpanel / Programs&Features (aka appwiz.cpl) to see what is recorded as installed, but if you have manually changed things this record may not be correct / complete.
I think you have 4 options:
restore this machine to a single proper version of Java below 8u301. Given your vague description the only method I have confidence is to remove everything you have now and start from scratch. (IIRC you can't actually exclude the updater from the .exe installer, but you can disable it, to prevent it getting you back into the same mess again. Or maybe use one of the tgz packages which doesn't have the updater.) If you have problems using standardly-installed Java, you might want to ask about that; I don't, and I see very few Qs from other people that do, and given the many Qs about other aspects of Java this strongly suggests that the standard install works for many people.
use a different machine that has, or on which you get, a proper version below 8u301. The machine running the app apparently has 8u275, which is probably an OpenJDK release because there appears to be no record of an Oracle 27x release other than 271; maybe you can use that. On Win 10 up, you could use WSL, which is actually a (small, convenient) virtual machine (that you could delete afterwards if you don't want to keep it).
use JKS format instead of PKCS12, if the nonstandard and somewhat lower security is acceptable. Java support of JKS was not changed like PKCS12 was, so even a mixed-up Java should produce a usable JKS.
upgrade the app-running machine (or environment e.g. container) to 8u301 or higher -- or maybe even 11 or 17, but there may be issues with Spring in moving to modular Java -- so it can handle PBES2. This is the best long-term solution; Java is conforming to an industry trend to move, although not uniformly, to better security, and if you stick in the past you will eventually (and perhaps abruptly) have more and more problems of this type.