Automating keystore with keytool and openssl

I have this script:


# client private key (unencrypted, so the -passin/-passout below have nothing to act on)
openssl genrsa -out client2.key 2048
# certificate signing request for the client key
openssl req -new -key client2.key -out client2.csr -subj "/C=/ST=/L=/O=/OU=/CN=/emailAddress=" -passin pass:$PASSWORD -passout pass:$PASSWORD
# sign the CSR with the internal CA
openssl x509 -req -in client2.csr -CA ./ca/ca.crt -CAkey ./ca/ca.key -CAcreateserial -out client2.crt -days 1825 -sha256
# bundle key + certificate as PKCS#12
openssl pkcs12 -export -out bundle.p12 -in client2.crt -inkey client2.key -password pass:$PASSWORD
# truststore with the CA certificate
keytool -keystore truststore.jks -import -file ./ca/ca.crt -alias cacert -storepass $PASSWORD -keypass $PASSWORD -noprompt
# keystore with the client key + certificate, imported from the PKCS#12 bundle
keytool -destkeystore keystore.jks -importkeystore -srckeystore bundle.p12 -srcstoretype PKCS12 -srcstorepass $PASSWORD -destkeypass $PASSWORD -deststorepass $PASSWORD -srckeypass $PASSWORD

The problem is with the last command, it returns:

keytool error: keystore password was incorrect

And I don't understand why, since the password is always the same for all of it.


  • While trying to manually run the import command, like this...

    keytool -v -importkeystore -srckeystore bundle.p12 -srcstoretype pkcs12 \
      -destkeystore keystore.jks -deststoretype JKS -deststorepass password123 \
      -srcstorepass password123

    I received the following exception:

    Importing keystore bundle.p12 to keystore.jks...
    keytool error: keystore password was incorrect keystore password was incorrect
            at java.base/
            at java.base/
            at java.base/
            at java.base/
            at java.base/
            at java.base/
            at java.base/
    Caused by: failed to decrypt safe contents entry: Empty subject DN not allowed in v1 certificate

    That suggests that part of your problem may be that in your script you're not providing any values for the subject. If I fix that:

    openssl req -new -key client2.key -out client2.csr -subj "/CN=example-client" \
      -passin pass:$PASSWORD -passout pass:$PASSWORD

    The manual import command works without a problem:

    $ keytool -v -importkeystore -srckeystore bundle.p12 -srcstoretype pkcs12 \
      -destkeystore keystore.jks -deststoretype JKS -deststorepass password123 \
      -srcstorepass password123
    Importing keystore bundle.p12 to keystore.jks...
    Entry for alias 1 successfully imported.
    Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
    [Storing keystore.jks]

    But the command in your script -- which differs in that it includes the -srckeypass and -destkeypass -- still fails:

    Importing keystore bundle.p12 to keystore.jks...
    keytool error: java.lang.Exception: if alias not specified, destalias and srckeypass must not be specified

    If you remove the -srckeypass option from your script, it works as expected.
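The following is an added, self-contained version of the pipeline (it is not code from the question or the answer above) with both fixes the answer identifies applied: the CSR always carries a non-empty subject, and `-importkeystore` names the entry with `-srcalias`/`-destalias` so that `-srckeypass` and `-destkeypass` are accepted instead of triggering the "if alias not specified" error. It also builds its own throwaway CA in a temporary directory so it can run offline. The directory layout, the CN `example-client`, the friendly name `client2` and the password are assumptions chosen for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: keystore build with the two
# fixes from the answer (non-empty subject DN; alias given to -importkeystore).
# All paths, names and the password below are assumptions for the example.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT        # do not leave private keys lying around
PASSWORD="password123"
CLIENT_CN="example-client"

# Root cause of "Empty subject DN not allowed in v1 certificate": an empty CN.
# Fail early rather than producing a PKCS#12 that keytool cannot decrypt.
require_subject() {
  [ -n "$1" ] || { echo "refusing to build a CSR with an empty CN" >&2; return 1; }
}

# Throwaway self-signed CA so the example does not depend on ./ca/ existing.
make_ca() {
  mkdir -p "$WORK/ca"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca/ca.key" -out "$WORK/ca/ca.crt" 2>/dev/null
}

# Client key, CSR with a real subject, CA-signed cert, PKCS#12 bundle.
make_client_bundle() {
  require_subject "$CLIENT_CN"
  openssl genrsa -out "$WORK/client2.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/client2.key" -out "$WORK/client2.csr" \
    -subj "/CN=$CLIENT_CN"
  openssl x509 -req -in "$WORK/client2.csr" -CA "$WORK/ca/ca.crt" \
    -CAkey "$WORK/ca/ca.key" -CAcreateserial -out "$WORK/client2.crt" \
    -days 1825 -sha256 2>/dev/null
  # -name sets the PKCS#12 friendlyName, which keytool uses as the alias
  # (without it the entry is imported as alias "1", as in the answer).
  openssl pkcs12 -export -name client2 -out "$WORK/bundle.p12" \
    -in "$WORK/client2.crt" -inkey "$WORK/client2.key" \
    -password "pass:$PASSWORD"
}

# Subject of the certificate inside the bundle, as openssl reads it back,
# e.g. "CN=example-client"; confirms the empty-DN cert did not get bundled.
bundle_subject_cn() {
  openssl pkcs12 -in "$WORK/bundle.p12" -nokeys -clcerts \
    -password "pass:$PASSWORD" 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# Truststore (CA cert) and keystore (client key + cert). Because the entry is
# named with -srcalias/-destalias, -srckeypass/-destkeypass are now legal;
# dropping both key-password options (as the answer suggests) also works.
import_into_keystores() {
  keytool -keystore "$WORK/truststore.jks" -import -file "$WORK/ca/ca.crt" \
    -alias cacert -storepass "$PASSWORD" -noprompt
  keytool -importkeystore -srckeystore "$WORK/bundle.p12" -srcstoretype PKCS12 \
    -srcstorepass "$PASSWORD" -srcalias client2 -srckeypass "$PASSWORD" \
    -destkeystore "$WORK/keystore.jks" -deststoretype JKS \
    -deststorepass "$PASSWORD" -destalias client2 -destkeypass "$PASSWORD" \
    -noprompt
  # Verify the private-key entry landed under the expected alias.
  keytool -list -keystore "$WORK/keystore.jks" -storepass "$PASSWORD" \
    | grep -q '^client2,'
}

build_all() {
  make_ca
  make_client_bundle
  if command -v keytool >/dev/null 2>&1; then
    import_into_keystores
  else
    echo "keytool not found; bundle built at $WORK/bundle.p12 but not imported" >&2
  fi
}

build_all
echo "bundled certificate subject: $(bundle_subject_cn)"
```

Two further points a practitioner should check. `keytool` on JDK 9 and later warns that JKS is a proprietary format and recommends PKCS12; a PKCS12 destination keystore is the safer long-term choice. And if the import still reports "keystore password was incorrect" even though the subject and the password are right, check the OpenSSL and JDK versions: OpenSSL 3 writes PKCS#12 files with its newer default encryption (PBES2/AES-256, SHA-256 MAC), which older JDK 8 and 11 builds cannot parse and report with that same misleading message; on OpenSSL 3 `openssl pkcs12 -export -legacy` produces a bundle those older runtimes accept.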