How to create a .bks keystore with the Java Sun keytool, what should I do?
C:\Program Files\Java\jdk1.6.0\jre\bin>keytool -genkey -alias server3private -keystore server3.private -storetype BKS -keyalg rsa -dname "CN=Your Name, OU=Your Organizational Unit, O=Your Organization, L=Your City, S=Your State, C=Your Country" -storepass tahirpw -keypass tahirpw
It gives me this error:
keytool error: java.security.KeyStoreException: BKS not found
Your error indicates that keytool tries to instantiate a BKS keystore but no Cryptographic Service Provider (CSP) is able to provide such an implementation. The BKS keystore type is a type implemented by the BouncyCastle CSP.
Therefore there are two solutions:
1. Install this provider with Java. Oracle published comprehensive documentation along with Java.
2. Pass to keytool the suitable options to indicate which CSP should be used and its location:
   -storetype BKS <- keystore type
   -provider org.bouncycastle.jce.provider.BouncyCastleProvider <- CSP implementation
   -providerpath /path/to/bouncycastle.jar <- path to the CSP jar file
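The "BKS not found" failure is simply KeyStore.getInstance finding no registered provider for that type. The following is an added diagnostic example (not code from the question or answer above): it lists which keystore types each installed provider offers, checks whether a requested type is available, and, if it is not, registers the BouncyCastle provider programmatically, which is the in-process equivalent of keytool's -provider/-providerpath options. It assumes the bcprov jar is on the classpath when that fallback runs; the class name KeyStoreTypeCheck is my own.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.util.Map;
import java.util.TreeMap;
import java.util.TreeSet;

/**
 * Lists the KeyStore types each installed provider implements and shows how
 * to test for a type (such as BKS) before calling KeyStore.getInstance.
 */
public final class KeyStoreTypeCheck {

    /** Provider name -> the KeyStore types that provider implements. */
    public static Map<String, TreeSet<String>> keyStoreTypesByProvider() {
        Map<String, TreeSet<String>> result = new TreeMap<>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("KeyStore".equals(s.getType())) {
                    result.computeIfAbsent(p.getName(), k -> new TreeSet<>())
                          .add(s.getAlgorithm());
                }
            }
        }
        return result;
    }

    /** True if some installed provider can instantiate the given store type. */
    public static boolean isStoreTypeAvailable(String storeType) {
        try {
            KeyStore.getInstance(storeType);
            return true;
        } catch (KeyStoreException e) {
            // This is the condition keytool reports as "<type> not found".
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String wanted = args.length > 0 ? args[0] : "BKS";
        keyStoreTypesByProvider().forEach((name, types) ->
                System.out.println(name + ": " + types));

        if (!isStoreTypeAvailable(wanted)) {
            System.out.println(wanted + " not found; registering BouncyCastle provider");
            // Equivalent of keytool -provider/-providerpath, assuming the bcprov jar
            // is on the classpath (the class is looked up reflectively so this file
            // compiles without it).
            Provider bc = (Provider) Class.forName(
                    "org.bouncycastle.jce.provider.BouncyCastleProvider")
                    .getDeclaredConstructor().newInstance();
            Security.addProvider(bc);
        }
        System.out.println(wanted + " available: " + isStoreTypeAvailable(wanted));
    }
}
```

Run it as `java -cp bcprov.jar:. KeyStoreTypeCheck BKS`. Registering the provider at runtime only affects that JVM; for keytool itself you still need the -provider/-providerpath options or a java.security entry, as the answer says.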
I have created a JKS truststore for an application. (PKCS12 is not yet supported by the OpenJDK on the production server.)
I am trying to add a certificate to the truststore using the KeyStore API:
    public void addToTrustStore(List<String> certChain) {
        String alias;
        try {
            KeyStore keyStore = loadTruststore();
            for (String cert : certChain) {
                alias = UUID.randomUUID().toString();
                X509Certificate certificate = decodePEMCertificate(cert); // converts PEM format to X509Certificate
                keyStore.setCertificateEntry(alias, certificate);
                // {} placeholders (SLF4J style), one per argument
                logger.debug("Added the certificate with DN: {} to the truststore with the alias: {}",
                        certificate.getSubjectDN(), alias);
            }
        } catch (KeyStoreException e) {
            // process exception
        }
    }
Can anyone help me get past this read-only nature of this JKS?
Thanks in advance.
Solution:
Summary: BouncyCastle doesn't permit writing to JKS keystores, so we need to use a BCFKS-format keystore.
You can use the providers:
org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, for FIPS compliance
org.bouncycastle.jce.provider.BouncyCastleProvider
The keytool commands that worked for me:
Create keystore:
keytool -import -file pem.cert -alias "vmware" -storepass changeit -keystore truststore.bks -deststoretype BCFKS -noprompt -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.2.jar
Delete an entry:
keytool -delete -alias boguscert -storepass changeit -keystore truststore.bks -storetype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.2.jar
I have created a self-signed certificate using the following command:
keytool -genkeypair -keyalg RSA -alias test-api -keystore test-api.p12 -storepass password -validity 3650 -keysize 2048 -storetype pkcs12
I then imported this certificate into a new truststore:
keytool -import -trustcacerts -alias test-api-2018 -file test.crt -keystore trusted-keystore.p12 -storetype pkcs12
In Java, I am creating a custom SSL store provider (org.springframework.boot.context.embedded.SslStoreProvider). As part of it, I loaded the keystore and truststore using the following Java code:
    try {
        try (final InputStream keyStoreStream = new ByteArrayInputStream(Base64.decode(keyStoreEncoded))) {
            keyStore = KeyStore.getInstance(KEYSTORE_TYPE_PKCS12);
            LOGGER.info("Loading a KeyStore object based on the decoded value.");
            keyStore.load(keyStoreStream, serverSslKeyPassword.toCharArray());
        }
        ....
        trustStore.load(trustStoreStream, serverSslTrustStorePassword.toCharArray());
    }
I created a custom implementation of EmbeddedServletContainerCustomizer and set the SSL store provider:
    public void customize(final ConfigurableEmbeddedServletContainer configurableEmbeddedServletContainer) {
        configurableEmbeddedServletContainer.setSslStoreProvider(awsSslStoreProvider);
    }
Application fails to start because of the following error:
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:253)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
... 19 common frames omitted
I just had this problem today. The problem occurs when the security config in the application.properties file isn't configured properly; this causes the certificate chain to break.
In my case I used
server.ssl.key-password=123456789
instead of
server.ssl.key-store-password=123456789
Minor issues like this can cause problems.
This also happens when using BouncyCastle as the PKCS12 keystore provider and the key alias uses incorrect upper case.
E.g. (incorrect):
server.ssl.key-alias=17B2E92E5694C7AE11A65C4A4EBFC75558399E05
instead (correct):
server.ssl.key-alias=17b2e92e5694c7ae11a65c4a4ebfc75558399e05
The strange thing about this error is that the key is found, so obviously that lookup is not case-sensitive, but the check for ks.getCertificateChain(keyAlias) is.
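Both answers above come down to the same thing: Tomcat's JSSEUtil calls KeyStore.setKeyEntry with whatever getKey and getCertificateChain return for the configured alias, and the "Private key must be accompanied by certificate chain" message means the chain came back empty. The following is an added pre-flight check (my own example, not code from the question, Spring Boot or Tomcat) that you can run against a keystore before starting the server. It resolves the alias to the spelling actually stored (so a case mismatch is reported rather than silently half-working), confirms the entry is a private key with a non-empty chain, and tries the key password separately from the store password so a key-password / key-store-password mix-up shows up as a distinct message. The class name ServerKeyStoreCheck and the argument order are my own.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Pre-flight check for a TLS server keystore: the alias must name a
 * private-key entry with a certificate chain, which is what
 * KeyStore.setKeyEntry (as called from Tomcat's JSSEUtil) requires.
 */
public final class ServerKeyStoreCheck {

    /**
     * Returns the alias exactly as the provider stores it, or null.
     * Some providers match getKey(alias) case-insensitively but
     * getCertificateChain(alias) exactly, so normalise first.
     */
    public static String resolveAlias(KeyStore ks, String requested) throws Exception {
        for (String stored : Collections.list(ks.aliases())) {
            if (stored.equalsIgnoreCase(requested)) {
                return stored;
            }
        }
        return null;
    }

    /** Lists problems with the entry; an empty list means the server can use it. */
    public static List<String> check(KeyStore ks, String requestedAlias, char[] keyPassword)
            throws Exception {
        List<String> problems = new ArrayList<>();
        String alias = resolveAlias(ks, requestedAlias);
        if (alias == null) {
            problems.add("no entry named '" + requestedAlias + "'; aliases present: "
                    + Collections.list(ks.aliases()));
            return problems;
        }
        if (!alias.equals(requestedAlias)) {
            problems.add("alias case differs: configured '" + requestedAlias
                    + "', stored '" + alias + "'");
        }
        if (!ks.isKeyEntry(alias)) {
            problems.add("'" + alias + "' is a trusted-certificate entry, not a private key");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            problems.add("'" + alias + "' has no certificate chain");
        }
        try {
            if (ks.getKey(alias, keyPassword) == null) {
                problems.add("'" + alias + "' has no key material");
            }
        } catch (UnrecoverableKeyException e) {
            problems.add("wrong key password for '" + alias
                    + "' (check key-password versus key-store-password)");
        }
        return problems;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ServerKeyStoreCheck <store file> <store type> <store pw> <key pw> <alias>
        Path file = Paths.get(args[0]);
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, args[2].toCharArray());
        }
        List<String> problems = check(ks, args[4], args[3].toCharArray());
        if (problems.isEmpty()) {
            Certificate[] chain = ks.getCertificateChain(resolveAlias(ks, args[4]));
            System.out.println("OK: " + chain.length + " certificate(s); leaf subject = "
                    + ((X509Certificate) chain[0]).getSubjectX500Principal());
        } else {
            for (String p : problems) {
                System.out.println("PROBLEM: " + p);
            }
        }
    }
}
```

For a PKCS12 file created by keytool the key password is normally the same as the store password, so pass the same value twice; if the check reports a wrong key password while the store loaded fine, the two properties in application.properties have been swapped, as in the first answer.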
jdbc:mysql://localhost:3306/MyDb?verifyServerCertificate=true&useSSL=true&requireSSL=true
I downloaded the public certificate from the MySQL server and put it into cacerts like this:
keytool.exe -import -alias mysql_dev \
-keystore /c/dev/tools/Java/jre1.8.0_131/jre/lib/security/cacerts \
-file rds-combined-ca-bundle.pem
I generated new keys using keytool like this:
keytool.exe -genkeypair -alias adam \
-keypass changeit \
-keysize 1024 \
-keystore /c/dev/.secure/haa2xt.jks \
-storepass changeit
So now I can see that Java is picking up both my key from the keystore and the server certificate from the truststore, but still I'm getting the PKIX error.
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to
find valid certification path to requested target
I added this debug param to the command line and got some more info, which all looks good, and I can see the MySQL certificate in there.
-Djavax.net.debug=all
trustStore is: c:\dev\tools\java\jdk1.8.0_131\jre\lib\security\cacerts
trustStore type is : jks
[.....]
keyStore is : C:/dev/.secure/haa2xt.jks
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
*** found key for : adam
What have I done wrong?
It turns out that the keytool import command will only import the first certificate in the PEM file when there are more than one.
This was the only one I checked for as well, so I thought it was fine when actually there were about 15 that I still hadn't imported.
I used this tool to import them all: https://github.com/use-sparingly/keyutil
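The root cause above (keytool -import reads only the first certificate of a multi-certificate PEM bundle) and the earlier BCFKS answer (BouncyCastle will not write JKS, so the truststore has to be created in a type the chosen provider supports) can be handled with one small importer. The following is an added example, my own code rather than the keyutil tool linked above or anything from the answers: it parses every certificate in a bundle with CertificateFactory.generateCertificates, loads or creates a truststore of a given type through an optional named provider class, adds each certificate that is not already present under a derived alias, and writes the store back. The class name PemBundleImporter, the argument order and the alias scheme are my own assumptions; the provider class, if given, must be on the classpath.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Provider;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Imports every certificate in a PEM bundle into a truststore and writes the
 * store back, so a CA bundle does not end up with only its first certificate trusted.
 */
public final class PemBundleImporter {

    /** Parses all certificates in a PEM (or DER) file, unlike keytool -import which stops after the first. */
    public static List<X509Certificate> readAll(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = Files.newInputStream(pemFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /** Loads an existing store of the given type, or initialises an empty one. */
    public static KeyStore loadOrCreate(Path file, String storeType, Provider provider,
                                       char[] password) throws Exception {
        KeyStore ks = provider == null
                ? KeyStore.getInstance(storeType)
                : KeyStore.getInstance(storeType, provider);
        if (Files.exists(file)) {
            try (InputStream in = Files.newInputStream(file)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, password); // empty store, to be written by store()
        }
        return ks;
    }

    /** Adds each certificate not already in the store; returns how many were added. */
    public static int addAll(KeyStore ks, String aliasPrefix, List<X509Certificate> certs)
            throws Exception {
        int added = 0;
        for (X509Certificate cert : certs) {
            // Deduplicate by certificate content rather than by alias.
            if (ks.getCertificateAlias(cert) != null) {
                continue;
            }
            // Alias scheme is my own: prefix, subject hash, serial number (hex); aliases are
            // stored lower-cased because several providers fold case anyway.
            String alias = aliasPrefix + "-"
                    + Integer.toHexString(cert.getSubjectX500Principal().hashCode()) + "-"
                    + cert.getSerialNumber().toString(16);
            ks.setCertificateEntry(alias.toLowerCase(), cert);
            added++;
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java PemBundleImporter <bundle.pem> <store file> <store type> <password> [provider class]
        Path bundle = Paths.get(args[0]);
        Path store = Paths.get(args[1]);
        char[] password = args[3].toCharArray();
        Provider provider = null;
        if (args.length > 4) {
            provider = (Provider) Class.forName(args[4]).getDeclaredConstructor().newInstance();
        }
        KeyStore ks = loadOrCreate(store, args[2], provider, password);
        List<X509Certificate> certs = readAll(bundle);
        int added = addAll(ks, "bundle", certs);
        try (OutputStream out = Files.newOutputStream(store)) {
            ks.store(out, password);
        }
        System.out.println("bundle contained " + certs.size() + " certificate(s); added "
                + added + "; store now holds " + ks.size() + " entries");
    }
}
```

For the RDS case above that is `java PemBundleImporter rds-combined-ca-bundle.pem cacerts JKS changeit` against a copy of cacerts (the Sun provider writes JKS fine); for the BCFKS answer it is `java -cp bc-fips-1.0.2.jar:. PemBundleImporter pem.cert truststore.bks BCFKS changeit org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider`. Comparing the "contained" and "store now holds" counts is the quick way to confirm nothing was silently dropped.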
I have a blah.p7b certificate of type PKCS#7 which I want to import into a Java keystore using keytool in order to enable HTTPS on Tomcat. I don't have the alias name and keystore from when the certificate was generated; I took it from the client who wants to enable HTTPS on the web application server that they use. Can this work without having the original alias name and keystore?
When I tried to import the certificate I used this command:
keytool -import -trustcacerts -file certificate.p7b -keystore keystore -storepass <mypasswd> -alias "myalias"
But it gives me this error:
keytool error: java.lang.Exception: Certificate reply does not contain public key for <mydomain>
Please help...
If you haven't got the original KeyStore you are hosed. You have to generate a new KeyStore, a new keypair, a new CSR, get it signed, and then import the signed cert and its chain into the KeyStore using the same alias as the keypair.
I'm using Not-yet commons SSL to develop my own TLS socket.
But I always get "No private keys found in keystore" on the following code:
    private SSLServer sslS = null;
    //...
    sslS = new SSLServer();
    KeyMaterial km = new KeyMaterial(certChain, privateKeyFile, certPassword.toCharArray(), privateKeyPassword.toCharArray());
The certChain used the original JRE's cacerts:
C:/Program Files/Java/jre1.8.0_101/lib/security/cacerts
This gives me a java.security.KeyStoreException: No private keys found in keystore!
The certChain used my own:
keytool -certreq -alias 127.0.0.1 -keystore ServerKey.jks -file 127.0.0.1.csr
This gives me a java.security.KeyStoreException: failed to extract any certificates or private keys - maybe bad password?
But I am 100% sure that my password is right. My password is a simple "123456"; there is no way I could get it wrong.
The private key I generated by:
keytool -genkey -alias 127.0.0.1 -keyalg RSA -keystore ServerKey.jks -keysize 2048
How can I solve this problem? Any suggestion?