Invalid Keystore Format after creating a keystore and attaching a certificate to it
I am creating a keystore using OpenSSL using the following command :
openssl pkcs12 -export -in mycert.crt -inkey mykey.key \ -out mycert.p12 -name tomcat -CAfile myCA.crt \ -caname root
as per the documentation.
Now when I try to validate the keystore using keytool -list -v -keystore mycert.p12, I am getting an Invalid Keystore Exception.
Is this because I am using Apache implementation of creating a keystore?
Also a constraint I have is that I cannot use Java keytool to create a keystore although my Java program is using to keystore for FTPS transfer.
Use -storetype pkcs12 option with keytool.
keytool -list -v -keystore mycert.p12 -storetype pkcs12
By default, keytool assumes that the keystore type is JKS and if it's not, keytool fails. If using other keystore files (.p12 in your example), you need to explicitely give a store type using the mentioned method.
I solved this by removing Java 1.7 from my machine. This made the Java 1.8 keytool the only available keytool. Since the Java 1.8 keytool supports pkcs12, the command worked.
Here is how to remove Java 1.7 (on Windows 10 OS):
- go to Windows Settings => Apps & Features
- find all apps containing Java 1.7 or Java 7 in their name
- click on the app name and select Uninstall
- follow the uninstallation wizard for each of them
- remove Java 1.7 from PATH
Note: This might be achieved without uninstallation, only by placing the Java 1.8 path in the PATH variable before/above the path of Java 1.7, but I haven't tested this.