0
votes

In soapUI 5.1.3, I set the keystore to C:\ccc_acp.keystore in preferences > ssl settings, then I can connect to my target https server.

Then I run the following command in C:\Program Files\Java\jdk1.6.0_38\jre\lib\security>

keytool -importkeystore -srckeystore C:\ccc_acp.keystore -destkeystore .\cacerts

No error, and keytool returns:

Import command completed: 2 entries successfully imported, 0 entries failed or cancelled

Then in soapUI 5.1.3, I set the keystore to C:\Program Files\Java\jdk1.6.0_38\jre\lib\security\cacerts, but when I connect to the same https server, it returns SSLHandshakeException:Received fatal alert:handshake_failure.

Why does this happen?

And in fact I feel somewhat lost on the terms: when one says cert., does it mean public key, private key, or both?

Could I import a private key in cacerts?

When I run the keytool command

keytool -list -v -keystore .\cacerts

I see an entry with

Entry type: PrivateKeyEntry

Does this indicate it is a private key?

and an entry with

Entry type: trustedCertEntry

Does this indicate it is a public key? Does TrustedCert mean public key only?

Sorry that I am new to SSL.

1
Does .\cacerts have additional entries, on top of the two that you imported? Compare keytool -list -v -keystore .\cacerts with keytool -list -v -keystore C:\ccc_acp.keystore
icedtrees

1 Answer

0
votes

> In soapUI 5.1.3, I set the keystore to C:\ccc_acp.keystore in preferences > ssl settings, then I can connect to my target https server.

Moment please. Is this a KeyStore, i.e. containing private keys, or just a truststore, i.e. just containing trusted certificates? Or to ask another way, is the server using a self-signed certificate?

> Then I run the following command in C:\Program Files\Java\jdk1.6.0_38\jre\lib\security>
>
> keytool -importkeystore -srckeystore C:\ccc_acp.keystore -destkeystore .\cacerts
>
> No error, and keytool returns:
>
> Import command completed: 2 entries successfully imported, 0 entries failed or cancelled

Curious thing to do, unless it is a truststore rather than a KeyStore, and the server is using a self-signed certificate. You'll have to tell us which.

> Then in soapUI 5.1.3, I set the keystore to C:\Program Files\Java\jdk1.6.0_38\jre\lib\security\cacerts, but when I connect to the same https server, it returns SSLHandshakeException:Received fatal alert:handshake_failure.

You'll have to provide more information than that. The entire stack trace, for a start, preferably the output produced by setting -Djavax.net.debug=SSL,handshake

> Why does this happen?

Impossible to say without the extra information mentioned above.

> And in fact I feel somewhat lost on the terms: when one says cert., does it mean public key, private key, or both?

Neither. A certificate is an identifying wrapper for a public key, either self-signed or signed by somebody else.

> Could I import a private key in cacerts?

You don't want to. The cacerts file is a truststore, not a KeyStore. See above.

> When I run the keytool command
>
> keytool -list -v -keystore .\cacerts
>
> I see an entry with
>
> Entry type: PrivateKeyEntry
>
> Does this indicate it is a private key?

Of course it does. It also indicates that you started with a KeyStore, not a truststore, as discussed above.

So everything you have done so far has been completely invalid.

You need to name the original file you started with as the KeyStore, leave the truststore to the default, which is the cacerts file provided with the JRE, not tampered with by you, and try it all again, without any use of the keytool at all.

> and an entry with
>
> Entry type: trustedCertEntry
>
> Does this indicate it is a public key?

No, it indicates it is a trusted certificate.

> Does TrustedCert mean public key only?

No, see above.

> Sorry that I am new to SSL.

Very new. I don't know what you've been reading, or where you got all this nonsense, but it is all completely wrong. I suggest you forget it all and start again by reading the JSSE Reference Guide, thoroughly.
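
The KeyStore/truststore distinction discussed in this answer can be checked programmatically. The following is an added example, not code from the original answer or from the JSSE documentation: it lists every entry of a store file and counts key entries, which is how a cacerts file that has had a KeyStore imported into it can be recognised. The class name StoreAudit is hypothetical; the default path and the stock cacerts password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Lists each entry of a Java keystore file and reports key entries found in it. */
public class StoreAudit {
    public static void main(String[] args) throws Exception {
        // Assumptions: default path is this JRE's cacerts; "changeit" is the stock cacerts password.
        String path = args.length > 0 ? args[0]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            in.close();
        }

        int keyEntries = 0;
        for (String alias : Collections.list(store.aliases())) {
            Certificate cert = store.getCertificate(alias);
            String subject = cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            if (store.isKeyEntry(alias)) {
                // keytool lists these as PrivateKeyEntry (or SecretKeyEntry): key material
                keyEntries++;
                System.out.println("KEY ENTRY     " + alias + "  " + subject);
            } else if (store.isCertificateEntry(alias)) {
                // keytool lists these as trustedCertEntry: a certificate only, no private key
                System.out.println("TRUSTED CERT  " + alias + "  " + subject);
            }
        }
        System.out.println(keyEntries + " key entries in " + path);
        if (keyEntries > 0) {
            System.out.println("Key entries present: this file holds key material, so it is not purely a truststore.");
        }
    }
}
```

Run with no arguments it audits the JRE's own cacerts; pass a file path and its password as the two arguments to audit another store, such as the one named in soapUI's SSL settings.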