None of the answers on this topic in the forum sufficiently address this problem when the recommendations don't work, e.g. I have an application that is processing PKI certs. This app has been working fine until my certificate expired and I had to obtain a new one. I replaced the certificate as follows:

keytool -v -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 -srcalias [alias name] -destkeystore keystore.jks -deststoretype JKS -deststorepass changeit -destalias [alias name]

When I tried to run the app I got the "cannot recover key" exception, which I never got before. So I found the recommendations to run:

keytool -keypasswd -alias [alias name] -keystore keystore.jks

I gave it the store password and the cert password as prompted, but still received the same exception. Now what? I've been experimenting all afternoon and nothing seems to resolve the exception. And the stack trace doesn't provide any more clues with debug on.

For the new certificate you requested, did you create a new private key? Ideally you would use the same private key with an existing app, and once you have the new certs you would run the importcert command. - always_a_rookie
No. The private key is created and issued by our certificate issuer. We supply a pin that gets added to private key. I’ve never had to mess with changing private key because it has to be compatible with enterprise apps. - bbboomer54
Looks like when your certificate issuer issued a PKCS12, it created a new private key. And when you did the importkeystore, that will import the private key as well. Ideally what you would do is, create a PKCS#10 (CSR) from the existing private key and send the CSR to your certificate issuer, and get a certificate chain back. And then associate the received certificate chain to the existing private key using the importcert command. - always_a_rookie
I actually get a p12 certificate that includes the certificate chain. - bbboomer54
It turns out that the problem wasn't with loading the KeyStore but rather a missing CA that wasn't provided by the service offerer. I turned on verbose SSL handshake debugging and discovered that my application was unable to validate the server because their server certificate was signed by a ROOT that was never provided. Once I got the ROOT CA from them, things worked. Thank you for your time providing suggestions and assistance. - bbboomer54

1 Answer

I found out that when running the following (using JDK 1.8):

keytool -importkeystore -srckeystore pkcs12 -destkeystore jks -srcstoretype PKCS12

the password of the newly created entry in the JKS will default to the password which was used to protect the source PKCS12 keystore. I had to replace the entry password with "keytool -keypasswd" because my app expected the JKS "global" password and the entry password to be the same.
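The mismatch the answer describes can be checked and repaired from Java as well: `KeyStore.getKey(alias, password)` throws `UnrecoverableKeyException("Cannot recover key")` when the entry password differs from the one supplied, which is the exception the asker saw. The utility below is an added example, not code from the asker or answerer; it assumes an existing JKS created as on this page (a keystore cannot be built inline without a certificate), takes the store password and the old entry password (the source PKCS12 password) as arguments, and re-stores each affected key under the store password, as `keytool -keypasswd` does.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

public class AlignKeyPasswords {
    // True if the key under alias opens with this password; "Cannot recover key" means it does not.
    static boolean recoverable(KeyStore ks, String alias, char[] password) throws Exception {
        try {
            return ks.getKey(alias, password) != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    // Re-stores every key entry that only opens with entryPass under storePass; returns how many changed.
    static int realign(KeyStore ks, char[] storePass, char[] entryPass) throws Exception {
        int changed = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;            // trusted-cert entries have no key password
            if (recoverable(ks, alias, storePass)) continue; // already what the app expects
            if (!recoverable(ks, alias, entryPass)) {
                System.out.println(alias + ": opens with neither password, left untouched");
                continue;
            }
            Key key = ks.getKey(alias, entryPass);
            // Same key and certificate chain, only the entry password changes
            ks.setKeyEntry(alias, key, storePass, ks.getCertificateChain(alias));
            System.out.println(alias + ": entry password aligned with store password");
            changed++;
        }
        return changed;
    }

    public static void main(String[] args) throws Exception {
        // args (assumed): path to the JKS, its store password, the old entry password
        char[] storePass = args[1].toCharArray(), entryPass = args[2].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);                          // loading checks only the store password
        }
        if (realign(ks, storePass, entryPass) > 0) {
            try (FileOutputStream out = new FileOutputStream(args[0])) {
                ks.store(out, storePass);                    // overwrites the keystore in place
            }
        }
    }
}
```

Back up the keystore before running it, since the file is rewritten in place. It does not cover the asker's eventual root cause, a missing root CA in the trust store, which shows up in the SSL handshake debug output rather than at keystore load time.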