Getting “No certificate matches private key”

Tags: certificate, keytool, openssl, ssl, ssl-certificate

This is the sequence of commands I tried:

a. Extract an existing certificate key from the store:

keytool -v -importkeystore -srckeystore keystore -srcalias one -destkeystore temppp -deststoretype PKCS12 -srcstorepass passwordd -deststorepass passwordd

b. Extract the private key from the exported certificate:

openssl pkcs12 -in temppp -out csr_private.key -nocerts -nodes -password pass:passwordd

c. Generate a CSR using the extracted key:

openssl req -nodes -sha256 -new -key csr_private.key -out request.csr -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla/OU=Bla/CN=BLAAAA'

d. Generate a self-signed certificate and key:

openssl req -x509 -newkey rsa:2048 -keyout ca_key.pem -nodes -sha512 -days 4096 -subj '/C=IL/ST=Unknown/L=Unknown/O=Bla Bla/OU=BLA/CN=FOOO' -out ca.pem

e. Sign the CSR with the self-signed certificate:

openssl x509 -in request.csr -out signed_cert.pem -req -signkey ca_key.pem -days 1001

f. Export the signed certificate and the CSR key to one p12 file:

openssl pkcs12 -export -in signed_cert.pem -inkey csr_private.key -out file.p12 -name "one"

Result:

No certificate matches private key

  1. What am I missing? Why isn't my last command legitimate?
  2. I planned to do "keytool -importkeystore" on file.p12 (that should have been generated in the last step) to replace the "one" privateKeyEntry in "keystore", as suggested in "How to import an existing x509 certificate and private key in Java keystore to use in SSL?". Basically I'm trying to edit that entry to have the same key, but a different certificate.

Best Answer

The fix is to add "-nodes" to the last command (f).
In the second command that key was exported with "-nodes" (no DES encryption), and it should be the same in the last command too.
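openssl pkcs12 -export reports "No certificate matches private key" whenever the public key inside the certificate given with -in is not the one derived from the private key given with -inkey. The script below is an added example, not part of the question or the answer, showing how to compare the two before attempting the export; the key and certificate files it uses are constructed on the spot rather than taken from the question.

```shell
#!/bin/sh
# Added example: check whether a private key and a certificate belong together
# before running `openssl pkcs12 -export`. All file names are constructed here.
set -eu

# Print the public key (SubjectPublicKeyInfo, PEM) derived from a private key.
pubkey_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Print the public key (SubjectPublicKeyInfo, PEM) embedded in a certificate.
pubkey_of_cert() {
    openssl x509 -in "$1" -pubkey -noout 2>/dev/null
}

# Return 0 when the certificate's public key equals the one derived from the
# private key, 1 otherwise. This is exactly the relationship that
# `openssl pkcs12 -export -in CERT -inkey KEY` requires.
key_matches_cert() {
    key_pub=$(pubkey_of_key "$1") || return 1
    cert_pub=$(pubkey_of_cert "$2") || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Constructed material: one key with its own self-signed certificate, plus a
# second, unrelated key that no certificate here was issued for.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$WORK/good.key" -out "$WORK/good.pem" \
    -subj '/CN=example-match' >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/other.key" >/dev/null 2>&1

if key_matches_cert "$WORK/good.key" "$WORK/good.pem"; then
    echo "good.key  / good.pem : match, pkcs12 -export will accept the pair"
fi
if ! key_matches_cert "$WORK/other.key" "$WORK/good.pem"; then
    echo "other.key / good.pem : mismatch, pkcs12 -export would refuse"
fi
```

Running the check on the question's signed_cert.pem and csr_private.key tells you directly whether the error comes from the pair itself or from the export options.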