Tuesday, 13 September 2011

Use Windows path separators if you're using the JDK keytool in Windows - backslash "\" not forward slash "/"

This error "keytool error: java.io.IOException: Keystore was tampered
with, or password was incorrect" may not really mean a password or
keystore problem.

Here's my story:

Kept trying various passwords to add a certificate to my JRE CA using
this command:

./keytool.exe -v -alias certalias -import -file <DomainRootCA>.crt
-keystore ../jre/lib/security/cacerts

And I kept getting

keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
java.io.IOException: Keystore was tampered with, or password was incorrect
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:771)
        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
        at java.security.KeyStore.load(KeyStore.java:1185)
        at sun.security.tools.KeyTool.doCommands(KeyTool.java:715)
        at sun.security.tools.KeyTool.run(KeyTool.java:172)
        at sun.security.tools.KeyTool.main(KeyTool.java:166)
Caused by: java.security.UnrecoverableKeyException: Password verification failed
        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:769)
        ... 5 more

I tried various passwords: my usual default passwords, and "changeit",
which is normally the default for the JRE cacerts keystore. Nothing worked.

Then, remembering how unhelpful these Java exceptions are, I changed the
keystore parameter to see whether it would complain about not finding the
file.

I just removed the "s" from "cacerts":

[everything to the left of this is still the same] -keystore
../jre/lib/security/cacert

And I still got the same error. Bloody JDK! So it was probably failing
because it couldn't find the file, but that wasn't reflected in the
error message.

So I changed my path references to backslash "\" instead of "/", even
though I was doing all of this under the Cygwin bash shell.

./keytool.exe -v -alias certalias -import -file <DomainRootCA>.crt
-keystore ..\jre\lib\security\cacerts

Using the first password I had tried, "changeit":

And it worked.

The lesson:

1. JDK error messages suck!
2. When using keytool.exe on Windows, make sure your path separators
are "\" and not "/". The fact that you're running under a bash shell
doesn't change this.
Remember: Use Windows-based path separators if you're using the JDK
keytool in Windows.
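Here is an added example (not part of the original post) of the check I would put in front of keytool in a Cygwin shell: confirm that the keystore and certificate paths actually resolve before the password is ever consulted, then hand keytool.exe a backslash path. It assumes keytool is on PATH (override with the KEYTOOL variable) and does a plain separator swap rather than resolving Cygwin mount points.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-flight checks so that a
# missing keystore is reported as such instead of surfacing as
# "Keystore was tampered with, or password was incorrect".

# Convert a POSIX-style path to Windows separators for keytool.exe.
# Assumption: plain '/' -> '\' substitution is enough for relative paths.
to_windows_path() {
    printf '%s\n' "$1" | tr '/' '\\'
}

# Verify the keystore exists and is readable before keytool opens it.
# Returns 0 when usable, 1 otherwise, with the reason on stderr.
check_keystore() {
    ks="$1"
    if [ ! -e "$ks" ]; then
        echo "keystore not found: $ks" >&2
        return 1
    fi
    if [ ! -r "$ks" ]; then
        echo "keystore not readable: $ks" >&2
        return 1
    fi
    return 0
}

# Wrapper around 'keytool -import' (keytool is assumed on PATH):
# refuse to run unless both files resolve, then pass Windows-style paths.
import_cert() {
    alias_name="$1"; cert="$2"; ks="$3"
    check_keystore "$ks" || return 1
    [ -r "$cert" ] || { echo "certificate not found: $cert" >&2; return 1; }
    "${KEYTOOL:-keytool}" -v -alias "$alias_name" -import \
        -file "$(to_windows_path "$cert")" \
        -keystore "$(to_windows_path "$ks")"
}

# Confirm the alias landed in the keystore; keytool -list exits non-zero
# when the alias does not exist, so this doubles as a post-import check.
verify_alias() {
    alias_name="$1"; ks="$2"; storepass="$3"
    "${KEYTOOL:-keytool}" -list -alias "$alias_name" \
        -keystore "$(to_windows_path "$ks")" -storepass "$storepass" >/dev/null
}

# Example invocation (the certificate file name is a placeholder):
# import_cert certalias DomainRootCA.crt ../jre/lib/security/cacerts \
#   && verify_alias certalias ../jre/lib/security/cacerts changeit
```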
