Cert file creation - keystore type Adrian Game
    Cert file creation - keystore type Synametrics Support
        Cert file creation - keystore type Brian
            Cert file creation - keystore type Synametrics Support

From: Adrian Game
Date: 10/3/21 4:44 AM
Topic: Cert file creation - keystore type
Type: Installation
Post a follow up

Hi All,

For anyone trying to create a new cert with keytool following the instructions at https://www.xeams.com/new-cert-with-keytool.htm

Note that the latest keytool implementation (JDK 9) defaults keystores to pkcs12 and you need to change to a java using the additional option of {-storetype storetype} when first creating the keystore i.e. 

-storetype jks

If you have already created the keystore and need to convert use

keytool -importkeystore -srckeystore synametrics.pks -srcstoretype pkcs12 -destkeystore synametrics.cert -deststoretype jks -deststorepass [PASSWORD]

If you don't there will be a failure to start Xeams after the reboot.

I hope this helps others that are having similar issues to me.
Top

From: Synametrics Support
Date: 10/3/21 10:39 AM
Topic: Cert file creation - keystore type
Type: Installation
Post a follow up

Adrian,

Thank you very much for posting this tip. However, Xeams can accept both formats: JKS as well as PKCS12. Therefore, you have two choices:

  • Convert the cert to JKS as you recommended above, OR
  • Using Xeams web interface, specify the format as PKCS12. See image below.

 

Top

From: Brian
Date: 10/17/21 12:52 PM
Topic: Cert file creation - keystore type
Type: Installation
Post a follow up

Thanks Adrian!

After many many unfruitful hours of testing, trying, and chasing error logs, I was beginning to arrive at this same conclusion. Forcing the keystore to the JKS type solved my issues as well!

Synametrics support: I have not been successful in getting a PCKS12 keystore to work. Either by creating the keystore as a default PCKS12 type, or migrating a known good JKS keystore to PCKS12. The following error always occurs:

2021-10-17 10:36:03,994 ERROR http11.Http11Protocol - Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]
java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:792)

This is on build 6201, using the Synametrics VM package.

I'm not concerned at this point as the JKS keystore will work fine for my needs, despite being deprecated for security risks. It might be worth a look to see if your devs can reproduce the issue. I'd also suggest an enhancement to validate the new keystore and credentials in the UI when the user changes the cert keystore. This would save dozens of hours of frustrating application restarts.

Top

From: Synametrics Support
Date: 10/18/21 9:28 AM
Topic: Cert file creation - keystore type
Type: Installation
Post a follow up

Brian,

PKCS12 definitely works in Xeams. In fact, a certificate from Let's Encrypt uses PKCS12.

If you like, call our support department and we can help you get the PKCS12 cert working.

Top