Closed aleknasz closed 1 year ago
I have managed to generate a keystore that can be opened with KeyStore Explorer. For that I had to use:
keytool -genkey -storepass changeit -keypass changeit -dname "CN=SOMETHING" -alias key -keystore truststore.jks -J-Duser.language=en -keyalg DSA -keysize 1024
Of course, such a key size is not recommended anymore, as it can be compromised easily.
I was able to fix that on Mac by editing /Applications/KeyStore Explorer.app/Contents/Info.plist and adding <string>-Dcrypto.policy=unlimited</string> to the <key>JVMOptions</key> option.
@aleknasz -Dcrypto.policy=unlimited should only be necessary for very old Java 8 versions, as since Java 8 Update 161 (released 2018) the unlimited crypto policy is always active.
OK. But the problem exists on Windows anyway.
I was able to fix that by explicitly providing -storetype jks like:
keytool -genkey -storepass changeit -keypass changeit -dname "CN=SOMETHING" -alias key -keystore truststore.jks -J-Duser.language=en -keyalg DSA -storetype jks
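Added example, not part of the original thread and not KeyStore Explorer code: since JDK 9, keytool writes PKCS12 by default whatever the file is named, so a truststore.jks created on JDK 11 without -storetype jks is not a JKS file. The sketch below identifies the real on-disk format from the leading bytes; the function names and the sample header bytes are constructed for illustration.

```shell
#!/bin/sh
# Identify a Java keystore's on-disk format from its leading bytes,
# independent of the file extension.
keystore_type() {
    # First four bytes as lowercase hex with whitespace removed.
    magic=$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;     # JKS magic number 0xFEEDFEED
        cececece) echo JCEKS ;;   # JCEKS magic number 0xCECECECE
        30*)      echo PKCS12 ;;  # DER SEQUENCE tag (heuristic: any DER object matches)
        *)        echo UNKNOWN ;;
    esac
}

# Compare the format implied by the file name with the format found in the file.
check_keystore() {
    actual=$(keystore_type "$1")
    case "$1" in
        *.jks)       expected=JKS ;;
        *.jceks)     expected=JCEKS ;;
        *.p12|*.pfx) expected=PKCS12 ;;
        *)           expected=$actual ;;
    esac
    if [ "$actual" = "$expected" ]; then
        echo "OK: $1 is $actual"
    else
        echo "MISMATCH: $1 is named like $expected but contains $actual"
        return 1
    fi
}

# Constructed sample headers (not real keystores); only the leading bytes matter.
make_samples() {
    printf '\376\355\376\355\000\000\000\002' > "$1/real.jks"        # JKS magic, version 2
    printf '\060\202\012\000\002\001\003'     > "$1/truststore.jks"  # DER SEQUENCE, INTEGER 3
}

# Demo: the second file carries a .jks name but PKCS12 content.
tmp=$(mktemp -d)
make_samples "$tmp"
check_keystore "$tmp/real.jks" || true
check_keystore "$tmp/truststore.jks" || true
rm -rf "$tmp"
```

A MISMATCH result means the tool opening the file has to be given the detected type rather than the one the extension suggests.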
The problem is your Java runtime, not KSE.
You have the following options:
For security reasons I strongly recommend the first option. Having a five year old Java runtime on your system that contains lots of security issues is rather concerning.
Describe the bug
Create a key store or PC12 with a mix of openssl and keytool on a platform using JDK11. Then run KeyStore Explorer with JRE1.8 and try to open the keystore.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
When you list the truststore.jks with keytool itself via the -list option, you will be able to see the actual content (of course you will be prompted for the password during that process):
From my experience, there might also be a too-weak encryption policy (Java by default has some limit on how long the keys of PKI can be - https://docs.cloudera.com/HDPDocuments/HDF3/HDF-3.3.0/nifi-security/content/java-cryptography-extension-jce-limited-strength-jurisdiction-policies.html or something like this)
Environment