I am trying to convert a standard PKCS #12 (.p12) key store into a Java JKS key store with this command:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks
It is failing with:
keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
Do you have any idea how to solve this problem?
Sometimes this error is symptomatic of using an incorrect password for the p12 key.
The pkcs12 keystore was corrupt indeed.
I've never attempted to do this before, but I did find instructions on google here.
This thread asks a similar question.
EDIT (Based on comment)
Here is the full content of the linked reference:
PFX/P12 to JKS (Java KeyStore)
Question: How do I move a certificate from IIS / PFX (.p12 file) to a JKS (Java KeyStore)?
Answer: keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME
Note: To find the srcalias, list the contents of the PFX/P12 file:
keytool -v -list -storetype pkcs12 -keystore PFX_P12_FILE > FILENAME.TXT As this writes the output of the command to a file with the name of FILENAME.TXT.
I had the same issue today(BadPaddingException). It seems keytool had a problem with certain characters in the password. I solved it by adding double-quotes around the password.
keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass "PFX_P12_FILE" -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass "PASSWORD" -destalias ALIAS_NAME
I did this command (opposite to yours) to export a private key to PKCS12 from a JKS:
keytool -importkeystore -srckeystore DemoIdentity.jks -srcstoretype JKS -destkeystore demoidentity.p12 -deststoretype PKCS12
If I left off the seemingly redundant "-srcstoretype JKS", the generated demoidentity.p12 file gave me the same error when I tried to list the details in keytool even though the above command accepted the passwords and generated a file seemingly correctly!
For your issue, perhaps you did something similar when generating keystore.p12.
I had a similar issue when i was trying to export certs as pfx from JKS.It worked when i excluded deststorepass attribute in keytool command & gave the destination store password at runtime.
keytool -importkeystore -srckeystore Keystore.jks -destkeystore dv163.pfx -srcstoretype JKS -deststoretype PKCS12 -srcalias alias1-destalias alias1
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
来源:https://stackoverflow.com/questions/10338543/what-causes-keytool-error-failed-to-decrypt-safe-contents-entry