Question
I am trying to convert a standard PKCS #12 (.p12) key store into a Java JKS key store with this command:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks
It is failing with:
keytool error: java.io.IOException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded
Do you have any idea how to solve this problem?
Answer 1:
Sometimes this error is symptomatic of using an incorrect password for the p12 key.
Answer 2:
The pkcs12 keystore was corrupt indeed.
Answer 3:
I've never attempted to do this before, but I did find instructions on Google here.
This thread asks a similar question.
EDIT (Based on comment)
Here is the full content of the linked reference:
PFX/P12 to JKS (Java KeyStore)
Question: How do I move a certificate from IIS / PFX (.p12 file) to a JKS (Java KeyStore)?
Answer: keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass PFX_P12_FILE -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass PASSWORD -destalias ALIAS_NAME
Note: To find the srcalias, list the contents of the PFX/P12 file:
keytool -v -list -storetype pkcs12 -keystore PFX_P12_FILE > FILENAME.TXT
This writes the output of the command to a file with the name of FILENAME.TXT.
Answer 4:
I had the same issue today (BadPaddingException). It seems keytool had a problem with certain characters in the password. I solved it by adding double-quotes around the password.
keytool -importkeystore -srckeystore PFX_P12_FILE_NAME -srcstoretype pkcs12 -srcstorepass "PFX_P12_FILE" -srcalias SOURCE_ALIAS -destkeystore KEYSTORE_FILE -deststoretype jks -deststorepass "PASSWORD" -destalias ALIAS_NAME
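An added example (not from any of the answers), related to the password causes raised in answers 1 and 4: it shows how the shell splits an unquoted password into several arguments, and runs the conversion with a preflight -list check and with passwords taken from environment variables through keytool's :env modifier. The names SRC_PASS, DEST_PASS and KEYTOOL and the sample password are assumptions made for the example.

```shell
#!/bin/sh
# Added example; SRC_PASS, DEST_PASS, KEYTOOL and the sample password are
# assumptions for illustration, not names from the thread.

# Echo how many arguments a command would receive.
count_args() { echo "$#"; }

# Constructed sample password containing a space.
SAMPLE_PASS='p@ss w0rd!'

# Unquoted: the shell splits the password at the space, so the command gets
# the flag plus two fragments. Quoted: the flag plus one intact password.
unquoted_arg_count() { count_args -srcstorepass $SAMPLE_PASS; }
quoted_arg_count()   { count_args -srcstorepass "$SAMPLE_PASS"; }

# Stand-in for keytool in dry runs: prints one argument per line.
print_args() { printf '%s\n' "$@"; }

# Convert PKCS12 -> JKS. keytool itself reads the passwords from the exported
# variables SRC_PASS and DEST_PASS (":env" modifier), so they never pass
# through shell parsing or appear on the command line.
p12_to_jks() {
    src=$1 dest=$2 tool=${KEYTOOL:-keytool}
    # Preflight: listing fails on a wrong password or a damaged file,
    # before anything is written to the destination keystore.
    "$tool" -list -keystore "$src" -storetype PKCS12 \
        -storepass:env SRC_PASS >/dev/null || {
        echo "cannot open $src: wrong password or damaged file" >&2
        return 1
    }
    "$tool" -importkeystore \
        -srckeystore "$src" -srcstoretype PKCS12 -srcstorepass:env SRC_PASS \
        -destkeystore "$dest" -deststoretype JKS -deststorepass:env DEST_PASS
}

echo "unquoted: $(unquoted_arg_count) arguments, quoted: $(quoted_arg_count)"
```

Export SRC_PASS and DEST_PASS before calling p12_to_jks keystore.p12 keystore.jks; setting KEYTOOL=print_args shows the argument list without running keytool.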
Answer 5:
I did this command (opposite to yours) to export a private key to PKCS12 from a JKS:
keytool -importkeystore -srckeystore DemoIdentity.jks -srcstoretype JKS -destkeystore demoidentity.p12 -deststoretype PKCS12
If I left off the seemingly redundant "-srcstoretype JKS", the generated demoidentity.p12 file gave me the same error when I tried to list the details in keytool even though the above command accepted the passwords and generated a file seemingly correctly!
For your issue, perhaps you did something similar when generating keystore.p12.
Answer 6:
I had a similar issue when I was trying to export certs as pfx from JKS. It worked when I excluded the deststorepass attribute in the keytool command and gave the destination store password at runtime.
keytool -importkeystore -srckeystore Keystore.jks -destkeystore dv163.pfx -srcstoretype JKS -deststoretype PKCS12 -srcalias alias1 -destalias alias1
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
Source: https://stackoverflow.com/questions/10338543/what-causes-keytool-error-failed-to-decrypt-safe-contents-entry