Export to .pkcs12 | keystore password incorrect

When I try to verify the password for my exported.pkcs12, I get: keytool error: java.io.IOException: keystore password was incorrect. I was under the impression that the Certbot *.pem files do not have a password. Am I wrong?

My domain is: myserver.mygroup.mytoplvldomain.de

I ran this command:
PS C:\WINDOWS\system32> certbot certonly --standalone

It produced this output:
Saving debug log to C:\Certbot\log\letsencrypt.log
Please enter the domain name(s) you would like on your certificate (comma and/or
space separated) (Enter 'c' to cancel): myserver.mygroup.mytoplvldomain.de [www.myserver.mygroup.mytoplvldomain.de]...
Requesting a certificate for myserver.mygroup.mytoplvldomain.de and 4 more domains

Successfully received certificate.
Certificate is saved at: C:\Certbot\live\myserver.mygroup.mytoplvldomain.de\fullchain.pem
Key is saved at: C:\Certbot\live\myserver.mygroup.mytoplvldomain.de\privkey.pem
This certificate expires on 2024-06-03.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

I ran this command:
C:\Certbot\live\myserver.mygroup.mytoplvldomain.de>openssl
OpenSSL> pkcs12 -export -out .\exported.pkcs12 -inkey .\privkey.pem -in .\fullchain.pem -name MyServer

It produced this output: - (but created ./exported.pkcs12)

I ran this command:
PS C:\Certbot\live\myserver.mygroup.mytoplvldomain.de> keytool -keypasswd -keystore exported.pkcs12 -alias MyServer -storepass STOREPASS

It produced this output:
keytool error: java.io.IOException: keystore password was incorrect

My web server is (include version): Apache

The operating system my web server runs on is (include version): Windows Server 2019

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

@certbot-user, welcome to the community!

The original key .\privkey.pem created by certbot is unencrypted. So likely you should not supply a key password for keytool. I do not know how to achieve that since I am not familiar with keytool.

I did a similar thing:

# openssl
OpenSSL> pkcs12 -export -out 1.pfx -inkey 1.key -in 1.pem -name MyServer
Enter Export Password:
Verifying - Enter Export Password:
OpenSSL>
OpenSSL> exit
#

Did openssl pkcs12 ask you for a password, too? If yes, then it is likely the same one you have to provide for keytool as -storepass.

1 Like

Indeed, openssl prompts me for an Export Password.

If I follow your command like this

C:\Certbot\live\mydomain.de>openssl
OpenSSL> pkcs12 -export -out .\exported.pfx -inkey .\privkey.pem -in .\fullchain.pem -name MyServer
Enter Export Password:
Verifying - Enter Export Password:
OpenSSL>

Imagine that I chose a single-digit export PW of "1"; Windows PowerShell tells me
PS C:\Certbot\live\mydomain.de> keytool -keypasswd -keystore ./exported.pfx -alias MyServer -storepass 1
keytool error: java.lang.Exception: Keystore file does not exist: ./exported.pfx

Repeating this procedure with .pkcs12 instead of .pfx format:

OpenSSL> pkcs12 -export -out .\exported.pkcs12 -inkey .\privkey.pem -in .\fullchain.pem -name MyServer
Enter Export Password:
Verifying - Enter Export Password:
OpenSSL>

Windows PowerShell gives

PS C:\Certbot\live\mydomain.de> keytool -keypasswd -keystore ./exported.pkcs12 -alias MyServer -storepass 1
Enter key password for <MyServer>
keytool error: java.security.UnrecoverableKeyException: Get Key failed: EC KeyFactory not available

I don't use these tools myself, but could your problem be that one uses a backslash and the other a forward slash in front of exported.pfx?

Also, is this a new setup? Because the EFF has dropped support for Windows for their Certbot client. An ACME Client designed for Windows probably would be easier anyway. See the EFF announcement. The Certify The Web client is probably the easiest to use.

3 Likes

Certbot now defaults to creating an EC key instead of RSA. If you cannot supplement keytool to support EC keys, there is still a way to tell certbot via the appropriate flag to generate an RSA key.

3 Likes

The slashes are due to me being too lazy to always type \ on Windows: the CMD prompt does not understand /, but PowerShell does understand /.

Also, is this a new setup? Because the EFF has dropped support for Windows for their Certbot client. An ACME Client designed for Windows probably would be easier anyway. See the EFF announcement. The Certify The Web client is probably the easiest to use.

Thank you for the heads-up. This is a new setup and we should follow your advice.

2 Likes

Running certbot --standalone --key-type rsa -v, then exporting to .pkcs12 with OpenSSL and finally checking with keytool -keypasswd -keystore .\exported.pkcs12 -alias MyServer -storepass PASSKEY ran without errors. Thanks a lot.

2 Likes
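The export and password check that the thread settles on, reproduced with openssl alone as an added example (not code from the thread or from Certbot): it generates a throwaway RSA and an EC key with a self-signed certificate standing in for privkey.pem and fullchain.pem, exports each to PKCS#12 with a known export password, and confirms that only that password opens the store. The temporary directory, the CN example.test, the file names and the password "1" are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: round-trip an unencrypted key (like Certbot's
# privkey.pem) and its certificate (standing in for fullchain.pem) through
# "openssl pkcs12 -export", then show which password opens the resulting store.
# Throwaway self-signed material is generated here, so it runs without Certbot.
set -eu

WORK=$(mktemp -d)
EXPORT_PW='1'   # constructed export password, as chosen in the thread

# make_store rsa|ec: unencrypted key + self-signed cert -> $WORK/<type>.p12
make_store() {
    kt=$1
    if [ "$kt" = rsa ]; then
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/$kt.key" 2>/dev/null
    else
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$WORK/$kt.key" 2>/dev/null
    fi
    openssl req -new -x509 -days 1 -subj "/CN=example.test" \
        -key "$WORK/$kt.key" -out "$WORK/$kt.pem" 2>/dev/null
    # The export password is the only secret protecting the store: it is what
    # keytool expects as -storepass, and the same value serves as the key password.
    openssl pkcs12 -export -name MyServer -inkey "$WORK/$kt.key" -in "$WORK/$kt.pem" \
        -out "$WORK/$kt.p12" -passout "pass:$EXPORT_PW"
}

# check_store rsa|ec PASSWORD: exit 0 if PASSWORD verifies the store's MAC, else non-zero
check_store() {
    openssl pkcs12 -in "$WORK/$1.p12" -info -noout -passin "pass:$2" >/dev/null 2>&1
}

# store_key_alg rsa|ec: print the public key algorithm of the bundled certificate
# (rsaEncryption or id-ecPublicKey); the EC case is the one keytool choked on above
store_key_alg() {
    openssl pkcs12 -in "$WORK/$1.p12" -nokeys -clcerts -passin "pass:$EXPORT_PW" 2>/dev/null \
        | openssl x509 -noout -text | sed -n 's/^ *Public Key Algorithm: //p'
}

for kt in rsa ec; do
    make_store "$kt"
    if check_store "$kt" "$EXPORT_PW"; then
        echo "$kt store ($(store_key_alg "$kt")): opened with the export password"
    fi
    if check_store "$kt" "not-the-password"; then
        echo "unexpected: a wrong password was accepted"
    fi
done
```

Passing the password on the command line, as in the thread, leaves it in the shell history; openssl also accepts -passout file:PATH, and keytool prompts interactively when -storepass is omitted.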
