keytool error: java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
I am trying to generate a keystore using keytool and getting the error below:

D:\Java\bin>keytool -importkeystore -srckeystore cert1.p12 -srcstoretype pkcs12 -destkeystore cert1.keystore -deststoretype JKS
Enter destination keystore password:
Re-enter new password:
Enter source keystore password:
keytool error: java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
Upas answered 6/12, 2021 at 10:30 Comment(6)
Dupe #51883824 #67766768 #69801451 #68829704 #68355741 - Vahe
In short: your PKCS12 uses a PBES2 cipher and Java versions below 8u301 or 11.0.1 don't correctly handle PBES2. Either use a newer version of Java, or (re)create the PKCS12 so that it doesn't use PBES2. - Vahe
When exporting the certificate with openssl, adding the -legacy parameter helps. - Mckamey
@Vahe How do you create the PKCS12 so that it doesn't use the PBES2 cipher? The project that I am working on unfortunately requires the use of an older Java 8. Thanks - Samella
@TravisWhitten: if you are creating with OpenSSL 3.0.x openssl pkcs12 -export ... then add -legacy as Klaws said; if you are creating with something else it depends what that something is and maybe how you use it, e.g. options or environment. If you can't change the creation, you can re-create it (read the unusable version and write back a usable version) (perhaps on a different system if necessary) with OpenSSL or (reasonably recent) Windows, or maybe other things. - Vahe
I met the same error today. My case is, I used the same command (as I did 2 years ago) to generate a new CSR, then sign it, then export to p12, then import into the keystore, and finally the exception happened. I thought it was an incorrect password at first. My env is: I installed the latest OpenSSL v3.0.7 with Java 1.8; after I saw @Vahe's suggestion, I turned to OpenSSL v1.1.1 (download here: slproweb.com/products/Win32OpenSSL.html), retried, and it works for me now. Thanks! - Galah
As @Klaws and @dave_thompson_085 suggested in the comments above, add the -legacy parameter to the openssl pkcs12 command:

openssl pkcs12 -inkey cert1.private.key -in cert1.public.crt -export -out cert1.p12 -legacy
keytool -importkeystore -srckeystore cert1.p12 -srcstoretype pkcs12 -destkeystore cert1.keystore -deststoretype JKS
Hartmann answered 3/4, 2023 at 16:2 Comment(0)
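The comments above pin the failure on PBES2, and the "tag = 48" in the error is 0x30, the DER SEQUENCE tag: the old parser met a SEQUENCE where it expected an OID. As an added check (not from the question or any answer here), this Python script walks a .p12's DER and reports which PBE scheme it uses, so a file can be screened before it reaches an old keytool; the OID constants are the standard values, and the sample PFX blobs it builds are constructed skeletons with placeholder ciphertext, not real keystores.

```python
# Added example (not from the question or answers): report which password-based
# encryption scheme a .p12 uses. Sample PFX blobs are constructed skeletons.
H = bytes.fromhex  # raw DER OID values (tag/length stripped), compared as bytes
OID_PBES2, OID_PBKDF2 = H("2a864886f70d01050d"), H("2a864886f70d01050c")  # 1.2.840.113549.1.5.{13,12}
OID_AES256_CBC = H("60864801650304012a")                                   # 2.16.840.1.101.3.4.1.42
OID_DATA, OID_ENC_DATA = H("2a864886f70d010701"), H("2a864886f70d010706")  # PKCS#7 id-data, id-encryptedData
LEGACY_PBE = {  # PKCS#12 PBE schemes every Java 8 release handles
    H("2a864886f70d010c0103"): "pbeWithSHAAnd3-KeyTripleDES-CBC",
    H("2a864886f70d010c0106"): "pbeWithSHAAnd40BitRC2-CBC",
}
def der(tag, *parts):
    """Encode one DER TLV (definite length; long form once the body is 128+ bytes)."""
    body = b"".join(parts)
    k = (len(body).bit_length() + 7) // 8 if len(body) >= 0x80 else 0
    head = bytes([tag, len(body)]) if not k else bytes([tag, 0x80 | k]) + len(body).to_bytes(k, "big")
    return head + body
def read_tlv(buf, pos):
    """Decode the TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: low bits = length-of-length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length
def collect_oids(buf, out):
    """Gather every OID; descend into constructed types and into OCTET STRINGs wrapping DER."""
    pos = 0
    while pos < len(buf):
        try:
            tag, value, pos = read_tlv(buf, pos)
        except IndexError:                     # opaque or truncated bytes: stop at this level
            break
        if tag == 0x06:
            out.append(value)
        elif tag & 0x20 or (tag == 0x04 and value[:1] == b"\x30"):
            collect_oids(value, out)
    return out
def pbe_scheme(pfx_der):
    """'PBES2' (needs Java 8u301+/11.0.1+), a legacy PBE name, or 'unknown'."""
    oids = collect_oids(pfx_der, [])
    if OID_PBES2 in oids:
        return "PBES2"
    return next((n for oid, n in LEGACY_PBE.items() if oid in oids), "unknown")
def build_pfx(pbe_alg_id):
    """Constructed skeletal PFX (RFC 7292 layout) around one AlgorithmIdentifier."""
    enc_info = der(0x30, der(0x06, OID_DATA), pbe_alg_id, der(0x80, b"\xde\xad\xbe\xef"))  # placeholder ciphertext
    enc_data = der(0x30, der(0x06, OID_ENC_DATA), der(0xA0, der(0x30, der(0x02, b"\x00"), enc_info)))
    return der(0x30, der(0x02, b"\x03"), der(0x30, der(0x06, OID_DATA), der(0xA0, der(0x04, der(0x30, enc_data)))))
PBKDF2_PARAMS = der(0x30, der(0x04, b"\x00" * 8), der(0x02, b"\x08\x00"))  # constructed salt, 2048 iterations
PBES2_ALG = der(0x30, der(0x06, OID_PBES2), der(0x30, der(0x30, der(0x06, OID_PBKDF2), PBKDF2_PARAMS),
                                                  der(0x30, der(0x06, OID_AES256_CBC), der(0x04, b"\x00" * 16))))
LEGACY_ALG = der(0x30, der(0x06, H("2a864886f70d010c0103")), PBKDF2_PARAMS)  # pkcs-12PbeParams: same shape
```

Because the walker also descends into id-data safe contents, a PBES2 AlgorithmIdentifier on a shrouded key bag is reported the same way as one on an encrypted certificate bag. Run it on a real file with pbe_scheme(open("cert1.p12", "rb").read()).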
Updating the JDK will solve this issue.

Goad answered 29/3, 2023 at 9:14 Comment(1)
Never touch a running system! - Gelatinoid
If the -legacy option in openssl3 doesn't work for any reason (my case, maybe because I use macOS), simply install openssl1.1 and use that instead to generate the p12 file.

For example, in macOS:

Mayberry answered 26/4, 2023 at 14:42 Comment(1)
For me the -legacy switch worked on macOS Sonoma with OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024). OpenSSL installed with brew. - Gelatinoid
Updating the JDK from 1.8 to 21 helped to resolve this issue.

Carnelian answered 16/2 at 18:42 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. - Carapace
I had to generate .p12 with OpenSSL and the exact JDK version in the deployment.

And it worked; I used a Docker container to do this.

Afroamerican answered 20/2 at 6:23 Comment(0)