I am trying to update a keystore with a renewed SSL certificate that I downloaded from my Ionos webhost.
I downloaded the PFX file after inputting my private key and password into their PFX creation tool and checked an option to "include intermediate certificates" (this is what I have always done in the past).
When I ran keytool to update the keystore this is the command I used:
```
keytool -importkeystore -srckeystore example.com_private_key.pfx -srcstoretype pkcs12 -destkeystore mykeystore.jks -deststoretype JKS
```
It asks me to enter some passwords and then asks me if I want to override the alias. After entering "yes" it gave me the "Invalid null input" error.
I also tried creating a new keystore instead of updating the old one and after entering the passwords I received the same error.
I still have my old PFX file from last year and keytool doesn't give the error when creating a keystore with that.
I also tried reissuing the private key and redownloading the PFX with and without the intermediate certificate option but got the same error.
I don't know where to even start to find out how to overcome this issue. My only assumption is that there is something wrong with the new PFX file but don't know how I can verify it or troubleshoot.
Any suggestions?
EDIT:
I decided to run `keytool -list` on the PFX file and this was the output:
```
>keytool -list -v -keystore example.com_private_key.pfx
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: *.example.com
Creation date: 22-Mar-2023
Entry type: PrivateKeyEntry
*******************************************
*******************************************
```
Usually this gives a big list of things but this seems empty.
Following the advice from @dave_thompson_085 I was able to solve this issue.
The `Invalid null input` error from keytool was being caused by the fact that the PFX file was missing a `friendlyName` and `localKeyID` in its `Bag Attributes` property. Instead of the proper values the `Bag Attributes` were set to a value of `<Empty Attributes>`.
You can check this by using OpenSSL to get the info from the bad PFX file.
Run:
```
openssl pkcs12 -info -nokeys -in "C:\example.com_private_key.pfx"
```
You will get an output that looks like this:
```
MAC Iteration 1024
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Bag Attributes: <Empty Attributes>
subject=/CN=*.example.com
issuer=/C=US/O=Example CA/OU=www.exampleca.com/CN=Example CA
-----BEGIN CERTIFICATE-----
MIICwDCCAmagAwIBAgIBATANBgkqhkiG9w0BAQUFADCBtjELMAkGA1UEBhMCVVMx
...
...
zYnRrIjp7ImFjdGlvbiI6IlJPTEVfQ09NUExFVEVEIiwicmVwb3NpdG9yeSI6Imh
0dHA6024Ly9leGFtcGxlLmNvbSJ9fSwidGltZXN0YW1wIjoxNTcxMTQxMjg0fQ==
-----END CERTIFICATE-----
Certificate bag
Bag Attributes: <Empty Attributes>
subject=/C=US/O=Example CA/OU=www.exampleca.com/CN=Example CA
issuer=/C=US/O=Example CA/OU=www.exampleca.com/CN=Example CA Root
-----BEGIN CERTIFICATE-----
MIICwDCCAmagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzET
...
...
Qnl0ZXMgYW5kIEhhY2thdGhvbi9yZWFsIENBIHRlc3QgaW5zdGFuY2Ugc3lzLg==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
```
You will see that `Bag Attributes` has a value of `<Empty Attributes>` for both certificates.
To fix this I manually created a new PFX file using OpenSSL.
First, obtain the following files from your SSL provider:

- example.com_private_key.key
- example.com_ssl_certificate.cer
- example.com_ssl_certificate_INTERMEDIATE.cer

Then use OpenSSL to create your new PFX file by running the following command:
```
openssl pkcs12 -export -out "C:\example.com_private_key_fixed.pfx" -name "*.example.com" -inkey "C:\example.com_private_key.key" -in "C:\example.com_ssl_certificate.cer" -certfile "C:\example.com_ssl_certificate_INTERMEDIATE.cer" -caname "Example Certificate Authority Friendly Name"
```
Replace the properties with your appropriate file paths and `friendlyName` values.
According to Dave the `friendlyName` properties aren't needed but I included them because they were in my last working PFX file.
You can use OpenSSL to verify that the `Bag Attributes` have been set correctly. Run:
```
openssl pkcs12 -info -nokeys -in "C:\example.com_private_key_fixed.pfx"
```
You will get an output that looks like this:
```
MAC Iteration 1024
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 1024
Certificate bag
Bag Attributes:
    localKeyID: 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10
    friendlyName: *.example.com
subject=/CN=*.example.com
issuer=/C=US/O=Example CA/OU=www.exampleca.com/CN=Example CA
-----BEGIN CERTIFICATE-----
MIICwDCCAmagAwIBAgIBATANBgkqhkiG9w0BAQUFADCBtjELMAkGA1UEBhMCVVMx
...
...
zYnRrIjp7ImFjdGlvbiI6IlJPTEVfQ09NUExFVEVEIiwicmVwb3NpdG9yeSI6Imh
0dHA6024Ly9leGFtcGxlLmNvbSJ9fSwidGltZXN0YW1wIjoxNTcxMTQxMjg0fQ==
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
    friendlyName: Example Certificate Authority Friendly Name
subject=/C=US/O=Example CA/OU=www.exampleca.com/CN=Example CA
issuer=/C=US/O=Example CA/OU=www.exampleca.com/CN=Example CA Root
-----BEGIN CERTIFICATE-----
MIICwDCCAmagAwIBAgIBATANBgkqhkiG9w0BAQUFADA7MQswCQYDVQQGEwJVUzET
...
...
Qnl0ZXMgYW5kIEhhY2thdGhvbi9yZWFsIENBIHRlc3QgaW5zdGFuY2Ugc3lzLg==
-----END CERTIFICATE-----
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
```
You will see that `Bag Attributes` is now correctly set. The PFX file should also now be able to be imported with keytool without getting the `Invalid null input` error.
I don't know if this matters, but the `friendlyName` of my Intermediate Certificate in the last working PFX file that I downloaded from my web host was the exact same as the Intermediate Certificate's `subject` property, but with the slashes replaced by commas and the order reversed. So
`subject=/C=US/O=Example CA/OU=www.exampleca.com/CN=Example CA`
would become:
`-caname "CN=Example CA,OU=www.exampleca.com,O=Example CA,C=US"`
when inputting the Certificate Authority's `friendlyName`.
Again the `friendlyName` might not matter, but I thought it was worth mentioning since it was something I noticed while looking at my older working PFX files that had been generated by my web host.
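As an added example (not code from the original answer), a small Python script that parses the text printed by `openssl pkcs12 -info -nokeys`, reports which certificate bags came back with `<Empty Attributes>`, and derives the reversed, comma-joined `-caname` value described above from a slash-separated subject. The sample output embedded in it is constructed to mirror the answer's listing with the PEM bodies left out; real output can be piped in the same way.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the answer's listing, PEM bodies left out.
SAMPLE_INFO = """\
Certificate bag
Bag Attributes: <Empty Attributes>
subject=/CN=*.example.com
issuer=/C=US/O=Example CA/OU=www.exampleca.com/CN=Example CA
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Certificate bag
Bag Attributes:
    friendlyName: Example Certificate Authority Friendly Name
subject=/C=US/O=Example CA/OU=www.exampleca.com/CN=Example CA
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 1024
"""

def parse_cert_bags(info_output: str) -> List[Dict[str, object]]:
    """One dict per 'Certificate bag': subject, its localKeyID/friendlyName
    attributes, and whether OpenSSL printed '<Empty Attributes>' for it."""
    bags: List[Dict[str, object]] = []
    current = None
    for raw in info_output.splitlines():
        line = raw.strip()
        if line == "Certificate bag":
            current = {"subject": "", "attributes": {}, "empty": False}
            bags.append(current)
        elif current is None or not line:
            continue
        elif line.startswith("Bag Attributes"):
            current["empty"] = "<Empty Attributes>" in line
        elif re.match(r"^(localKeyID|friendlyName):", line):
            name, value = line.split(":", 1)
            current["attributes"][name] = value.strip()
        elif line.startswith("subject="):
            current["subject"] = line[len("subject="):]
        elif line.startswith(("Shrouded Keybag", "Key bag")):
            current = None  # key bags are outside this check
    return bags

def empty_attribute_subjects(info_output: str) -> List[str]:
    """Subjects of certificate bags that carry no attributes at all."""
    return [b["subject"] for b in parse_cert_bags(info_output) if b["empty"]]

def subject_to_caname(subject: str) -> str:
    """'/C=US/.../CN=X' -> 'CN=X,...,C=US': the reversed, comma-joined form the
    answer saw as the intermediate's friendlyName (assumes no '/' in values)."""
    return ",".join(reversed([p for p in subject.split("/") if p]))
```

Run it against `openssl pkcs12 -info -nokeys -in your.pfx` output and any subject listed by `empty_attribute_subjects` is a bag to rebuild with `-name` / `-caname` as shown above.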
Big thanks to @dave_thompson_085 once more! Just had to renew my SSL Certificates for the year, but my web host still hasn't sorted out their PFX file issue. Had to DIY it with OpenSSL again. Cheers for the help!