Why am I getting the "Can not store non-PrivateKeys" error message when creating an SSL socket in Java?

I am working on an older IBM iSeries (IBM-i, i5OS, AS/400, etc.), with a Java 5 JVM (Classic, not ITJ J9) on OS version V5R3M0.

Here is the script in a nutshell:

  • I created a JKS type keystore using Portecle 1.7. (Note: I tried to convert my keystore to JCEKS, but it was rejected as an unsupported format, so it seems that JKS is the only option on the iSeries machine, at least on the version I'm on.)
  • Then I created a key pair and CSR and sent the CSR to Thawte for signing.
  • I imported the signed certificate from Thawte using PKCS#7 format to import the entire certificate chain, including my certificate, the Thawte intermediate, and the Thawte server root.

Everything worked as expected.

However, when I ran the JVM, configured correctly to point to the store and supply its password (as I had done in the past with self-signed certificates created in Portecle for testing), and tried to start my web server on 443, I received the following security exception:

java.security.KeyStoreException: Cannot store non-PrivateKeys

Can someone tell me where I went wrong, or what I should check next?

+5
3 answers

SSLContext.

SSLContext X509KeyManager , KeyManagerFactory. X509KeyManager, chooseServerAlias(String keyType, Principal[] issuers, Socket socket) , .

, , , (, , ), , PKCS#11.

+3

" -PrivateKeys" , JKS. JKS (/) . JCEKS .

+28

, , , - - .

TL;DR , , , . .

, - SSL, , , IP- -, DNS-, , - , -, SSL SSL factory, :

// CREATE EPHEMERAL KEYSTORE FOR THIS SOCKET USING THE DESIRED CERTIFICATE
// Context assumed from the surrounding method: mstkst is the already-loaded master KeyStore,
// svrctfals is the alias of the server certificate entry, ssf is the SSLServerSocketFactory being built.
try {
    final char[]      BLANK_PWD=new char[0];
    SSLContext        ctx=SSLContext.getInstance("TLS");
    KeyManagerFactory kmf=KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    Key               ctfkey=mstkst.getKey(svrctfals,BLANK_PWD);          // null if the alias has no key entry
    Certificate[]     ctfchn=mstkst.getCertificateChain(svrctfals);       // null if the alias is unknown
    KeyStore          sktkst;

    sktkst=KeyStore.getInstance("jks");
    sktkst.load(null,BLANK_PWD);
    sktkst.setKeyEntry(svrctfals,ctfkey,BLANK_PWD,ctfchn);
    kmf.init(sktkst,BLANK_PWD);
    ctx.init(kmf.getKeyManagers(),null,null);
    ssf=ctx.getServerSocketFactory();
    }
catch(java.security.GeneralSecurityException thr) {
    throw new IOException("Cannot create server socket factory using ephemeral keystore ("+thr+")",thr);
    }

, . - keytool, ( , ).

, , null sktkst.setKeyEntry(svrctfals,ctfkey,BLANK_PWD,ctfchn); setKeyEntry Key instanceof (), null instanceof PrivateKey, , .

:

// CREATE EPHEMERAL KEYSTORE FOR THIS SOCKET USING THE DESIRED CERTIFICATE
// Same context as above: mstkst (master KeyStore), svrctfals (server certificate alias), ssf (factory being built).
try {
    final char[]      BLANK_PWD=new char[0];
    SSLContext        ctx=SSLContext.getInstance("TLS");
    KeyManagerFactory kmf=KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    Key               ctfkey=mstkst.getKey(svrctfals,BLANK_PWD);
    Certificate[]     ctfchn=mstkst.getCertificateChain(svrctfals);
    KeyStore          sktkst;

    // Fail with a meaningful message instead of letting setKeyEntry reject a null key
    // with "Cannot store non-PrivateKeys".
    if(ctfkey==null) {
        throw new IOException("Cannot create server socket factory: No key found for alias '"+svrctfals+"'");
        }
    if(ctfchn==null || ctfchn.length==0) {
        throw new IOException("Cannot create server socket factory: No certificate found for alias '"+svrctfals+"'");
        }

    sktkst=KeyStore.getInstance("jks");
    sktkst.load(null,BLANK_PWD);
    sktkst.setKeyEntry(svrctfals,ctfkey,BLANK_PWD,ctfchn);
    kmf.init(sktkst,BLANK_PWD);
    ctx.init(kmf.getKeyManagers(),null,null);
    ssf=ctx.getServerSocketFactory();
    }
catch(java.security.GeneralSecurityException thr) {
    throw new IOException("Cannot create server socket factory using ephemeral keystore ("+thr+")",thr);
    }
+3
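As an added example (not code from the question or from any of the answers), the following Java program reproduces the exception with an in-memory JKS and then audits a real keystore alias by alias, so you can see which alias actually holds a PrivateKey with a certificate chain. The class name KeyStoreEntryCheck and its method names are my own; it uses only standard JDK APIs and avoids post-Java-5 syntax.

```java
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.Certificate;

public class KeyStoreEntryCheck {
    // Classify one alias. setKeyEntry and KeyManagerFactory need a key entry whose key is a
    // PrivateKey plus a non-empty chain; a trusted-cert entry or a wrong alias yields null from getKey.
    static String describe(KeyStore ks, String alias, char[] pwd) throws GeneralSecurityException {
        if (!ks.containsAlias(alias)) return alias + ": no such alias (getKey returns null)";
        if (ks.isCertificateEntry(alias)) return alias + ": trusted-cert entry only, no private key (getKey returns null)";
        Key key = ks.getKey(alias, pwd);
        Certificate[] chain = ks.getCertificateChain(alias);
        int len = (chain == null) ? 0 : chain.length;
        if (key instanceof PrivateKey) return alias + ": PrivateKey (" + key.getAlgorithm() + "), chain length " + len;
        return alias + ": key entry but not a PrivateKey (" + (key == null ? "null" : key.getClass().getName()) + ")";
    }

    // Reproduce the exception with an in-memory JKS: anything that is not a PrivateKey,
    // including the null a failed getKey hands back, is rejected with the message from the question.
    static String tryStore(Key key, Certificate[] chain) throws GeneralSecurityException, java.io.IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        try {
            ks.setKeyEntry("test", key, new char[0], chain);
            return "stored";
        } catch (KeyStoreException e) {
            return e.getMessage(); // "Cannot store non-PrivateKeys"
        }
    }

    public static void main(String[] args) throws Exception {
        KeyStore empty = KeyStore.getInstance("JKS");
        empty.load(null, null);
        Key missing = empty.getKey("nosuchalias", new char[0]); // null, exactly the case the answer describes
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair();
        System.out.println("wrong alias -> " + tryStore(missing, null));
        System.out.println("PublicKey   -> " + tryStore(kp.getPublic(), null));
        // Audit a real store (path and password as arguments): one line per alias tells you which
        // alias actually holds the private key and how long its certificate chain is.
        if (args.length == 2) {
            char[] pwd = args[1].toCharArray();
            KeyStore real = KeyStore.getInstance("JKS");
            FileInputStream in = new FileInputStream(args[0]);
            try { real.load(in, pwd); } finally { in.close(); }
            for (String alias : java.util.Collections.list(real.aliases()))
                System.out.println(describe(real, alias, pwd));
        }
    }
}
```

If the alias your server uses is reported as a trusted-cert entry, the CA reply was imported as a separate entry rather than into the key pair entry, which is what leaves getKey returning null.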