Cryptographic Error: Trusted Certificate Entries are Not Password-protected Keytool

Posted on by Jordansphere

Problem

When replacing the certificates on a vCloud Director 9.5 installation, I ran the configure command and the following error occurred.

cryptographic error: trusted certificate entries are not password-protected keytool

Troubleshooting

Upon investigation of the keystore file it appeared that the entry type was trustedCertEntry

keytool -storetype JCEKS -list -v -keystore certs.ks

<snip>
Alias name: http
Creation date: 29 Oct 2019
Entry type: trustedCertEntry
</snip>

Resolution

Unfortunately it appears the certificates were added incorrectly. The Entry type should be PrivateKeyEntry rather than trustedCertEntry

1) Remove certificates from keystore

keytool -storetype JCEKS -keystore erts.ks -delete -alias consoleproxy
keytool -storetype JCEKS -keystore certs.ks -delete -alias http

2) Re-add certificates to keystore

keytool -importkeystore -srckeystore http.pfx -srcstoretype PKCS12 -destkeystore certs.ks -deststoretype JCEKS -srcalias http -destalias http
keytool -importkeystore -srckeystore consoleproxy.pfx -srcstoretype PKCS12 -destkeystore certs.ks -deststoretype JCEKS -srcalias consoleproxy -destalias consoleproxy

3) Check keystore:

keytool -storetype JCEKS -list -v -keystore certs.ks

Output should now be:

<snip>
Alias name: http
Creation date: 11 Nov 2019
Entry type: PrivateKeyEntry
</snip>