22

I am trying to generate a pfx file to use as a signing mechanism for some JAR files as per these instructions.

To create the pfx file I am using the following command

openssl pkcs12 -export -in my-cert.crt -inkey my-priv-key.key -certfile my-ca-bundle -out my-pfx.pfx

This command successfully generates me a pfx file, however, when I try to find the alias using the following command

keytool -list -storetype pkcs12 -keystore my-pfx.pfx -v | grep Alias

I get the following response

Alias name: 2

According to the note linked above (and other research I have done) the Alias returned should look something like this

le-d491f28f-ee7b-40e2-b1a7-2b7c3a71979a

If I try to use the Alias value I am getting (e.g. 2) using the following command

jarsigner -keystore my-pfx.pfx -storetype PKCS12 jacob.jar 2

which results in the following error message

jarsigner: Certificate chain not found for: 2.  2 must reference a valid KeyStore key entry containing a private key and corresponding public key certificate chain.

I am totally stumped as to why I am not getting a correct alias. Any helpful suggestions?

Thanks

user3198232

1 Answer

51

Try using the option -name "alias" with the command openssl pkcs12.

So, the full command may look like this (the rest of the options were taken from your question):

openssl pkcs12 -export -in my-cert.crt -inkey my-priv-key.key -certfile my-ca-bundle -out my-pfx.pfx -name "alias"
vond
  • 1
    Could you explain what `-name` does in this context? According to the docs: `-name friendlyname` _specifies the "friendly name" for the certificate and private key. This name is typically displayed in list boxes by software importing the file._ But how does this change the alias in the p12 file? – not2savvy Feb 23 '21 at 14:24
  • If you are still getting a failure using this command on Windows, I recommend changing openssl to this version; download it here - https://itefix.net/openssl-tool – Teerakiat Chitawattanarat Aug 14 '21 at 05:28
  • 1
    @not2savvy After using `-name` argument, run your `keytool -list` command again. You will see the alias matches. Is this sufficient? – kevinarpe Sep 24 '21 at 12:49
  • 1
    @kevinarpe So does `-name` actually set both, the "friendly name" as well as the alias, or are these just two different terms for the same thing? – not2savvy Sep 25 '21 at 16:44
  • @not2savvy Excellent question. I assume they are the same. – kevinarpe Sep 27 '21 at 06:16
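
Added example (not part of the original answer or comments): a shell script that exports the same key pair with and without `-name` and reads back the `friendlyName` bag attribute with `openssl pkcs12 -nokeys`, which is the value `-name` writes into the file. The throwaway self-signed certificate, the password `changeit`, the name `jar-signer` and the helper function names are constructed for the example.

```shell
#!/usr/bin/env bash
# Added example. Every file name, subject, password and name below is constructed.
set -eu

PASS="changeit"   # throwaway password for the test files only

# Create a throwaway self-signed key and certificate in directory $1.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-jar-signer" \
        -keyout "$1/my-priv-key.key" -out "$1/my-cert.crt" 2>/dev/null
}

# Export the pair in directory $1 to PKCS#12 file $2.
# A non-empty $3 is passed to openssl as -name; an empty $3 omits the option.
export_p12() {
    if [ -n "${3:-}" ]; then
        openssl pkcs12 -export -in "$1/my-cert.crt" -inkey "$1/my-priv-key.key" \
            -out "$2" -passout "pass:$PASS" -name "$3"
    else
        openssl pkcs12 -export -in "$1/my-cert.crt" -inkey "$1/my-priv-key.key" \
            -out "$2" -passout "pass:$PASS"
    fi
}

# Print the friendlyName attribute(s) stored in PKCS#12 file $1, one per line.
# Prints nothing when the file carries no friendlyName.
p12_friendly_name() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$PASS" 2>/dev/null |
        sed -n -e 's/ *$//' -e 's/^ *friendlyName: *//p' | sort -u
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_test_cert "$WORK"
export_p12 "$WORK" "$WORK/no-name.pfx" ""
export_p12 "$WORK" "$WORK/named.pfx" "jar-signer"

echo "without -name: '$(p12_friendly_name "$WORK/no-name.pfx")'"
echo "with -name:    '$(p12_friendly_name "$WORK/named.pfx")'"
```

Running `keytool -list -storetype pkcs12 -keystore named.pfx` on the second file is the check the comments suggest for confirming the alias.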