From: Adrian Game
Date: 10/3/21 4:44 AM
Topic: Cert file creation - keystore type
Type: Installation

Hi All,

For anyone trying to create a new cert with keytool following the instructions at https://www.xeams.com/new-cert-with-keytool.htm

Note that the latest keytool implementation (JDK 9) defaults keystores to PKCS12, and you need to change to a Java keystore (JKS) using the additional option {-storetype storetype} when first creating the keystore, i.e.

-storetype jks

If you have already created the keystore and need to convert use

keytool -importkeystore -srckeystore synametrics.pks -srcstoretype pkcs12 -destkeystore synametrics.cert -deststoretype jks -deststorepass [PASSWORD]

If you don't, Xeams will fail to start after the reboot.

I hope this helps others that are having similar issues to me.

From: Synametrics Support
Date: 10/3/21 10:39 AM
Topic: Cert file creation - keystore type
Type: Installation

Adrian,

Thank you very much for posting this tip. However, Xeams can accept both formats: JKS as well as PKCS12. Therefore, you have two choices:

  • Convert the cert to JKS as you recommended above, OR
  • Using Xeams web interface, specify the format as PKCS12. See image below.


From: Brian
Date: 10/17/21 12:52 PM
Topic: Cert file creation - keystore type
Type: Installation

Thanks Adrian!

After many, many unfruitful hours of testing, trying, and chasing error logs, I was beginning to arrive at this same conclusion. Forcing the keystore to the JKS type solved my issues as well!

Synametrics support: I have not been successful in getting a PKCS12 keystore to work, either by creating the keystore as a default PKCS12 type or by migrating a known-good JKS keystore to PKCS12. The following error always occurs:

2021-10-17 10:36:03,994 ERROR http11.Http11Protocol - Failed to initialize end point associated with ProtocolHandler ["http-bio-443"]
java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
at sun.security.pkcs12.PKCS12KeyStore.parseAlgParameters(PKCS12KeyStore.java:792)

This is on build 6201, using the Synametrics VM package.

I'm not concerned at this point as the JKS keystore will work fine for my needs, despite being deprecated for security risks. It might be worth a look to see if your devs can reproduce the issue. I'd also suggest an enhancement to validate the new keystore and credentials in the UI when the user changes the cert keystore. This would save dozens of hours of frustrating application restarts.

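A check that a practitioner would want before restarting the server yet again: tell from the file's bytes alone which keystore type it actually is, and, for a PKCS12 file, which password-based encryption scheme protects it. This is an added example, not Xeams code and not from any post in this thread. It covers the JKS/PKCS12 distinction that Adrian's -storetype tip turns on, and it is a diagnostic for the error Brian quotes: "tag = 48" is a DER SEQUENCE (0x30), so Java's PKCS12 parser found a SEQUENCE where it expected an OBJECT IDENTIFIER while reading the algorithm parameters. One common cause of that is a PKCS12 file protected with PBES2 (the OpenSSL 3.x default) being opened by an older Java runtime that only understands the legacy PKCS#12 PBE schemes. The sample inputs are constructed inside the script (hand-built PFX skeletons with dummy ciphertext, not real keystores); the OID table is the standard PKCS#5, PKCS#12 and NIST assignments.

```python
"""Keystore triage: tell JKS from PKCS12 by its leading bytes and, for PKCS12, report the
password-based encryption scheme. Pure Python; sample inputs are constructed skeletons."""
import sys

def der(tag, body):  # minimal DER TLV encoder, used only to build the sample files
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def oid(dotted):  # dotted OID -> OBJECT IDENTIFIER content bytes (base-128 arcs)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a >> 7:
            a >>= 7
            chunk.insert(0, (a & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)

PBE_OIDS = {  # standard PKCS#5 / PKCS#12 / NIST assignments, keyed by encoded OID
    oid("1.2.840.113549.1.12.1.3"): "pbeWithSHA1And3-KeyTripleDES-CBC (legacy PKCS#12 PBE)",
    oid("1.2.840.113549.1.12.1.6"): "pbeWithSHA1And40BitRC2-CBC (legacy PKCS#12 PBE)",
    oid("1.2.840.113549.1.5.13"): "PBES2 (PKCS#5 v2; OpenSSL 3.x default)",
    oid("1.2.840.113549.1.5.12"): "PBKDF2 (inside PBES2)",
    oid("2.16.840.1.101.3.4.1.42"): "aes256-CBC (inside PBES2)",
}

def der_length(buf, pos):  # DER length at buf[pos] -> (length, offset of content)
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def walk_der(buf, oids):  # collect every OID; a PFX nests AuthenticatedSafe inside an OCTET STRING
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        length, start = der_length(buf, pos + 1)
        end = start + length
        if end > len(buf):
            raise ValueError("truncated DER element")
        body = buf[start:end]
        if tag == 0x06:
            oids.append(body)
        elif tag & 0x20:  # constructed: SEQUENCE, SET, [n] EXPLICIT ...
            walk_der(body, oids)
        elif tag == 0x04 and body[:1] == b"\x30":
            try:
                walk_der(body, oids)
            except (ValueError, IndexError):
                pass  # opaque octets (a salt or IV) that merely start with 0x30
        pos = end

def identify(data):  # 'jks', 'pkcs12', 'pem' or 'unknown'
    if data.startswith(b"-----BEGIN "):
        return "pem"
    if data[:4] == b"\xfe\xed\xfe\xed":
        return "jks"  # JKS magic; the store version word follows
    try:  # PFX ::= SEQUENCE { version INTEGER v3(3), ... }; 0x30 is the "tag = 48" in Java's error
        if data[0] == 0x30 and data[der_length(data, 1)[1]:][:3] == b"\x02\x01\x03":
            return "pkcs12"
    except (ValueError, IndexError):
        pass
    return "unknown"

def pbe_schemes(data):  # recognised PBE/KDF/cipher names in a PKCS12 blob, in order
    oids = []
    try:
        walk_der(data, oids)
    except (ValueError, IndexError):
        pass  # not DER, or truncated: report whatever was found before the damage
    return [PBE_OIDS[o] for o in oids if o in PBE_OIDS]

def protection_kind(data):  # 'pbes2', 'legacy' (only PKCS#12 PBE schemes) or 'none'
    names = pbe_schemes(data)
    if any(n.startswith("PBES2") for n in names):
        return "pbes2"
    return "legacy" if any("legacy" in n for n in names) else "none"

def sample_pfx(scheme, params):  # PFX { v3, data { OCTET STRING { [ encryptedData { alg } ] } } }
    alg = der(0x30, der(0x06, oid(scheme)) + params)  # the AlgorithmIdentifier under test
    eci = der(0x30, der(0x06, oid("1.2.840.113549.1.7.1")) + alg + der(0x80, bytes(16)))
    enc = der(0x30, der(0x06, oid("1.2.840.113549.1.7.6")) + der(0xA0, der(0x30, der(0x02, b"\x00") + eci)))
    outer = der(0x30, der(0x06, oid("1.2.840.113549.1.7.1")) + der(0xA0, der(0x04, der(0x30, enc))))
    return der(0x30, der(0x02, b"\x03") + outer)
# constructed samples: hand-built DER, ciphertext/IV are dummy zeros, salt is 01..08
KDF_PARAMS = der(0x30, der(0x04, bytes(range(1, 9))) + der(0x02, b"\x08\x00"))  # salt, 2048 iterations
PBES2_PARAMS = der(0x30, der(0x30, der(0x06, oid("1.2.840.113549.1.5.12")) + KDF_PARAMS)
                   + der(0x30, der(0x06, oid("2.16.840.1.101.3.4.1.42")) + der(0x04, bytes(16))))
JKS_SAMPLE = b"\xfe\xed\xfe\xed\x00\x00\x00\x02\x00\x00\x00\x01"  # magic, version 2, one entry
LEGACY_P12 = sample_pfx("1.2.840.113549.1.12.1.3", KDF_PARAMS)  # pkcs-12PbeParams has the same shape
PBES2_P12 = sample_pfx("1.2.840.113549.1.5.13", PBES2_PARAMS)

if __name__ == "__main__":
    blobs = [("jks-sample", JKS_SAMPLE), ("legacy-p12", LEGACY_P12), ("pbes2-p12", PBES2_P12)]
    blobs += [(p, open(p, "rb").read()) for p in sys.argv[1:]]  # real files, e.g. xeams.p12
    for name, blob in blobs:
        kind = identify(blob)
        detail = f" {protection_kind(blob)}: " + "; ".join(pbe_schemes(blob)) if kind == "pkcs12" else ""
        print(f"{name}: {kind}{detail}")
```

Run it against the file Xeams is pointed at (python3 keystore_triage.py /opt/xeams/config/xeams.p12, script name assumed). If it reports pkcs12 but the server expects JKS, or the other way round, fix the Xeams format setting or convert as Adrian shows. If it reports pbes2 and the Java runtime rejects the file with the tag = 48 error, either re-export with the legacy schemes (OpenSSL 3.x: openssl pkcs12 -export -legacy ..., or explicitly -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1) or convert to JKS with keytool -importkeystore; that keeps the key material unchanged and only changes the wrapper the old parser has to read.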

From: Synametrics Support
Date: 10/18/21 9:28 AM
Topic: Cert file creation - keystore type
Type: Installation

Brian,

PKCS12 definitely works in Xeams. In fact, a certificate from Let's Encrypt uses PKCS12.

If you like, call our support department and we can help you get the PKCS12 cert working.


From: Anonymous
Date: 2/18/24 12:07 PM
Topic: Cert file creation - keystore type
Type: Installation

My PKCS12 cert stopped working for me after a renewal from LE after 01/26/24.

For years I was converting to a PKCS12 keystore with

openssl pkcs12 -export -inkey /etc/letsencrypt/live/mydomain/privkey.pem -in /etc/letsencrypt/live/mydomain/fullchain.pem -out /opt/xeams/config/xeams.p12 -name xeams -password pass:mypassword

It was not opening my HTTPS port, though there was no error in xeams.log. It even positively stated that "port was brought online". I could not find any error in the logs.

Using keytool for the keystore import brought up the same issue. I had to convert back to JKS format. Could the reason it stopped working be ECDSA keys in the recent builds?


From: Synametrics Support
Date: 2/20/24 10:26 AM
Topic: Cert file creation - keystore type
Type: Installation

There is no need for you to run either openssl or keytool when using Let's Encrypt. Xeams will take care of these steps on its own. Using these tools to modify the cert will only make matters worse.

I recommend you watch a video https://www.xeams.com/video-letsencrypt.htm on creating a certificate and avoiding manually modifying the files.
