keytool error: "java.lang.Exception: Cannot derive signature algorithm" when creating a keystore with AES
When working with Java keystores (JKS or JCEKS), especially in environments like Oracle Utilities Application Framework (OUAF), creating keys correctly is critical for SSL and application integration. In this post, we cover a common error:
When we generate the keystore with keytool, we get this error. It typically occurs when trying to generate a key pair with a symmetric algorithm such as AES, which is not designed for digital signatures.
Step 1: the failing command
keytool -genkeypair -alias ouaf.system -keyalg AES -keystore /u02/app/oracle/product/OUAF/OMCCB/ouafkeystore.jks -keysize 128 -storetype JCEKS -dname "CN=omccb,OU=Andavatit,O=adavattecht,C=AE" -validity 365
Understanding the Root Cause
-genkeypair is used for asymmetric keys (e.g., RSA), not symmetric keys like AES.
AES is a symmetric encryption algorithm and doesn’t support public/private key pairs or digital signatures.
Step 2: use -genseckey instead
With AES we can't use -genkeypair. The -genkeypair option (formerly -genkey) generates a public key and its associated private key, so it only works with asymmetric algorithms; AES is symmetric, so it cannot be used with -genkeypair. The right option is -genseckey, which stores the AES key as a secret key entry; that requires a JCEKS store, since plain JKS cannot hold secret keys.
cissys @ omccb/home/cissys >cat ss.sh
keytool -genseckey -alias ouaf.system -keyalg AES -keystore /u02/app/oracle/product/OUAF/OMCCB/ouafkeystore.jks -keysize 128 -storetype JCEKS -dname "CN=omccb,OU=OICIT,O=<Companyname>,C=AE" -validity 365
cissys @ omccb.oasiserp.com/home/cissys >
cissys @ omccb.oasiserp.com/home/cissys >./ss.sh
Enter keystore password:
Re-enter new password:
Enter key password for <ouaf.system>
(RETURN if same as keystore password):
Re-enter new password:
Steps for Creating a Full Public Key Infrastructure (PKI)
Step 1: Create the CA Root Key and Self-Signed Certificate (RSA, via OpenSSL)
$ ./root_cert.sh
Generating a 4096 bit RSA private key
.............................................................................................................................................................................................................++
..........................................++
writing new private key to 'cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:AE
State or Province Name (full name) [Some-State]:Dubai
Locality Name (eg, city) []:Dubai
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Company Name
Organizational Unit Name (eg, section) []:OICIT
Common Name (e.g. server FQDN or YOUR name) []:omccb.
Email Address []:palaneandavar@alshirawi.ae
Step 2: Create an RSA Public/Private Key Pair for SSL
keytool -genkey -alias omccb -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "CN=<domain name>,OU=OICIT,O=<company name>,C=AE" -keypass OMccb123 -keystore omccb.jks -storepass <Password>
$
$ keytool -list -keystore omccb.jks -storepass <Password>
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
omccb, Jun 15, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): DD:F2:BE:B1:7F:EF:ED:68:D3:42:5C:77:7E:DF:E3:6A:CE:47:B8:DA
Step 3: Generate a CSR (Certificate Signing Request)
$ keytool -certreq -v -alias omccb -file omccb.csr -sigalg SHA256withRSA -keypass <keypass> -storepass <storepass> -keystore omccb.jks
Certification request stored in file <omccb.csr>
Submit this to your CA
$
Step 4: Sign the CSR Using OpenSSL (as CA)
If you are acting as your own CA, sign the CSR with the CA key and certificate created in Step 1.
You'll be prompted for the CA's password (the PEM pass phrase set when cakey.pem was generated).
$ openssl x509 -req -in omccb.csr -CA cacert.pem -CAkey cakey.pem -CAcreateserial -out omccb.cer
Signature ok
subject=/C=AE/O=OasisInvestmentC0mpany/OU=OICIT/CN=omccb.oasiserp.com
Getting CA Private Key
Enter pass phrase for cakey.pem:
$
Step 5: Import the CA Root Certificate into the Keystore
Before importing your signed certificate, you must trust the CA root:
$ keytool -import -v -noprompt -trustcacerts -alias rootcacert -file cacert.pem -keystore omccb.jks -storepass <password>
Certificate was added to keystore
[Storing omccb.jks]
Step 6: Import the Signed Certificate Back to the Keystore
Finally, import the signed certificate to complete the keystore:
$ keytool -import -v -alias omccb -file omccb.cer -keystore omccb.jks -keypass OMccb123 -storepass <storepass>
Certificate reply was installed in keystore
[Storing omccb.jks]
$
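The corrected procedure (the -genseckey fix plus PKI Steps 1 to 6) as one unattended script with two post-build checks, added here as an example and not code from the original post. It assumes keytool and openssl are on PATH; the host name omccb.example.test, the CA subject, the 2048-bit key size and the passwords are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: the corrected six-step
# procedure run end to end without prompts. Assumes keytool and openssl on
# PATH; host name, subjects and passwords are constructed placeholders.
set -eu

# AES is symmetric: -genseckey stores it as a SecretKeyEntry, which needs a
# JCEKS store (JKS cannot hold secret keys). No -dname or -validity: there
# is no certificate, because an AES key cannot sign anything.
gen_aes_secret() {   # $1=keystore $2=storepass $3=keypass
  keytool -genseckey -alias ouaf.system -keyalg AES -keysize 128 \
    -storetype JCEKS -keystore "$1" -storepass "$2" -keypass "$3"
}

build_pki() (        # $1=workdir $2=storepass $3=keypass (runs in a subshell)
  mkdir -p "$1" && cd "$1"
  gen_aes_secret ouafkeystore.jceks "$2" "$3"
  # Step 1: self-signed root CA. -nodes leaves the CA key unencrypted so the
  # script can run unattended; a production CA key stays passphrase-protected.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout cakey.pem -out cacert.pem -subj "/C=AE/O=Example/CN=Example Root CA"
  # Step 2: RSA key pair, the asymmetric key -genkeypair and -certreq require.
  keytool -genkeypair -alias omccb -keyalg RSA -keysize 2048 -sigalg SHA256withRSA \
    -dname "CN=omccb.example.test,OU=OICIT,O=Example,C=AE" -validity 365 \
    -storetype JKS -keystore omccb.jks -storepass "$2" -keypass "$3"
  # Step 3: CSR for the key pair.
  keytool -certreq -alias omccb -sigalg SHA256withRSA -file omccb.csr \
    -keystore omccb.jks -storepass "$2" -keypass "$3"
  # Step 4: sign as the CA. -days is explicit because openssl x509 defaults to 30.
  openssl x509 -req -sha256 -days 365 -in omccb.csr -CA cacert.pem \
    -CAkey cakey.pem -CAcreateserial -out omccb.cer
  # Step 5: trust the root first; otherwise the reply in step 6 is rejected.
  keytool -importcert -noprompt -trustcacerts -alias rootcacert -file cacert.pem \
    -keystore omccb.jks -storepass "$2"
  # Step 6: install the signed reply under the same alias as the key pair.
  keytool -importcert -noprompt -alias omccb -file omccb.cer \
    -keystore omccb.jks -storepass "$2" -keypass "$3"
)

# Check: chain length of the PrivateKeyEntry; 2 means leaf + root are linked.
chain_length() {     # $1=keystore $2=storepass $3=alias
  keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null |
    sed -n 's/^Certificate chain length: *//p'
}
# Check: the AES key landed as a SecretKeyEntry in the JCEKS store.
secret_key_entries() {   # $1=jceks keystore $2=storepass
  keytool -list -keystore "$1" -storetype JCEKS -storepass "$2" 2>/dev/null |
    grep -c SecretKeyEntry
}
```

Call build_pki with a work directory and the two passwords; afterwards chain_length on omccb.jks prints 2 and secret_key_entries on ouafkeystore.jceks prints 1.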