Is there an invalid PKCS#12 password when generating with Ansible openssl_pkcs12 module? - Centos

pawanu
April 27, 2023
259 views
0 votes
2 Answers

I am trying to generate a PKCS12 file using Ansible openssl_pkcs12 module. I am successfully able to generate the certificate but when I am trying to import it to tlsKeyStore in my CentOS VM or open manually it always says invalid password. But the password is correct.

But if I generate the same PKCS12 certificate manually using openssl command from the same CentOS VM, I am able to import it to the tlsKeyStore and can open as well with the same password.

Below is the snippet of code:

- name: Generate PKCS#12 file
  openssl_pkcs12:
    action: export
    path: server_cert-ca.p12
    friendly_name: Test
    passphrase: xxxx
    privatekey_path: server-privatekey.pem
    certificate_path: server_cert.pem
    state: present
  loop: "{{ my_list }}"

Below is the Error while importing:

keytool -importkeystore -srckeystore server_cert-ca.p12 -srcstoretype pkcs12 -destkeystore tlsKeyStore -deststoretype jks
Importing keystore server_cert-ca.p12 to tlsKeyStore...
Enter destination keystore password:  
Re-enter new password: 
Enter source keystore password:  
keytool error: java.io.IOException: keystore password was incorrect

Could someone comment whether there is something wrong with this Ansible module?

Answers

Chosen as BEST ANSWER
- pawanu
- April 28, 2023 at 6:40 am
- 0 votes
0
Thanks for testing...Eventually I fixed the issue by reinstalling my ansible in a Virtual env and also I set the keytool env variable as below:
```
- name: Generate PKCS#12 file
  openssl_pkcs12:
    action: export
    path: server_cert-ca.p12
    friendly_name: Test
    passphrase: xxxx
    privatekey_path: server-privatekey.pem
    certificate_path: server_cert.pem
    state: present
  loop: "{{ my_list }}"
  args:
     executable: "/bin/keytool"
```

(Edit)

~/test$ pwd
/home/user/test

A minimal example playbook pkcs12.yaml

---
- hosts: localhost
  become: true
  gather_facts: true

  tasks:

  - name: Generate PKCS#12 file
    openssl_pkcs12:
      action: export
      path: "{{ ansible_nodename }}.p12"
      friendly_name: Test # alias
      passphrase: "P4ssw0rd" # of the P12 file
      privatekey_path: "/etc/pki/tls/private/{{ ansible_nodename }}.key"
      certificate_path: "/etc/pki/tls/certs/{{ ansible_nodename }}.pem"
      state: present

will result into a P12 file generated and further results

# Create JKS file
~/test$ sudo keytool -importkeystore -srckeystore $(hostname).p12 -srcstoretype pkcs12 -destkeystore tlsKeyStore -deststoretype jks
Importing keystore test.example.com.p12 to tlsKeyStore...
Enter destination keystore password: # of the JKS file
Re-enter new password: # of the JKS file
Enter source keystore password: # of the P12 file
Entry for alias test successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

# Check JKS file
~/test$ keytool -list -keystore tlsKeyStore
Enter keystore password: # of the JKS file
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

test, Apr 27, 2023, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 00:00:00 ...

To summarize, I am not able to reproduce an issue.

Please signup or login to give your own answer.

Click here to cancel reply.

Is there an invalid PKCS#12 password when generating with Ansible openssl_pkcs12 module? – Centos

Answers