Server-side certificate - Different KeyStore and Private Key passwords

Hi,

I’ve followed the instructions on HowTos on how to configure server-side TLS with HiveMQ and Keytool (self-signed).

Step 1 is to create a hivemq.jks file using keytool, with password “changeme”:

keytool -genkey -keyalg RSA -alias hivemq -keystore hivemq.jks -storepass changeme -validity 360 -keysize 2048

After entering my info and confirming the correct entries with yes, a new file is created on my computer.

How can I perform the following step?

Determine the password for the newly generated key (It is highly recommended to use another password for the key than the key store itself)

For the moment, I skipped this step and my config.xml has to look like this in order for SSL to work:

<keystore>
    <path>hivemq.jks</path>
    <password>changeme</password>
    <private-key-password>changeme</private-key-password>
</keystore>

How can I have 2 different passwords for the keystore and for the private key?

Hi @nhosko,

Just replace the store password -storepass changeme with a password of your choice, e.g. -storepass superSecurePassword.

Then the config would look like this:

<keystore>
    <path>hivemq.jks</path>
    <password>superSecurePassword</password>
    <private-key-password>superSecurePassword</private-key-password>
</keystore>

This is currently not possible with the default store type (aka PKCS12) that keytool generates. If you added -keypass customKeyPassword to your command to set a key password:
keytool -genkey -keyalg RSA -alias hivemq -keystore hivemq.jks -storepass changeme -validity 360 -keysize 2048 -keypass customKeyPassword

keytool would print
Warning: Different store and key passwords not supported for PKCS12 KeyStores.
and ignore the key password.

The workaround is to use JKS instead of PKCS12 as the keystore type: -deststoretype JKS

Example:
keytool -genkey -keyalg RSA -alias hivemq -keystore hivemq.jks -storepass changeme -validity 360 -keysize 2048 -keypass customKeyPassword -deststoretype JKS

Now you have separate passwords for key and keystore. Then the config would look like this:

<keystore>
    <path>hivemq.jks</path>
    <password>superSecurePassword</password>
    <private-key-password>customKeyPassword</private-key-password>
</keystore>

Greetings,
Michael
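To verify which password actually unlocks the private key in the generated hivemq.jks (and therefore what belongs in <password> and <private-key-password>), here is an added Java check that is not part of the original thread or of HiveMQ. It assumes the file, alias and the two passwords from the commands above are passed on the command line, and that the store is readable as type "JKS" (which, since JDK 9, also reads PKCS12 files in the default compatibility mode).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;

/**
 * Added example (not HiveMQ code). Reports whether the private key under an
 * alias is protected by a password different from the store password.
 *
 * Usage: java KeyStorePasswordCheck hivemq.jks hivemq changeme customKeyPassword
 */
public class KeyStorePasswordCheck {

    /** Loads the store; a wrong store password fails the integrity check here. */
    static KeyStore load(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumption: JKS (reads PKCS12 too on JDK 9+)
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** True if the given password unlocks the private key; JKS throws "Cannot recover key" otherwise. */
    static boolean keyOpensWith(KeyStore ks, String alias, char[] pass) throws Exception {
        try {
            Key k = ks.getKey(alias, pass);
            return k != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeyStorePasswordCheck <keystore> <alias> <storepass> <keypass>");
            System.exit(2);
        }
        char[] storePass = args[2].toCharArray(), keyPass = args[3].toCharArray();
        KeyStore ks = load(args[0], storePass);
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[1]);
        System.out.println("Subject: " + cert.getSubjectX500Principal() + ", expires " + cert.getNotAfter());

        boolean withKeyPass = keyOpensWith(ks, args[1], keyPass);
        boolean withStorePass = keyOpensWith(ks, args[1], storePass);
        if (withKeyPass && !withStorePass) {
            System.out.println("OK: store password and private-key password are separate.");
        } else if (withKeyPass) {
            System.out.println("NOTE: the store password also unlocks the key (PKCS12 default, or identical passwords).");
        } else {
            System.out.println("FAIL: the supplied key password does not unlock the key.");
        }
    }
}
```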