Generating JKS using Keystore - Errors even on success

I am using the post script example for creating a JKS, but it always shows as an error even when it has actually completed. It appears the PowerShell comments are being output as errors when they shouldn't be. Am I missing something?

The .ps1 script being run:

param($result)  

keytool -importkeystore -srckeystore $result.ManagedItem.CertificatePath -srcstoretype pkcs12 -destkeystore C:\Users\name\Documents\fsa-keystore.jks -deststoretype pkcs12 -deststorepass password -srcstorepass password

And the error log as you can see which is actually a success:

2023-07-10 18:49:06.498 +01:00 [INF] ---- Performing Task [On-Demand or Manual Execution] :: Create Javascript Keystore ----
2023-07-10 18:49:06.498 +01:00 [INF] Task [Create Javascript Keystore] :: Task will run for any status
2023-07-10 18:49:06.499 +01:00 [INF] Executing command via PowerShell
2023-07-10 18:49:07.698 +01:00 [ERR] Powershell Task Completed.Error: keytool.exe: Importing keystore C:\ProgramData\certify\assets\server.acropolis-aviation.com\20231008_f6bf4a34.pfx to C:\Users\name\Documents\fsa-keystore.jks...
At C:\Users\name\Documents\CreateJKS.ps1:5 char:1
+ keytool -importkeystore -srckeystore $result.ManagedItem.CertificateP ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: keytool.exe: Entry for alias server.acropolis-aviation.com [certify] 7/10/2023 5:01:58 pm to 10/8/2023 5:01:57 pm successfully imported.
At C:\Users\name\Documents\CreateJKS.ps1:5 char:1
+ keytool -importkeystore -srckeystore $result.ManagedItem.CertificateP ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: keytool.exe: Import command completed:  1 entries successfully imported, 0 entries failed or cancelled
At C:\Users\name\Documents\CreateJKS.ps1:5 char:1
+ keytool -importkeystore -srckeystore $result.ManagedItem.CertificateP ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

How can I stop this from happening so I get a success message?

keytool (or Java) seems to write to the error stream in PowerShell, which is a problem because we capture the error stream and assume they are real errors.

I did have some luck in my own testing by redirecting all output streams to null in PowerShell:

param($result)  

keytool -importkeystore -srckeystore $result.ManagedItem.CertificatePath -srcstoretype pkcs12 -destkeystore C:\temp\certify\powershell\keytool-keystore3.jks -deststoretype pkcs12 -deststorepass testing -srcstorepass test *>&1

But this seems to suffer from a hang, probably waiting for a stream to close. So it kind of works but you’d have to wait for it to timeout before running it again.

Instead, I would suggest using an Export Certificate task to write the pfx out to a known file name then a “Run…” task to run a batch file with your keytool command to import that file into your key store.

As a follow-up to this, the trick to not having keytool appear to hang is to use -noprompt, so the following script is fully working:

param($result)  

# requires keytool in the system path
keytool -noprompt -importkeystore -srckeystore $result.ManagedItem.CertificatePath -srcstoretype pkcs12 -destkeystore C:\temp\certify\powershell\keytool-keystore3.jks -deststoretype pkcs12 -deststorepass testing -srcstorepass test *>&1

We’ll probably make this into a built in deployment task at some point.
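As an added example (not code from this thread or from the Certify project), the script below applies the same two fixes discussed above (-noprompt and merging all streams with *>&1) but stops short of treating "no text on stderr" as proof of success: it reads keytool's exit code and parses the "N entries successfully imported, M entries failed or cancelled" summary that appears in the log above, and throws only when those indicate a real failure. It assumes keytool is on the PATH, that $result.ManagedItem.CertificatePath is populated as in the original script, and uses the keystore path and passwords from the thread as placeholder parameter defaults.

```powershell
# Added example (not from the original thread or the Certify project): import the issued PFX into a
# JKS with keytool and decide success from the exit code and keytool's own summary line, rather than
# from whether anything was written to the error stream.
param(
    $result,
    [string]$DestKeystore  = 'C:\temp\certify\powershell\keytool-keystore3.jks',  # placeholder path from the thread
    [string]$DestStorePass = 'testing',   # placeholder; pass real values as parameters, not hard-coded
    [string]$SrcStorePass  = 'test'       # placeholder
)

# keytool writes its progress messages to stderr. Under 'Stop', Windows PowerShell 5.1 turns the first
# redirected stderr line of a native command into a terminating error, so force 'Continue' here.
$ErrorActionPreference = 'Continue'

$pfx = $result.ManagedItem.CertificatePath
if (-not (Test-Path -LiteralPath $pfx)) {
    throw "Source PFX not found: $pfx"
}

# -noprompt suppresses the interactive "overwrite existing entry?" question that otherwise hangs the task.
# *>&1 merges every stream into the success stream so nothing reaches the captured error stream;
# the "$_" cast flattens NativeCommandError records into plain text.
$lines = & keytool -noprompt -importkeystore `
    -srckeystore  $pfx          -srcstoretype  pkcs12 -srcstorepass  $SrcStorePass `
    -destkeystore $DestKeystore -deststoretype pkcs12 -deststorepass $DestStorePass *>&1 |
    ForEach-Object { "$_" }
$exitCode = $LASTEXITCODE

if ($exitCode -ne 0) {
    # A genuine failure: surface keytool's own text so the task log explains why.
    throw "keytool -importkeystore failed (exit code $exitCode):`n$($lines -join "`n")"
}

# Parse the summary line keytool prints, e.g.
# "Import command completed:  1 entries successfully imported, 0 entries failed or cancelled"
$summary = $lines | Where-Object { $_ -match 'Import command completed' } | Select-Object -First 1
if ($summary -match '(\d+) entries successfully imported, (\d+) entries failed') {
    $imported = [int]$Matches[1]
    $failed   = [int]$Matches[2]
} else {
    throw "Could not find keytool's import summary in output:`n$($lines -join "`n")"
}

if ($failed -gt 0 -or $imported -lt 1) {
    throw "keytool reported $imported imported / $failed failed entries"
}

# Only ordinary output from here on, so the task is recorded as a success.
Write-Output "Imported $imported entry(ies) from $pfx into $DestKeystore"
exit 0
```

The exit-code check is what makes this safe to rely on in a deployment pipeline: merging streams alone would also hide a wrong store password or a missing PFX, whereas here those still fail the task with keytool's message in the log. Passing the store passwords as parameters keeps them out of the script file, though they remain visible on the keytool command line for the duration of the import.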