IBM Support

Troubleshooting: Unable to open PKCS12 keystores due to an UnrecoverableKeyException

Troubleshooting


Problem

During startup of WebSphere Application Server or WebSphere Liberty, a failure occurs and startup is aborted; or, while performing management operations on a PKCS12 keystore, an error occurs that prevents the keystore operation. An error that indicates a failure to load a keystore is recorded in the logs.
 
Additionally, attempts to roll back to a previous SDK version do not resolve the problem. 
 

Symptom

In the log files on the affected server, or during keystore management operations, you might observe any number of messages and thread stacks related to failing to load or manage a PKCS12 keystore:
 
  • com.ibm.security.pkcsutil.PKCSException: Error extracting SafeBags from PFX (java.io.IOException: java.lang.reflect.InvocationTargetException)
  • Error in loading the keystore: DerValue.getOctetString, not an Octet String: 48.
  • java.io.IOException: Error extracting keyentry aliases from PFX
  • java.io.IOException: Integrity check failed: java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
  • java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
  • java.security.UnrecoverableKeyException: Failed PKCS12 integrity checking
  • Key store file <FILE_NAME> did not verify, make sure the file or keyring exists, check key store type and password.
    • This specific message can also be caused by an incorrect password. Verify the password used for the keystore first.
  • Private key not stored as PKCS#8 EncryptedPrivateKeyInfo
 
The errors can be embedded in other exceptions:
  • CWPKI0061E: Error while initializing keymanager for the NodeDefaultSSLSettings SSLContext. The NodeDefaultKeyStore keystore at /opt/IBM/WebSphere/AppServer/profiles/myServer/config/cells/myCell/nodes/myNode/key.p12 might have a personal certificate with a password that is different from the keystore password. The extended error message is as follows: Private key not stored as PKCS#8 EncryptedPrivateKeyInfo: java.io.IOException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
 
The errors displayed in the admin console during a keystore management operation (including deletion, importing, exporting, receiving from a certificate authority, or renewing a certificate):
  • If the keystore itself was initially created with the stronger algorithms, the operation fails with this error:
 Error: An error occurred deleting <CERTIFICATE NAME>: CWPKI0033E: The keystore located at "/opt/IBM/WebSphere/AppServer/profiles/AppSrv01/wstemp/-1288659335/workspace/cells/<<REDACTED>>Cell01/nodes/<<REDACTED>>Node01/deleted.p12" failed to load due to the following error: Error extracting keyentry aliases from PFX.
  • If the keystore was initially created with the weaker algorithms (but some certificates are using the stronger algorithms), the operation fails with this error:
An error occurred deleting <<CERTIFICATE NAME>>: Private key not stored as PKCS#8 EncryptedPrivateKeyInfoObjectIdentifier() - data isn't an object ID (tag = 48)
  • During a certificate import (or export), if the keystore is using the weaker algorithms, you might see a generic error reported if the keystore exists.
    This error is normally seen when the password is entered incorrectly (the operation performs this check after you press OK or Apply). If you see this specific error message, verify the password as a first step before proceeding.
CWPKI0663E: Key store file key.p12 did not verify, make sure the file or keyring exists, check key store type and password.
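
The following Python example is added here and is not IBM code. It scans log lines for the messages listed above, groups them by keystore, and marks keystores where only the "did not verify" message appears so that the password is checked first. The function name, the regular expressions and the sample lines are assumptions constructed from the message texts on this page.

```python
import re

# Message fragments quoted from the Symptom list. Substring matching is used
# because they are often nested inside other exceptions (e.g. CWPKI0061E).
AMBIGUOUS = "did not verify, make sure the file or keyring exists"
SIGNATURES = [
    "Error extracting SafeBags from PFX",
    "DerValue.getOctetString, not an Octet String: 48",
    "Error extracting keyentry aliases from PFX",
    "Failed PKCS12 integrity checking",
    "data isn't an object ID (tag = 48)",
    "Private key not stored as PKCS#8 EncryptedPrivateKeyInfo",
    AMBIGUOUS,  # also produced by a wrong keystore password
]
# Path as worded in CWPKI0061E ("keystore at <path> ") and CWPKI0033E
# ('keystore located at "<path>" '); CWPKI0663E names only the file.
PATH_RE = re.compile(r'keystore (?:located )?at "?(\S+?\.p12)"? ')
FILE_RE = re.compile(r"Key store file (\S+) did not verify")

def triage(lines):
    """Group matching log lines by keystore and flag password-first cases."""
    findings = {}
    for line in lines:
        hits = {s for s in SIGNATURES if s in line}
        if not hits:
            continue
        m = PATH_RE.search(line) or FILE_RE.search(line)
        keystore = m.group(1) if m else "<unknown keystore>"
        findings.setdefault(keystore, set()).update(hits)
    # If the only evidence is the ambiguous message, rule out a bad password
    # before treating the keystore as affected by this problem.
    return {k: {"signatures": v, "check_password_first": v == {AMBIGUOUS}}
            for k, v in findings.items()}

# Constructed sample lines, assembled from the message texts on this page.
KEYSTORE = "/opt/IBM/WebSphere/AppServer/profiles/myServer/config/cells/myCell/nodes/myNode/key.p12"
SAMPLE = [
    "CWPKI0061E: Error while initializing keymanager for the NodeDefaultSSLSettings "
    f"SSLContext. The NodeDefaultKeyStore keystore at {KEYSTORE} might have a personal "
    "certificate with a password that is different from the keystore password. The "
    "extended error message is as follows: Private key not stored as PKCS#8 "
    "EncryptedPrivateKeyInfo: java.io.IOException: ObjectIdentifier() -- data isn't "
    "an object ID (tag = 48)",
    "CWPKI0663E: Key store file key.p12 did not verify, make sure the file or keyring "
    "exists, check key store type and password.",
    "constructed unrelated line: server started",
]

if __name__ == "__main__":
    for name, info in triage(SAMPLE).items():
        print(name, sorted(info["signatures"]), info["check_password_first"])
```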

Document Location

Worldwide



Document Information

Modified date:
04 November 2025

UID

ibm16966722