
Trouble using keystore in PKCS12 format

843811 Member Posts: 49,851 Green Ribbon
Has anyone had much luck using a Java keystore in PKCS12 format? I work at a company where we use this format to store SSL certificates. Unfortunately keytool doesn't seem to work well with it. I have a certificate chain in DER format, and I am trying to import the file into our keystore.

keytool -import -alias aliasname -file vChain.cer -keystore keystore.p12 -storetype pkcs12
Enter keystore password:
Trust this certificate? [no]: yes
keytool error: TrustedCertEntry not supported

Is it possible to import a DER or PEM certificate into a PKCS12 keystore? I have tried using openssl to convert the certificate into PKCS12 format before importing, but that doesn't work either, because it complains about not finding a private key.

Any help would be appreciated! Thanks.


  • 843811
    843811 Member Posts: 49,851 Green Ribbon
    OK, it looks like keytool does not support storing trusted certs in a pkcs12 keystore:

    The recommendation is to "Use JKS (or JCEKS) keystore for storing trusted certificates." However that is not an option in my situation. Does anyone have an idea for a workaround? Thanks.
  • 843811
    843811 Member Posts: 49,851 Green Ribbon
    I worked around the problem by adding the certificates to the JDK's cacerts file, instead of trying to add them to the PKCS12 keystore. It turns out that you cannot correctly add a trusted cert to a PKCS12 keystore. You can however have the JDK trust the certificates stored in its cacerts file, which do not require public/private key pairs.

    The cacerts file is located in $JAVA_HOME/jre/lib/security.

    You can add certificates to it using keytool, for example:
    keytool -importcert -keystore cacerts -file certificate.cer -alias customername
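Added example, not code from the thread: the same import done through the java.security.KeyStore API, which tries the PKCS12 keystore first and, if the provider rejects trusted entries with the KeyStoreException seen above, falls back to a separate JKS truststore instead of editing the JDK-wide cacerts (an application can then be pointed at that file with -Djavax.net.ssl.trustStore). File paths and the "chain-N" alias scheme are assumptions.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collection;

public class ImportTrustedCert {
    // Load a keystore of the given type, or initialise an empty one if the file does not exist yet.
    static KeyStore load(String type, String path, char[] pw) throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        File f = new File(path);
        try (FileInputStream in = f.exists() ? new FileInputStream(f) : null) {
            ks.load(in, pw); // a null stream initialises an empty keystore
        }
        return ks;
    }
    // Alias scheme "chain-N" is an assumption; use something meaningful in practice.
    static void addAll(KeyStore ks, Collection<? extends Certificate> chain) throws KeyStoreException {
        int i = 0;
        for (Certificate c : chain) {
            ks.setCertificateEntry("chain-" + i++, c);
        }
    }
    // Import every certificate in a DER or PEM chain file as a trusted entry.
    // Returns the keystore type that accepted the entries.
    static String importChain(String chainFile, String p12Path, String jksPath, char[] pw)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> chain;
        try (FileInputStream in = new FileInputStream(chainFile)) {
            chain = cf.generateCertificates(in); // reads a DER cert or a PEM bundle
        }
        KeyStore ks = load("PKCS12", p12Path, pw);
        String type = "PKCS12", out = p12Path;
        try {
            addAll(ks, chain);
        } catch (KeyStoreException e) {
            // Older PKCS12 providers reject trusted entries ("TrustedCertEntry not supported");
            // fall back to a separate JKS truststore rather than editing the JDK-wide cacerts.
            ks = load("JKS", jksPath, pw);
            addAll(ks, chain);
            type = "JKS"; out = jksPath;
        }
        try (FileOutputStream os = new FileOutputStream(out)) {
            ks.store(os, pw);
        }
        return type;
    }
}
```

Newer JDKs accept trusted entries in PKCS12, in which case the fallback branch is never taken; either way the certificates end up in a store you control rather than in cacerts, which every application on that JDK trusts.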