Trouble using keystore in PKCS12 format

843811
Has anyone had much luck using a Java keystore in PKCS12 format? I work at a company where we use this format to store SSL certificates. Unfortunately keytool doesn't seem to work well with it. I have a certificate chain in DER format, and I am trying to import the file into our keystore.

keytool -import -alias aliasname -file vChain.cer -keystore keystore.p12 -storetype pkcs12
Enter keystore password:
...snip...
Trust this certificate? [no]: yes
keytool error: java.security.KeyStoreException: TrustedCertEntry not supported

Is it possible to import a DER or PEM certificate into a PKCS12 keystore? I have tried using openssl to convert the certificate into PKCS12 format before importing, but that doesn't work either, because it complains about not finding a private key.

Any help would be appreciated! Thanks.

Comments

  • 843811
    OK, it looks like keytool does not support storing trusted certs in a pkcs12 keystore:

    http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

    The recommendation is to "Use JKS (or JCEKS) keystore for storing trusted certificates." However, that is not an option in my situation. Does anyone have an idea for a workaround? Thanks.
  • 843811
    I worked around the problem by adding the certificates to the JDK's cacerts file, instead of trying to add them to the PKCS12 keystore. It turns out that you cannot correctly add a trusted cert to a PKCS12 keystore. You can however have the JDK trust the certificates stored in its cacerts file, which do not require public/private key pairs.

    The cacerts file is located in $JAVA_HOME/jre/lib/security.

    You can add certificates to it using keytool, for example:
    keytool -importcert -keystore cacerts -file certificate.cer -alias customername
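The workaround above edits the JDK's own cacerts, which every application on that JDK then trusts and which a JDK upgrade silently replaces. The following script, added here as an example and not part of the thread, performs the same keytool import against a private copy of cacerts instead and verifies the entry; it assumes keytool is on PATH and the default cacerts password "changeit", and it looks for cacerts under both the JDK 8 path (jre/lib/security) and the JDK 9+ path (lib/security). (On JDK 8 and later, keytool can also store trusted certificates directly in PKCS12 keystores, so the original TrustedCertEntry error no longer applies there.)

```shell
#!/bin/sh
# Added example (not from the thread): build a private copy of the JDK's
# cacerts, add a trusted certificate to it and verify the entry, without
# modifying the JDK's own file. Assumes keytool on PATH and the JDK default
# cacerts password "changeit" (an assumption; adjust if yours differs).
set -eu

# Locate the JDK's cacerts: JDK 8 keeps it under jre/lib/security,
# JDK 9 and later under lib/security.
find_cacerts() {
  jhome="${JAVA_HOME:-$(dirname "$(dirname "$(command -v java)")")}"
  for f in "$jhome/jre/lib/security/cacerts" "$jhome/lib/security/cacerts"; do
    [ -f "$f" ] && { printf '%s\n' "$f"; return 0; }
  done
  return 1
}

# import_trusted_cert CERT_FILE ALIAS DEST_STORE
# Copies the JDK cacerts to DEST_STORE (if it does not exist yet), imports
# CERT_FILE (DER or PEM) as a trusted entry and checks that the alias is
# now listed as a trustedCertEntry. Returns non-zero on any failure.
import_trusted_cert() {
  cert="$1"; alias="$2"; dest="$3"
  if [ ! -f "$dest" ]; then
    cp "$(find_cacerts)" "$dest"
    chmod u+w "$dest"   # shipped cacerts is often read-only
  fi
  keytool -importcert -noprompt -keystore "$dest" -storepass changeit \
          -file "$cert" -alias "$alias" >/dev/null 2>&1
  keytool -list -keystore "$dest" -storepass changeit -alias "$alias" 2>/dev/null \
    | grep -q 'trustedCertEntry'
}

# make_test_cert OUT_FILE
# Constructs a throwaway self-signed certificate (constructed sample input,
# not a real CA) in DER form so the example runs offline.
make_test_cert() {
  tmpks="$(mktemp)"; rm -f "$tmpks"
  keytool -genkeypair -keyalg RSA -keysize 2048 -alias tmp \
          -dname 'CN=example-test' -validity 1 \
          -keystore "$tmpks" -storepass changeit -keypass changeit >/dev/null 2>&1
  keytool -exportcert -keystore "$tmpks" -storepass changeit -alias tmp \
          -file "$1" >/dev/null 2>&1
  rm -f "$tmpks"
}
```

Point an application at the copy with -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword=changeit; that limits the added trust to the applications that actually need it.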