Discussions
Categories
- 197.1K All Categories
- 2.5K Data
- 546 Big Data Appliance
- 1.9K Data Science
- 450.7K Databases
- 221.9K General Database Discussions
- 3.8K Java and JavaScript in the Database
- 31 Multilingual Engine
- 552 MySQL Community Space
- 479 NoSQL Database
- 7.9K Oracle Database Express Edition (XE)
- 3.1K ORDS, SODA & JSON in the Database
- 555 SQLcl
- 4K SQL Developer Data Modeler
- 187.2K SQL & PL/SQL
- 21.3K SQL Developer
- 296.3K Development
- 17 Developer Projects
- 139 Programming Languages
- 293K Development Tools
- 110 DevOps
- 3.1K QA/Testing
- 646.1K Java
- 28 Java Learning Subscription
- 37K Database Connectivity
- 158 Java Community Process
- 105 Java 25
- 22.1K Java APIs
- 138.2K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 19 Java Essentials
- 162 Java 8 Questions
- 86K Java Programming
- 81 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.3K Java SE
- 13.8K Java Security
- 204 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 466 LiveLabs
- 39 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.7K Other Languages
- 2.3K Chinese
- 175 Deutsche Oracle Community
- 1.1K Español
- 1.9K Japanese
- 233 Portuguese
Trouble using keystore in PKCS12 format

843811
Member Posts: 49,851
Has anyone had much luck using a Java keystore in PKCS12 format? I work at a company where we use this format to store SSL certificates. Unfortunately keytool doesn't seem to work well with it. I have a certificate chain in DER format, and I am trying to import the file into our keystore.
keytool -import -alias aliasname -file vChain.cer -keystore keystore.p12 -storetype pkcs12
Enter keystore password:
...snip...
Trust this certificate? [no]: yes
keytool error: java.security.KeyStoreException: TrustedCertEntry not supported
Is it possible to import a DER or PEM certificate into a PKCS12 keystore? I have tried using openssl to convert the certificate into PKCS12 format before importing, but that doesn't work either, because it complains about not finding a private key.
Any help would be appreciated! Thanks.
keytool -import -alias aliasname -file vChain.cer -keystore keystore.p12 -storetype pkcs12
Enter keystore password:
...snip...
Trust this certificate? [no]: yes
keytool error: java.security.KeyStoreException: TrustedCertEntry not supported
Is it possible to import a DER or PEM certificate into a PKCS12 keystore? I have tried using openssl to convert the certificate into PKCS12 format before importing, but that doesn't work either, because it complains about not finding a private key.
Any help would be appreciated! Thanks.
Comments
-
OK, it looks like keytool does not support storing trusted certs in a pkcs12 keystore:
http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html
The recommendation is to "Use JKS (or JCEKS) keystore for storing trusted certificates." However that is not an option in my situation. Does anyone have an idea for a workaround? Thanks. -
I worked around the problem by adding the certificates to the JDK's cacerts file, instead of trying to add them to the PKCS12 keystore. It turns out that you cannot correctly add a trusted cert to a PKCS12 keystore. You can however have the JDK trust the certificates stored in its cacerts file, which do not require public/private key pairs.
The cacerts file is located in $JAVA_HOME/jre/lib/security
You can add certificates to it using keytool, for example:
keytool -importcert -keystore cacerts -file certificate.cer -alias customername
This discussion has been closed.