2 Replies Latest reply on Sep 24, 2008 11:39 PM by 843811

    Trouble using keystore in PKCS12 format

    843811
      Has anyone had much luck using a Java keystore in PKCS12 format? I work at a company where we use this format to store SSL certificates. Unfortunately keytool doesn't seem to work well with it. I have a certificate chain in DER format, and I am trying to import the file into our keystore.

      keytool -import -alias aliasname -file vChain.cer -keystore keystore.p12 -storetype pkcs12
      Enter keystore password:
      ...snip...
      Trust this certificate? [no]: yes
      keytool error: java.security.KeyStoreException: TrustedCertEntry not supported

      Is it possible to import a DER or PEM certificate into a PKCS12 keystore? I have tried using openssl to convert the certificate into PKCS12 format before importing, but that doesn't work either, because it complains about not finding a private key.

      Any help would be appreciated! Thanks.
        • 1. Re: Trouble using keystore in PKCS12 format
          843811
          OK, it looks like keytool does not support storing trusted certs in a pkcs12 keystore:

          http://java.sun.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html

          The recommendation is to "Use JKS (or JCEKS) keystore for storing trusted certificates." However that is not an option in my situation. Does anyone have an idea for a workaround? Thanks.
          • 2. Re: Trouble using keystore in PKCS12 format
            843811
            I worked around the problem by adding the certificates to the JDK's cacerts file, instead of trying to add them to the PKCS12 keystore. It turns out that you cannot correctly add a trusted cert to a PKCS12 keystore. You can however have the JDK trust the certificates stored in its cacerts file, which do not require public/private key pairs.

            The cacerts file is located in $JAVA_HOME/jre/lib/security

            You can add certificates to it using keytool, for example:
            keytool -importcert -keystore cacerts -file certificate.cer -alias customername