OK, it looks like keytool does not support storing trusted certs in a pkcs12 keystore:
The recommendation is to "Use JKS (or JCEKS) keystore for storing trusted certificates." However that is not an option in my situation. Does anyone have an idea for a workaround? Thanks.
I worked around the problem by adding the certificates to the JDK's cacerts file, instead of trying to add them to the PKCS12 keystore. It turns out that you cannot correctly add a trusted cert to a PKCS12 keystore. You can, however, have the JDK trust the certificates stored in its cacerts file, which do not require public/private key pairs.
The cacerts file is located in $JAVA_HOME/jre/lib/security.
You can add certificates to it using keytool, for example:
keytool -importcert -keystore cacerts -file certificate.cer -alias customername
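A scripted form of the import in the reply above, as an added example that is not part of the original thread: it checks the certificate's SHA-256 fingerprint against a value obtained out of band before trusting it, backs up the trust store, and confirms the result is a trustedCertEntry. The function names, the `.bak` suffix and the `changeit` default store password are assumptions.

```shell
#!/bin/sh
# Added example. Function names, paths and the "changeit" default are assumptions.

# Print the SHA-256 fingerprint of a certificate file as bare upper-case hex.
cert_sha256() {
    keytool -J-Duser.language=en -printcert -file "$1" 2>/dev/null |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p' | tr -d ': ' | tr 'a-f' 'A-F'
}

# import_trusted_cert <truststore> <cert-file> <alias> <expected-sha256> [storepass]
# Returns 0 only if the certificate was imported as a trusted entry.
import_trusted_cert() {
    store=$1 cert=$2 name=$3 pass=${5:-changeit}
    want=$(printf '%s' "$4" | tr -d ': ' | tr 'a-f' 'A-F')
    have=$(cert_sha256 "$cert")

    # Pin the certificate: -noprompt below skips keytool's interactive
    # "Trust this certificate?" question, so the fingerprint is checked here.
    if [ -z "$have" ] || [ "$have" != "$want" ]; then
        echo "fingerprint mismatch for $cert, not importing" >&2
        return 1
    fi

    # Keep a backup of the trust store before changing it.
    cp -p "$store" "$store.bak" || return 1

    # keytool refuses to import if the alias already exists.
    keytool -J-Duser.language=en -importcert -noprompt -keystore "$store" \
        -storepass "$pass" -file "$cert" -alias "$name" >/dev/null 2>&1 || return 1

    # The new entry must be a certificate-only (trusted) entry.
    keytool -J-Duser.language=en -list -keystore "$store" -storepass "$pass" \
        -alias "$name" 2>/dev/null | grep -q 'trustedCertEntry'
}
```

Called as `import_trusted_cert "$JAVA_HOME/jre/lib/security/cacerts" certificate.cer customername <fingerprint>`, it changes the same file the reply describes, so every application running on that JDK will trust the imported certificate.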