JDK9 keytool Transitions Default Keystore to PKCS12
By Jim Connors 24-Oct-2017
When it comes to the JDK9 release, project jigsaw
garners nearly all the attention, sucking the air out of the room
and leaving very little oxygen for many other smaller but
interesting enhancements. One such feature addresses the universal
quest to modernize overall security and involves an improvement to
the keytool
utility. For roughly two decades, Java and keytool relied
on the JDK-specific JKS keystore type as their default store. As
specified by JEP 229,
JDK9 changes the default keystore type to PKCS12.
In practice this means that any keystore created without an explicit
-storetype (for example by keytool -genkeypair) is now written in
PKCS12 format. Existing applications that rely upon the original JKS
keystore type are not affected: JKS remains fully supported, and JDK9
adds keystore type detection so that both the JKS and the PKCS12
implementations can load a file in either format (controlled by the
keystore.type.compat property in java.security, which defaults to true).
Existing applications can therefore continue operating unmodified for
the foreseeable future.
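The following script is an added example, not code from the original post. It shows which on-disk format keytool writes when no -storetype is given, that an explicitly requested JKS store still works, that a PKCS12 file still loads when the JKS type is asked for, and how to migrate an existing JKS store to PKCS12 with -importkeystore. It assumes a JDK's keytool on PATH; the alias, distinguished name, file names and the password "changeit" are made up for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. It shows which on-disk format
# keytool writes when no -storetype is given (PKCS12 on JDK 9 and later, JKS on
# JDK 8 and earlier), that an explicitly requested JKS store still works, that a
# PKCS12 file still loads when "JKS" is asked for, and how to migrate a JKS
# store to PKCS12. Assumptions: a JDK's keytool is on PATH; the alias, DN, file
# names and the demo password "changeit" are made up for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
STOREPASS=changeit   # demo-only password

# Identify the on-disk format from the first bytes, independently of keytool:
# JKS files start with the magic 0xFEEDFEED; PKCS12 is DER and starts with
# 0x30 (an ASN.1 SEQUENCE).
file_format() {
    case "$(od -An -tx1 -N4 "$1" | tr -d ' \n')" in
        feedfeed) echo JKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

# Generate a self-signed key pair into keystore $1. Any further arguments are
# passed to keytool, e.g. "-storetype JKS"; with none, the JDK default applies,
# which is exactly what JEP 229 changed.
gen_keypair() {
    store=$1; shift
    keytool -genkeypair -alias demo -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=demo, O=Example" \
        -keystore "$store" -storepass "$STOREPASS" -keypass "$STOREPASS" \
        ${1+"$@"} >/dev/null 2>&1
}

# Convert a JKS store ($1) into a PKCS12 store ($2). -importkeystore has been
# in keytool since JDK 6, so old stores can be moved forward before JDK 9 too.
migrate_to_pkcs12() {
    keytool -importkeystore -noprompt \
        -srckeystore "$1"  -srcstoretype JKS    -srcstorepass "$STOREPASS" \
        -destkeystore "$2" -deststoretype PKCS12 -deststorepass "$STOREPASS" \
        >/dev/null 2>&1
}

# JDK 9 keystore type detection: requesting type JKS on a PKCS12 file still
# loads it (java.security: keystore.type.compat=true), so code and scripts
# that hard-code "JKS" keep working after the default changed.
loads_as_jks() {
    keytool -list -storetype JKS -keystore "$1" -storepass "$STOREPASS" \
        >/dev/null 2>&1
}

main() {
    command -v keytool >/dev/null 2>&1 || {
        echo "keytool not found on PATH; install a JDK to run this demo" >&2; return 0; }
    gen_keypair "$WORK/default.ks"
    echo "no -storetype given  -> $(file_format "$WORK/default.ks")"
    gen_keypair "$WORK/legacy.jks" -storetype JKS
    echo "-storetype JKS       -> $(file_format "$WORK/legacy.jks")"
    migrate_to_pkcs12 "$WORK/legacy.jks" "$WORK/migrated.p12"
    echo "migrated copy        -> $(file_format "$WORK/migrated.p12")"
    if loads_as_jks "$WORK/migrated.p12"; then
        echo "PKCS12 file loads when JKS is requested (compat mode)"
    fi
}
main
```

Run it with a JDK 8 keytool and the first line reports JKS; with JDK 9 or later it reports PKCS12. The magic-byte check is deliberately independent of keytool, because keytool -list reports the type you asked for rather than the format actually on disk.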
PKCS12 has a number of advantages:
- It is more extensible: the format is a published standard (RFC 7292)
rather than a JDK-private one.
- It supports stronger cryptographic algorithms. Private keys are
protected with standard password-based encryption, whereas JKS wraps
them with a weak proprietary scheme.
- It is widely adopted. It is the format in which openssl, browsers
and many certificate authorities deliver a private key together with
its certificate chain (.p12 or .pfx files).
With respect to the third point above, as mentioned
in this previous article, keytool has historically been
unable to import a private key directly: -importcert accepts only
certificates and -importkeystore accepts only keystores. A key handed
out as a separate PEM file, the usual case when a CA has issued a
certificate for a key generated elsewhere, can only be brought in by
way of external workarounds like the following:
- Use openssl to create a PKCS12 keystore containing the certificate
chain and private key. Then use keytool -importkeystore to merge that
keystore into either a new or an existing keystore.
- Platforms like Oracle WebLogic ship a
utils.ImportPrivateKey class (with a main method) in
weblogic.jar which can accomplish this task.
Unfortunately this shortcoming still exists in JDK9.
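The openssl workaround from the list above, carried out end to end, as an added example that is not code from the original post. The PEM key and certificate are generated locally only so the script runs offline; in real use they are the key you generated and the certificate the CA issued for it. The alias, file names and the password "changeit" are made up, and the script assumes openssl and a JDK's keytool on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: the openssl workaround from
# the list above carried out end to end. The PEM key and certificate are
# generated locally only so that the script runs offline; in real use they are
# the key you generated and the certificate the CA issued for it. The alias,
# file names and the demo password "changeit" are made up for this example.
# Assumes openssl and a JDK's keytool on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit   # demo-only password

# Stand-in for CA-issued material: a private key and a self-signed certificate
# as two PEM files, which is exactly what keytool cannot import directly.
make_pem_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=demo/O=Example" \
        -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
}

# Step 1: wrap key + certificate into a PKCS12 bundle. -name becomes the alias
# keytool will show. Add "-certfile chain.pem" when the CA supplies intermediates
# so the whole chain travels with the key.
bundle_pkcs12() {
    openssl pkcs12 -export -name "$1" \
        -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -out "$WORK/server.p12" -passout "pass:$PASS" >/dev/null 2>&1
}

# Step 2: merge the bundle into the application keystore $1 (created if it does
# not exist). This is the one route by which keytool accepts a private key: it
# has to arrive inside a keystore. No -deststoretype is given, so on JDK 9 the
# destination is PKCS12; add "-deststoretype JKS" for a legacy store.
import_into_keystore() {
    keytool -importkeystore -noprompt \
        -srckeystore "$WORK/server.p12" -srcstoretype PKCS12 -srcstorepass "$PASS" \
        -destkeystore "$1" -deststorepass "$PASS" >/dev/null 2>&1
}

# Step 3: verify. The alias must be a PrivateKeyEntry (key + chain); a
# trustedCertEntry would mean only the certificate made it in.
entry_type() {
    out=$(keytool -list -keystore "$1" -storepass "$PASS" -alias "$2" 2>/dev/null || true)
    case "$out" in
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  echo NONE ;;
    esac
}

main() {
    if ! command -v openssl >/dev/null 2>&1 || ! command -v keytool >/dev/null 2>&1; then
        echo "needs openssl and keytool on PATH" >&2; return 0
    fi
    make_pem_material
    bundle_pkcs12 server
    import_into_keystore "$WORK/app.ks"
    echo "alias server in app.ks is a $(entry_type "$WORK/app.ks" server)"
}
main
```

One caveat when the destination will be read by an older JDK: OpenSSL 3 encrypts PKCS12 bundles with PBES2/AES by default, which old PKCS12 readers do not understand, and its -legacy option to openssl pkcs12 -export selects the older algorithms instead.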
However, a request for enhancement was recently filed
and can be found here:
keytool should be able to import
private keys: https://bugs.openjdk.java.net/browse/JDK-8189321
Perhaps enough folks can weigh in and vote, increasing its
priority.