PKI Certificate Tutorials - Herong's Tutorial Examples - v1.10, by Herong Yang
"keytool -storetype pkcs12" - Limitations and Errors
This section provides tutorial examples showing limitations and errors of the 'keytool -storetype pkcs12' command.
The following examples show you some limitations and errors of the "keytool -storetype pkcs12" command.
1. The "keytool -genkeypair" command requires that the bundle (store) encryption password match the private key encryption password in the bundle.
herong$ keytool -genkeypair -keyalg ec -keypass KeySecret \
  -keystore bundle-jdk-2.p12 -storetype pkcs12 -storepass TopSecret
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
What is your first and last name?
  [Unknown]:  Herong Yang
...
2. "keytool -list" command is able to open PKCS12 bundles created by "openssl pkcs12" commands.
herong$ keytool -list -keystore hy-cert-bundle.p12 \
  -storepass TopSecret
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, Nov 24, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): C4:85:30:D1:65:F1:BD:23:A9:3C:...
3. "keytool -list" command is only able to read a single certificate (the one that matches the key pair) from a PKCS12 bundle created by "openssl pkcs12" commands.
herong$ keytool -list -keystore hy-cert-bundle-2.p12 \
  -storetype pkcs12 -storepass TopSecret
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

1, Nov 24, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 1E:EF:09:87:32:43:F8:40:43:...

# But the bundle contains 3 certificates
herong$ openssl pkcs12 -info -in hy-cert-bundle-2.p12 \
  -passin pass:TopSecret -noout
MAC Iteration 2048
MAC verified OK
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
Certificate bag
Certificate bag
Certificate bag
PKCS7 Data
Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
Conclusion: "keytool" and "openssl" can both create PKCS12 bundle files, but they use different inner structures to store additional certificates. So they are compatible if and only if the bundle holds only a single certificate and its matching key pair. The bundle encryption password must also match the key pair encryption password.
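The following script is an added example, not part of the tutorial: it builds a PKCS12 bundle with "openssl pkcs12 -export" that carries one key pair plus two extra certificates, then counts the bags the way "openssl pkcs12 -info" reports them, which is the check to run before handing a bundle to a Java consumer that would list only 1 entry. The file names, subjects and the password are constructed sample values; openssl writes the -info report to stderr, hence the 2>&1.

```shell
#!/bin/sh
# Added example (not from the tutorial): create a PKCS12 bundle holding one
# key pair, its certificate and two unrelated certificates, then count the
# "Certificate bag" and "Shrouded Keybag" entries that openssl reports.
# "keytool -list" shows only the PrivateKeyEntry for such a bundle, so a
# cert-bag count above 1 means certificates that keytool will not surface.
set -e

PASS=TopSecret   # constructed sample password

# Write a self-signed EC certificate and key: $1 = dir, $2 = base name, $3 = CN.
make_self_signed() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$3" -days 1 >/dev/null 2>&1
}

# Build the demo bundle (leaf key pair + two extra certs) and print its path.
build_demo_bundle() {
  dir=$(mktemp -d)
  make_self_signed "$dir" leaf "Constructed Leaf"
  make_self_signed "$dir" extra1 "Constructed Extra 1"
  make_self_signed "$dir" extra2 "Constructed Extra 2"
  cat "$dir/extra1.crt" "$dir/extra2.crt" > "$dir/extra.pem"
  openssl pkcs12 -export -inkey "$dir/leaf.key" -in "$dir/leaf.crt" \
    -certfile "$dir/extra.pem" -name 1 -out "$dir/bundle.p12" \
    -passout "pass:$PASS" >/dev/null 2>&1
  echo "$dir/bundle.p12"
}

# Number of certificates stored in the bundle: $1 = bundle path, $2 = password.
count_cert_bags() {
  openssl pkcs12 -info -in "$1" -passin "pass:$2" -noout 2>&1 \
    | grep -c 'Certificate bag'
}

# Number of encrypted private keys, i.e. the entries keytool -list would show.
count_key_bags() {
  openssl pkcs12 -info -in "$1" -passin "pass:$2" -noout 2>&1 \
    | grep -c 'Shrouded Keybag'
}

BUNDLE=$(build_demo_bundle)
echo "certificate bags: $(count_cert_bags "$BUNDLE" "$PASS")"   # 3
echo "shrouded key bags: $(count_key_bags "$BUNDLE" "$PASS")"   # 1
```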