"keytool -storetype pkcs12" - Limitations and Errors

This section provides tutorial examples showing limitations and errors of the 'keytool -storetype pkcs12' command.

The following examples show you some limitations and errors of the "keytool -storetype pkcs12" command.

1. The "keytool -genkeypair" command requires that the bundle (store) encryption password match the private-key encryption password inside the bundle; a different "-keypass" value is ignored with a warning.

herong$ keytool -genkeypair -keyalg ec -keypass KeySecret \
  -keystore bundle-jdk-2.p12 -storetype pkcs12 -storepass TopSecret

Warning:  Different store and key passwords not supported 
  for PKCS12 KeyStores. Ignoring user-specified -keypass value.

What is your first and last name?
  [Unknown]:  Herong Yang
...

2. "keytool -list" command is able to open PKCS12 bundles created by "openssl pkcs12" commands.

herong$ keytool -list -keystore hy-cert-bundle.p12 \
  -storepass TopSecret

Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry

1, Nov 24, 2024, PrivateKeyEntry, 
Certificate fingerprint (SHA-256): C4:85:30:D1:65:F1:BD:23:A9:3C:...

3. The "keytool -list" command reads only a single certificate (the one matching the key pair) from a PKCS12 bundle created by "openssl pkcs12" commands, even when the bundle holds additional certificates.

herong$ keytool -list -keystore hy-cert-bundle-2.p12 \
  -storetype pkcs12 -storepass TopSecret

  Keystore type: PKCS12
  Keystore provider: SunJSSE
  Your keystore contains 1 entry

  1, Nov 24, 2024, PrivateKeyEntry, 
  Certificate fingerprint (SHA-256): 1E:EF:09:87:32:43:F8:40:43:...

# But the bundle contains 3 certificates
herong$ openssl pkcs12 -info -in hy-cert-bundle-2.p12 \
  -passin pass:TopSecret -noout

  MAC Iteration 2048
  MAC verified OK
  PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048
  Certificate bag
  Certificate bag
  Certificate bag
  PKCS7 Data
  Shrouded Keybag: pbeWithSHA1And3-KeyTripleDES-CBC, Iteration 2048
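
To see more than the one line per entry that "keytool -list" prints, the following Java program (an added example, not part of this tutorial or of the JDK's keytool) loads a PKCS12 bundle through the standard java.security.KeyStore API and prints every entry, the length of each private-key entry's certificate chain, and the subject/issuer of each certificate. Running it against a bundle made by "openssl pkcs12 -export" with extra certificates shows whether those certificates were attached to the key entry's chain, kept as separate trusted-certificate entries, or not retained at all. The class name, the command-line arguments and the file names are assumptions for this example; the bundle password is reused as the key password, which is the only combination the SunJSSE PKCS12 implementation accepts (example 1 above).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Inspects a PKCS12 bundle entry by entry (hypothetical helper, not part of the JDK). */
public class Pkcs12Inspect {

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            // Example invocation: java Pkcs12Inspect hy-cert-bundle-2.p12 TopSecret
            System.err.println("usage: java Pkcs12Inspect <bundle.p12> <storepass> [keypass]");
            System.exit(2);
        }
        String file = args[0];
        char[] storePass = args[1].toCharArray();
        // PKCS12 stores written by keytool use one password for the store and the key;
        // a separate key password is accepted here only so the mismatch can be observed.
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass);           // verifies the MAC with the store password
        }
        System.out.println("Keystore type: " + ks.getType()
                + ", provider: " + ks.getProvider().getName());
        System.out.println("Entries: " + ks.size());

        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                Key key;
                try {
                    key = ks.getKey(alias, keyPass);   // decrypts the shrouded key bag
                } catch (UnrecoverableKeyException e) {
                    System.out.println(alias + ": PrivateKeyEntry, key password rejected");
                    continue;
                }
                Certificate[] chain = ks.getCertificateChain(alias);
                int len = chain == null ? 0 : chain.length;
                System.out.printf("%s: PrivateKeyEntry (%s), chain length %d%n",
                        alias, key.getAlgorithm(), len);
                for (int i = 0; i < len; i++) {
                    describe("  chain[" + i + "]", chain[i]);
                }
            } else if (ks.isCertificateEntry(alias)) {
                // Certificates stored on their own, outside any key entry
                System.out.println(alias + ": trustedCertEntry");
                describe("  cert", ks.getCertificate(alias));
            }
        }
    }

    /** Prints subject and issuer so chain order and missing links are visible. */
    private static void describe(String label, Certificate cert) {
        if (cert instanceof X509Certificate) {
            X509Certificate x = (X509Certificate) cert;
            System.out.println(label + " subject=" + x.getSubjectX500Principal()
                    + " issuer=" + x.getIssuerX500Principal());
        } else {
            System.out.println(label + " type=" + cert.getType());
        }
    }
}
```

Compile with "javac Pkcs12Inspect.java" and run it against both an openssl-made and a keytool-made bundle; comparing the chain lengths and any trustedCertEntry lines with the "Certificate bag" count from "openssl pkcs12 -info" shows exactly which certificates survived the round trip between the two tools.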

Conclusion: both "keytool" and "openssl" can create PKCS12 bundle files, but they use different inner structures to store additional certificates. So the two tools are compatible if and only if the bundle holds only a single certificate and its matching key pair. The bundle encryption password must also be the same as the key pair encryption password.
