JDK9 keytool Transitions Default Keystore to PKCS12

Among Java 9's many enhancements, the keytool utility has shifted to PKCS12. See what that means for your project's security and what problems remain.

When it comes to the JDK9 release, Project Jigsaw has garnered nearly all the attention, sucking the air out of the room and leaving very little oxygen for many other smaller, but interesting enhancements. One such feature addresses the universal quest to modernize overall security and involves an improvement to the keytool utility. For approximately two decades, Java and keytool relied on the JDK-specific JKS keystore type as the default store. As specified by JEP 229, JDK9 transitions the default keystore to PKCS12.

This change means that any new keystores will be created in the PKCS12 format. It should, however, not affect existing applications that rely upon the original JKS keystore type. Backwards compatibility will be maintained, allowing existing applications to continue operating unmodified for the foreseeable future.

PKCS12 has a number of advantages:

  1. It is more extensible.
  2. It supports stronger cryptographic algorithms.
  3. It is widely adopted. PKCS12 is frequently the format provided by certificate authorities when issuing certificates.

With respect to point (3) above, as mentioned in this previous article, keytool has historically been unable to directly import a private key together with its certificate chain (for example, a key and certificates generated outside of Java), and instead must rely on external workarounds like the following:

  • Use openssl to create a PKCS12 keystore containing the certificate chain and private key. Then use keytool to import this keystore into either a new or an existing, larger keystore.
  • Platforms like Oracle WebLogic contain a utils.ImportPrivateKey class (with a main method) that is included in weblogic.jar which can accomplish this task.
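Two of the points above can be made concrete with a short shell script, added here as an example and not taken from the article or from the JDK itself. `detect_keystore_type` sniffs a keystore file's leading bytes to tell a legacy JKS store (magic 0xFEEDFEED) or JCEKS store (magic 0xCECECECE) from a PKCS12 store (a DER SEQUENCE, so the first byte is 0x30), which is a quick way to confirm which format a JDK9 keytool actually produced; `import_pkcs12_bundle` is the openssl-then-keytool workaround from the first bullet written out as a function. Both function names are hypothetical, and the sample files built in `demo` are constructed byte sequences, not real keystores.

```shell
#!/bin/sh
# Added example (not from the article or the JDK); function names are hypothetical.
#
#   detect_keystore_type FILE                 - JKS / JCEKS / PKCS12 / UNKNOWN from the
#                                               file's leading bytes
#   import_pkcs12_bundle KEY CHAIN DEST ALIAS PASS
#                                             - openssl + keytool workaround for getting
#                                               an external private key and chain into a
#                                               keystore

detect_keystore_type() {
    # JKS files start with the magic 0xFEEDFEED, JCEKS with 0xCECECECE;
    # a PKCS12 file is DER, so it starts with a SEQUENCE tag (0x30).
    # This is a format sniff only, not a validation of the file's contents.
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;
        *)        echo UNKNOWN ;;
    esac
}

import_pkcs12_bundle() {
    key=$1; chain=$2; dest=$3; alias=$4; pass=$5
    if ! command -v openssl >/dev/null 2>&1 || ! command -v keytool >/dev/null 2>&1; then
        echo "openssl and keytool are both required" >&2
        return 2
    fi
    # Step 1: wrap the PEM private key and its chain in a PKCS12 file with openssl.
    openssl pkcs12 -export -inkey "$key" -in "$chain" -name "$alias" \
        -passout "pass:$pass" -out "$dest.p12" || return 1
    # Step 2: merge that PKCS12 file into the destination keystore with keytool.
    # On JDK9 a freshly created DEST defaults to PKCS12; pass -deststoretype
    # explicitly if a particular format is required.
    keytool -importkeystore -noprompt \
        -srckeystore "$dest.p12" -srcstoretype PKCS12 -srcstorepass "$pass" \
        -destkeystore "$dest" -deststorepass "$pass" || return 1
    rm -f "$dest.p12"
    # Report the keystore type keytool itself sees.
    keytool -list -keystore "$dest" -storepass "$pass" | sed -n 's/^Keystore type: //p'
}

demo() {
    # Constructed sample files: only the leading bytes matter to the sniffer.
    tmp=$(mktemp -d)
    printf '\376\355\376\355\000\000\000\002' > "$tmp/legacy.jks"   # JKS magic + version 2
    printf '\060\202\004\000\002\001\003' > "$tmp/modern.p12"       # DER SEQUENCE, PFX version 3
    printf 'not a keystore' > "$tmp/other.bin"
    for f in legacy.jks modern.p12 other.bin; do
        echo "$f: $(detect_keystore_type "$tmp/$f")"
    done
    rm -rf "$tmp"
}

demo
```

Run the script as-is to see the sniffer classify the constructed samples. To exercise the workaround, call `import_pkcs12_bundle` with a PEM private key, its PEM certificate chain, a destination keystore path, an alias and a password; it refuses to run unless both openssl and keytool are on the PATH, and afterwards prints the keystore type that keytool reports, so on JDK9 a new destination shows PKCS12 while an older JDK shows JKS.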

Unfortunately, this shortcoming still exists in JDK9. However, a request for enhancement has recently been created and can be found here:

Perhaps enough folks can weigh in and vote, increasing its priority.

Topics: java, java 9, keytool, java security

Published at DZone with permission of Jim Connors. See the original article here.
