Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12”.
Symptoms
root@5ce8824165f4:/tmp# java -version
java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)
root@5ce8824165f4:/tmp# keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB"
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
root@5ce8824165f4:/tmp# keytool -list -keystore test.keystore -storepass mystorepass
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): 1B:A0:9B:93:F5:77:C7:4B:BA:F7:6A:30:47:03:A6:29:30:23:94:72
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
jdk8
docker run -it --rm openjdk:8-jdk bash -c 'java -version && keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB" && keytool -list -keystore test.keystore -storepass mystorepass'
openjdk version "1.8.0_275"
OpenJDK Runtime Environment (build 1.8.0_275-b01)
OpenJDK 64-Bit Server VM (build 25.275-b01, mixed mode)
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): 70:FA:FB:D2:36:AB:9C:45:63:29:89:EA:6A:6A:B9:73:23:B6:64:2F
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
jdk9
docker run -it --rm openjdk:9-jdk bash -c 'java -version && keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB" && keytool -list -keystore test.keystore -storepass mystorepass'
openjdk version "9.0.4"
OpenJDK Runtime Environment (build 9.0.4+12-Debian-4)
OpenJDK 64-Bit Server VM (build 9.0.4+12-Debian-4, mixed mode)
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): E7:A9:18:4F:40:9D:67:49:E3:23:79:49:B5:D5:EF:7C:4C:8F:DA:F7:B6:D6:7F:83:D6:BA:00:24:1A:5C:2B:86
jdk10
docker run -it --rm openjdk:10-jdk bash -c 'java -version && keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB" && keytool -list -keystore test.keystore -storepass mystorepass'
openjdk version "10.0.2" 2018-07-17
OpenJDK Runtime Environment (build 10.0.2+13-Debian-2)
OpenJDK 64-Bit Server VM (build 10.0.2+13-Debian-2, mixed mode)
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 62:D1:D9:52:46:1E:18:AD:07:0E:22:35:63:18:09:E2:51:23:F7:EE:63:FF:E4:52:78:4F:9E:1C:FA:7A:2B:D1
jdk11
docker run -it --rm openjdk:11-jdk bash -c 'java -version && keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB" && keytool -list -keystore test.keystore -storepass mystorepass'
openjdk version "11.0.9.1" 2020-11-04
OpenJDK Runtime Environment 18.9 (build 11.0.9.1+1)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.9.1+1, mixed mode)
Warning: Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): FA:DC:77:FB:DE:FC:9C:93:45:03:C1:0A:77:F1:0B:5C:6A:97:D9:BF:E6:BA:32:85:E0:CE:06:34:C8:4D:87:06
Cause
From JDK 9 onward (JEP 229) the default keystore type is PKCS12; JDK 8 and earlier default to JKS. The same -genkeypair command therefore writes a JKS file on JDK 8 and a PKCS12 file on JDK 9, 10 and 11, and "keytool -list" reports whichever type it finds. The second warning seen on JDK 9+ follows from the format change: the JDK's PKCS12 keystores use one password for the store and for all of its keys, so a -keypass that differs from -storepass is ignored and the private key ends up protected by the store password. JKS is a proprietary Sun format whose private-key encryption is a home-grown SHA-1 based scheme rather than a standard algorithm, which is why recent JDK 8 updates and later print the migration warning even though JKS files still load.
Resolution
keytool's -importkeystore converts a JKS keystore to PKCS12. The command below migrates a single alias; drop -srcalias/-destalias to copy every entry. Passing the same file as -srckeystore and -destkeystore, as the warning text suggests, converts in place and keeps the original as <name>.old. Note that passwords given with -srcstorepass/-deststorepass land in shell history and in the process list; keytool also accepts them as -srcstorepass:env VAR or -srcstorepass:file PATH.
keytool -importkeystore \
-srckeystore server-trust.keystore \
-srcstoretype JKS \
-deststoretype PKCS12 \
-destkeystore server-trust.p12 \
-srcalias server-trust \
-destalias server-trust \
-srcstorepass changeit \
-deststorepass changeit \
-noprompt \
-v
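To tie the cause and the resolution together, here is an added shell example, not code from the original post, that tells the two formats apart from a file's first bytes (JKS files start with the magic 0xFEEDFEED, JCEKS with 0xCECECECE, and PKCS12 is DER, so it starts with an ASN.1 SEQUENCE tag 0x30) and wraps the keytool -importkeystore call so that it only runs against a JKS/JCEKS source, takes passwords from the environment, and verifies that the output really is PKCS12. The function and file names are my own; the sample files the demo writes are constructed and carry only the magic bytes, they are not usable keystores.

```shell
#!/bin/sh
# Added example (not from the original post).
# keystore_format: classify a keystore file by its leading bytes, no keytool needed.
# migrate_to_pkcs12: guarded wrapper around "keytool -importkeystore".

keystore_format() {
    # Print JKS, JCEKS, PKCS12 or UNKNOWN for the file in $1.
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case "$magic" in
        feedfeed) echo JKS ;;
        cececece) echo JCEKS ;;
        30*)      echo PKCS12 ;;   # any DER SEQUENCE; enough to separate it from JKS/JCEKS
        *)        echo UNKNOWN ;;
    esac
}

migrate_to_pkcs12() {
    # Usage: export SRC_PASS DEST_PASS; migrate_to_pkcs12 src.keystore dest.p12
    # Passwords are handed to keytool with its :env form instead of on the
    # command line, so they do not show up in `ps` output or shell history.
    src=$1; dest=$2
    srctype=$(keystore_format "$src")
    case "$srctype" in
        JKS|JCEKS) ;;
        PKCS12) echo "$src is already PKCS12, nothing to do" >&2; return 0 ;;
        *) echo "$src is not a JKS/JCEKS keystore ($srctype)" >&2; return 1 ;;
    esac
    [ -n "${SRC_PASS:-}" ] && [ -n "${DEST_PASS:-}" ] \
        || { echo "set SRC_PASS and DEST_PASS in the environment" >&2; return 1; }
    export SRC_PASS DEST_PASS
    # -srcstoretype is taken from the bytes, not guessed from the file name.
    keytool -importkeystore \
        -srckeystore "$src" -srcstoretype "$srctype" -srcstorepass:env SRC_PASS \
        -destkeystore "$dest" -deststoretype PKCS12 -deststorepass:env DEST_PASS \
        -noprompt || return 1
    # PKCS12 uses a single password for store and keys (hence keytool's -keypass
    # warning); confirm the file on disk really is PKCS12 before anything relies on it.
    [ "$(keystore_format "$dest")" = PKCS12 ] \
        || { echo "migration produced a non-PKCS12 file: $dest" >&2; return 1; }
    echo "migrated $src ($srctype) -> $dest (PKCS12)"
}

# Demo on constructed files (this part needs no keytool).
demo=$(mktemp -d)
printf '\376\355\376\355\001' > "$demo/legacy.keystore"      # JKS magic
printf '\316\316\316\316\001' > "$demo/jce.keystore"         # JCEKS magic
printf '\060\202\004\001'     > "$demo/modern.keystore"      # DER SEQUENCE, long-form length
printf 'not a keystore'       > "$demo/junk.keystore"
for f in "$demo"/*.keystore; do
    printf '%-24s %s\n' "$(basename "$f")" "$(keystore_format "$f")"
done
rm -rf "$demo"
# Real migration, with keytool on PATH:
#   export SRC_PASS=mystorepass DEST_PASS=mystorepass
#   migrate_to_pkcs12 test.keystore test.p12
```

Running keystore_format against the test.keystore files produced in the Symptoms section shows the difference directly: the JDK 8 file reports JKS, the JDK 9/10/11 files report PKCS12, whatever the file extension says.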
The JDK's default keystore.type
docker run -it --rm openjdk:8-jdk bash
root@7ddca7c491bf:/# java -version
openjdk version "1.8.0_302"
OpenJDK Runtime Environment (build 1.8.0_302-b08)
OpenJDK 64-Bit Server VM (build 25.302-b08, mixed mode)
root@7ddca7c491bf:/# cat ${JAVA_HOME}/jre/lib/security/java.security |grep -i 'keystore'
# Default keystore type.
keystore.type=jks
# Controls compatibility mode for the JKS keystore type.
# When set to 'true', the JKS keystore type supports loading
# keystore files in either JKS or PKCS12 format. When set to 'false'
# it supports loading only JKS keystore files.
keystore.type.compat=true
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# This filter, if configured, is used by the JCEKS KeyStore during the
docker run -it --rm adoptopenjdk/openjdk11:jdk-11.0.11_9-debian bash
cat ${JAVA_HOME}/conf/security/java.security |grep keystore
# Default keystore type.
keystore.type=pkcs12
# Controls compatibility mode for JKS and PKCS12 keystore types.
# When set to 'true', both JKS and PKCS12 keystore types support loading
# keystore files in either JKS or PKCS12 format. When set to 'false' the
# JKS keystore type supports loading only JKS keystore files and the PKCS12
# keystore type supports loading only PKCS12 keystore files.
keystore.type.compat=true
# trust anchor in the lib/security/cacerts keystore. If the jdkCA
# keystores. Values in the range 10000 to 5000000 are considered valid.
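The two sessions above grep java.security at a hard-coded path, which moves between JDK 8 (jre/lib/security) and JDK 9+ (conf/security). The script below, added here and not part of the original post, resolves the right file for a given JAVA_HOME and reports the effective keystore.type and keystore.type.compat values, honouring the Java properties rule that the last uncommented assignment of a key wins. The function names are mine; the two miniature JDK trees it builds for the demo are constructed and contain only the property lines shown in the sessions above.

```shell
#!/bin/sh
# Added example (not from the original post): read the JDK's default
# keystore type from java.security for either directory layout.

java_security_path() {
    # Print the java.security path for the JDK root in $1 (JDK 9+ layout
    # first, then the JDK 8 layout); fail if neither exists.
    for rel in conf/security/java.security jre/lib/security/java.security; do
        if [ -f "$1/$rel" ]; then
            printf '%s\n' "$1/$rel"
            return 0
        fi
    done
    return 1
}

security_property() {
    # Print the effective value of security property $2 under JDK root $1.
    # java.security is a Java properties file, so a later assignment of the
    # same key overrides an earlier one: take the final uncommented match.
    secfile=$(java_security_path "$1") || { echo "no java.security under $1" >&2; return 1; }
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    value=$(sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$secfile" \
            | tail -n 1 | sed 's/[[:space:]]*$//')
    [ -n "$value" ] || { echo "$2 not set in $secfile" >&2; return 1; }
    printf '%s\n' "$value"
}

default_keystore_type() {
    # keystore.type, lower-cased so "jks"/"JKS"/"PKCS12" compare cleanly.
    v=$(security_property "$1" keystore.type) || return 1
    printf '%s\n' "$v" | tr 'A-Z' 'a-z'
}

keystore_compat_enabled() {
    # keystore.type.compat: with "true" the JKS type also loads PKCS12 files
    # (and on JDK 9+ the PKCS12 type also loads JKS files).
    v=$(security_property "$1" keystore.type.compat) || return 1
    printf '%s\n' "$v" | tr 'A-Z' 'a-z'
}

# Demo on constructed JDK trees holding only the relevant lines.
demo=$(mktemp -d)
mkdir -p "$demo/jdk8/jre/lib/security" "$demo/jdk11/conf/security"
printf '# Default keystore type.\nkeystore.type=jks\nkeystore.type.compat=true\n' \
    > "$demo/jdk8/jre/lib/security/java.security"
printf '# Default keystore type.\nkeystore.type=pkcs12\nkeystore.type.compat=true\n' \
    > "$demo/jdk11/conf/security/java.security"
for j in jdk8 jdk11; do
    printf '%s: keystore.type=%s keystore.type.compat=%s\n' "$j" \
        "$(default_keystore_type "$demo/$j")" "$(keystore_compat_enabled "$demo/$j")"
done
rm -rf "$demo"
# Against a real installation: default_keystore_type "$JAVA_HOME"
# (a -Djava.security.properties=<file> override at launch is not seen here).
```

keystore.type.compat=true is why the switch in JEP 229 is mostly invisible to applications: code that still calls KeyStore.getInstance("JKS") on JDK 9+ can load the PKCS12 file a newer keytool wrote, and the PKCS12 type can still load an old JKS file. The first place it does bite is a -keypass that differs from -storepass, which PKCS12 ignores.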
ref
- https://openjdk.java.net/jeps/229