Category
devops

Recommendation: migrate the keystore type from JKS to PKCS12

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using “keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12”.

Symptoms

root@5ce8824165f4:/tmp# java -version
java version "1.8.0_201"
Java(TM) SE Runtime Environment (build 1.8.0_201-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.201-b09, mixed mode)

root@5ce8824165f4:/tmp# keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB"

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
root@5ce8824165f4:/tmp# keytool -list -keystore test.keystore -storepass mystorepass
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): 1B:A0:9B:93:F5:77:C7:4B:BA:F7:6A:30:47:03:A6:29:30:23:94:72

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".

jdk8

docker run -it --rm openjdk:8-jdk bash -c 'java -version && keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB" && keytool -list -keystore test.keystore -storepass mystorepass'
openjdk version "1.8.0_275"
OpenJDK Runtime Environment (build 1.8.0_275-b01)
OpenJDK 64-Bit Server VM (build 25.275-b01, mixed mode)

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".
Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA1): 70:FA:FB:D2:36:AB:9C:45:63:29:89:EA:6A:6A:B9:73:23:B6:64:2F

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore test.keystore -destkeystore test.keystore -deststoretype pkcs12".

jdk9

docker run -it --rm openjdk:9-jdk bash -c 'java -version && keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB" && keytool -list -keystore test.keystore -storepass mystorepass'
openjdk version "9.0.4"
OpenJDK Runtime Environment (build 9.0.4+12-Debian-4)
OpenJDK 64-Bit Server VM (build 9.0.4+12-Debian-4, mixed mode)
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): E7:A9:18:4F:40:9D:67:49:E3:23:79:49:B5:D5:EF:7C:4C:8F:DA:F7:B6:D6:7F:83:D6:BA:00:24:1A:5C:2B:86

jdk10

docker run -it --rm openjdk:10-jdk bash -c 'java -version && keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB" && keytool -list -keystore test.keystore -storepass mystorepass'
openjdk version "10.0.2" 2018-07-17
OpenJDK Runtime Environment (build 10.0.2+13-Debian-2)
OpenJDK 64-Bit Server VM (build 10.0.2+13-Debian-2, mixed mode)
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 62:D1:D9:52:46:1E:18:AD:07:0E:22:35:63:18:09:E2:51:23:F7:EE:63:FF:E4:52:78:4F:9E:1C:FA:7A:2B:D1

jdk11

docker run -it --rm openjdk:11-jdk bash -c 'java -version && keytool -genkeypair -alias "test" -keyalg "RSA" -keystore "test.keystore" -validity 5000 -keypass mykeypass -storepass mystorepass -dname "CN=mqttserver.ibm.com, OU=ID, O=IBM, L=Hursley, S=Hants, C=GB" && keytool -list -keystore test.keystore -storepass mystorepass'
openjdk version "11.0.9.1" 2020-11-04
OpenJDK Runtime Environment 18.9 (build 11.0.9.1+1)
OpenJDK 64-Bit Server VM 18.9 (build 11.0.9.1+1, mixed mode)
Warning:  Different store and key passwords not supported for PKCS12 KeyStores. Ignoring user-specified -keypass value.
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

test, Jan 1, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): FA:DC:77:FB:DE:FC:9C:93:45:03:C1:0A:77:F1:0B:5C:6A:97:D9:BF:E6:BA:32:85:E0:CE:06:34:C8:4D:87:06

Cause

Starting with JDK 9 (JEP 229, "Create PKCS12 Keystores by Default"), keytool and KeyStore.getDefaultType() default to PKCS12; JDK 8 and earlier default to JKS. That is why the identical -genkeypair command produces a JKS file (and the migration warning) on JDK 8 but a PKCS12 file on JDK 9, 10 and 11. The second difference in the output follows from the first: keytool does not support separate store and key passwords for PKCS12 keystores, so the -keypass value is ignored with a warning. (The SHA-256 instead of SHA1 fingerprint is a keytool output change in JDK 9, unrelated to the store type.) To get the same result on every JDK, pass -storetype explicitly (for example -storetype PKCS12) instead of relying on the default.

Resolution

keytool can convert a JKS keystore to PKCS12 with -importkeystore. Using the same file as -srckeystore and -destkeystore, as the warning suggests, migrates in place and keeps the original as <name>.old; the form below writes a separate .p12 file instead. With -srcalias/-destalias only that one entry is copied; omit both to migrate every entry. The command:

keytool -importkeystore \
-srckeystore server-trust.keystore \
-srcstoretype JKS \
-deststoretype PKCS12 \
-destkeystore server-trust.p12 \
-srcalias server-trust \
-destalias server-trust \
-srcstorepass changeit \
-deststorepass changeit \
-noprompt \
-v

Default keystore.type in java.security

docker run -it --rm openjdk:8-jdk bash

root@7ddca7c491bf:/# java -version
openjdk version "1.8.0_302"
OpenJDK Runtime Environment (build 1.8.0_302-b08)
OpenJDK 64-Bit Server VM (build 25.302-b08, mixed mode)


root@7ddca7c491bf:/# cat ${JAVA_HOME}/jre/lib/security/java.security  |grep -i 'keystore'


# Default keystore type.
keystore.type=jks
# Controls compatibility mode for the JKS keystore type.
# When set to 'true', the JKS keystore type supports loading
# keystore files in either JKS or PKCS12 format. When set to 'false'
# it supports loading only JKS keystore files.
keystore.type.compat=true
#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
# This filter, if configured, is used by the JCEKS KeyStore during the

docker run -it --rm adoptopenjdk/openjdk11:jdk-11.0.11_9-debian bash

cat ${JAVA_HOME}/conf/security/java.security  |grep keystore

# Default keystore type.
keystore.type=pkcs12
# Controls compatibility mode for JKS and PKCS12 keystore types.
# When set to 'true', both JKS and PKCS12 keystore types support loading
# keystore files in either JKS or PKCS12 format. When set to 'false' the
# JKS keystore type supports loading only JKS keystore files and the PKCS12
# keystore type supports loading only PKCS12 keystore files.
keystore.type.compat=true
#       trust anchor in the lib/security/cacerts keystore.  If the jdkCA
# keystores. Values in the range 10000 to 5000000 are considered valid.
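
Because keystore.type.compat=true lets the JKS and PKCS12 engines load either file format, the type an application or keytool was asked for is not proof of what is on disk. The added shell example below (not part of the original page or of the JDK) classifies a keystore file from its first bytes, which is a useful check both before and after running the -importkeystore migration above. The magic values it relies on are the JKS format (FE ED FE ED, then a 4-byte version of 1 or 2, then a 4-byte entry count), the JCEKS variant (CE CE CE CE, same layout) and the DER header of a PKCS12 PFX (SEQUENCE, then INTEGER version 3). The sample files it writes to a temporary directory are constructed inline for demonstration and are not real keystores.

```shell
#!/bin/sh
# Added example (not from the original page): sniff the on-disk format of a
# Java keystore instead of trusting "Keystore type:" from keytool -list.
#
#   JKS    : FE ED FE ED | version (00000001|00000002) | entry count | ...
#   JCEKS  : CE CE CE CE | version (00000001|00000002) | entry count | ...
#   PKCS12 : 30 <len> 02 01 03 ...   (PFX ::= SEQUENCE { version INTEGER(3), ... })

# Print jks, jceks, pkcs12 or unknown for the file given as $1.
keystore_format() {
    # first 16 bytes as a single lower-case hex string
    hex=$(od -An -tx1 -N 16 "$1" 2>/dev/null | tr -d ' \n')
    case "$hex" in
        feedfeed00000001*|feedfeed00000002*) echo jks ;;
        cececece00000001*|cececece00000002*) echo jceks ;;
        # DER SEQUENCE with short or long-form length, then INTEGER 3
        30??020103*|3081??020103*|3082????020103*|3083??????020103*|3084????????020103*)
            echo pkcs12 ;;
        *) echo unknown ;;
    esac
}

# Entry count stored in a JKS/JCEKS header: bytes 8..11, big-endian.
jks_entry_count() {
    cnt=$(od -An -tx1 -j 8 -N 4 "$1" 2>/dev/null | tr -d ' \n')
    echo $((0x${cnt:-0}))
}

# Exit 0 only if $1 is a PKCS12 file; handy as a post-migration check:
#   keytool -importkeystore ... -destkeystore server-trust.p12 -deststoretype PKCS12
#   is_pkcs12 server-trust.p12 || echo "migration did not produce PKCS12"
is_pkcs12() {
    [ "$(keystore_format "$1")" = pkcs12 ]
}

# Demonstration on constructed sample headers (not real keystores).
demo_keystore_sniff() {
    tmp=$(mktemp -d)
    printf '\376\355\376\355\000\000\000\002\000\000\000\001' > "$tmp/a.jks"
    printf '\316\316\316\316\000\000\000\002\000\000\000\003' > "$tmp/b.jceks"
    printf '\060\202\011\036\002\001\003' > "$tmp/c.p12"
    printf 'not a keystore' > "$tmp/d.txt"
    for f in "$tmp/a.jks" "$tmp/b.jceks" "$tmp/c.p12" "$tmp/d.txt"; do
        echo "$(basename "$f"): $(keystore_format "$f")"
    done
    rm -rf "$tmp"
}

demo_keystore_sniff
```

On a real system the same functions can be pointed at the file keytool wrote (for example `keystore_format test.keystore` after the JDK 8 and JDK 9 runs above) to see the format difference directly, independent of which JDK later opens the file.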


ref

  • https://openjdk.java.net/jeps/229