
Creating PKCS12 file to use as java trust store

I am trying to create a PKCS12 file containing only a certificate (no private keys). I am using the following command:

openssl pkcs12 -export -in ca.crt -out server-ca.pfx -name server-ca -nokeys

I can successfully use this pkcs12 file with curl and it validates my server certificate.

If I try to use this file as a trust store in java, I get the following error:

javax.net.ssl.SSLHandshakeException, with message: sun.security.validator.ValidatorException: No trusted certificate found.

I am using this file with:

import java.io.FileInputStream
import java.security.{KeyStore, SecureRandom}
import javax.net.ssl.{SSLContext, TrustManagerFactory}

val trustInput = new FileInputStream(".../server-ca.pfx")
val trustKeyStore = KeyStore.getInstance("PKCS12")
trustKeyStore.load(trustInput, "123456".toCharArray())
trustInput.close()

val trustFactory = TrustManagerFactory.getInstance("SunX509")
trustFactory.init(trustKeyStore)

val context = SSLContext.getInstance("TLS")
context.init(null, trustFactory.getTrustManagers, new SecureRandom())

However, if I create a JKS keystore containing the ca.crt file and then convert it to a pkcs12 file, my java application validates the server certificate properly, using the same code.

keytool -importkeystore -srckeystore server-ca.jks -destkeystore from-jks.pfx -srcstoretype JKS -deststoretype PKCS12

What openssl command do I need to use to create a pkcs12 file containing a single certificate that the JVM accepts as a valid trust store?

I could not solve this using the Sun security provider. Since I am using Bouncy Castle already, I initialized the trust store using the BC provider and now everything works properly.

val trustKeyStore = KeyStore.getInstance("PKCS12", "BC")
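Two things a practitioner would want alongside the question and the answer above: a check that shows what the default PKCS12 provider actually sees in a given .pfx (a store with no trusted certificate entries is consistent with the "No trusted certificate found" error), and a way to produce a certificate-only PKCS12 trust store with the JDK itself, the programmatic equivalent of the keytool route that the question reports as working. This is an added example, not code from the original post or either answer; the file names, alias and password are assumed from the question, and it assumes Scala 2.13 for scala.util.Using.

```scala
import java.io.{FileInputStream, FileOutputStream}
import java.security.KeyStore
import java.security.cert.{CertificateFactory, X509Certificate}
import scala.jdk.CollectionConverters._
import scala.util.Using

object TrustStoreCheck {
  // Enumerate the entries the default PKCS12 provider exposes for a store.
  // If no alias is a trusted certificate entry, the SunX509 trust manager
  // built from it has no anchors and will reject every peer certificate.
  def describe(path: String, password: Array[Char]): Map[String, String] = {
    val ks = KeyStore.getInstance("PKCS12")
    Using.resource(new FileInputStream(path))(in => ks.load(in, password))
    ks.aliases().asScala.map { alias =>
      val kind =
        if (ks.isCertificateEntry(alias)) "trustedCertEntry"
        else if (ks.isKeyEntry(alias)) "keyEntry"
        else "unknown"
      alias -> kind
    }.toMap
  }

  // Build a certificate-only PKCS12 store through the JDK's own provider
  // (what keytool -importcert does), so the entry is written in the form
  // that provider recognises as a trusted certificate when it reads it back.
  def writeTrustStore(pemPath: String, outPath: String, alias: String, password: Array[Char]): Unit = {
    val cf = CertificateFactory.getInstance("X.509")
    val cert = Using.resource(new FileInputStream(pemPath)) { in =>
      cf.generateCertificate(in).asInstanceOf[X509Certificate]
    }
    val ks = KeyStore.getInstance("PKCS12")
    ks.load(null, null) // initialise an empty store
    ks.setCertificateEntry(alias, cert)
    Using.resource(new FileOutputStream(outPath))(out => ks.store(out, password))
  }

  def main(args: Array[String]): Unit = {
    val password = "123456".toCharArray // assumed, as in the question
    // Assumed paths: ca.crt and server-ca.pfx are the files from the question.
    writeTrustStore("ca.crt", "server-ca-jdk.pfx", "server-ca", password)
    for (path <- Seq("server-ca.pfx", "server-ca-jdk.pfx")) {
      val entries = describe(path, password)
      println(s"$path: ${entries.size} entries")
      entries.foreach { case (a, k) => println(s"  $a -> $k") }
      if (!entries.values.exists(_ == "trustedCertEntry"))
        println("  no trusted certificate entries: a trust manager from this store has no anchors")
    }
  }
}
```

Comparing the two listings side by side tells you whether the openssl-produced file is being parsed but exposes no trusted entries, or whether it fails to load at all, which narrows the problem before switching providers.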
