I am trying to create a PKCS12 file containing only a certificate (no private keys). I am using the following command:
openssl pkcs12 -export -in ca.crt -out server-ca.pfx -name server-ca -nokeys
I can successfully use this pkcs12 file with curl and it validates my server certificate.
If I try to use this file as a trust store in java, I get the following error:
javax.net.ssl.SSLHandshakeException, with message: sun.security.validator.ValidatorException: No trusted certificate found.
I am using this file with:
val trustInput = new FileInputStream(".../server-ca.pfx")
val trustKeyStore = KeyStore.getInstance("PKCS12")
trustKeyStore.load(trustInput, "123456".toCharArray())
trustInput.close()
val trustFactory = TrustManagerFactory.getInstance("SunX509")
trustFactory.init(trustKeyStore)
val context = SSLContext.getInstance("TLS")
context.init(null, trustFactory.getTrustManagers, new SecureRandom())
However, if I create a JKS keystore containing the ca.crt file and then convert it to a pkcs12 file, my java application validates the server certificate properly, using the same code.
keytool -importkeystore -srckeystore server-ca.jks -destkeystore from-jks.pfx -srcstoretype JKS -deststoretype PKCS12
What openssl command do I need to use to create a pkcs12 file containing a single certificate that jvm accepts as a valid trust store?
I could not solve this using the sun security provider. Since I am using bouncy castle already, I initialized the trust store using the BC provider and now everything works properly.
val trustKeyStore = KeyStore.getInstance("PKCS12", "BC")
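An added diagnostic, not code from the question or the answer, written in Java rather than the question's Scala: it loads the .pfx through the JVM's KeyStore API and lists which entries a TrustManagerFactory would actually use as trust anchors, so an empty store can be told apart from a handshake problem, and it takes an optional provider name so the default provider and the BC provider from the answer can be compared on the same file. The class name and default file path are placeholders; the password is the one from the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Lists the entries of a PKCS12 file that a TrustManagerFactory would use as
// trust anchors. Class name and default file path are placeholders.
public final class TrustStoreCheck {
    // Load with the default provider (provider == null) or a named one such as
    // "BC", the provider the answer switches to.
    static KeyStore load(String path, char[] pw, String provider) throws Exception {
        KeyStore ks = provider == null ? KeyStore.getInstance("PKCS12")
                                       : KeyStore.getInstance("PKCS12", provider);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pw); }
        return ks;
    }

    // Mirror what the SunX509 factory collects: trusted-certificate entries,
    // plus the first certificate of each key entry's chain.
    static List<X509Certificate> trustAnchors(KeyStore ks) throws Exception {
        List<X509Certificate> anchors = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = null;
            if (ks.isCertificateEntry(alias)) {
                c = ks.getCertificate(alias);
            } else if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain != null && chain.length > 0) c = chain[0];
            }
            if (c instanceof X509Certificate) anchors.add((X509Certificate) c);
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "server-ca.pfx"; // placeholder
        String provider = args.length > 1 ? args[1] : null;        // e.g. "BC"
        KeyStore ks = load(path, "123456".toCharArray(), provider); // password from the question
        List<X509Certificate> anchors = trustAnchors(ks);
        for (X509Certificate c : anchors) System.out.println("anchor: " + c.getSubjectX500Principal());
        if (anchors.isEmpty()) { // loaded fine, but a TrustManager built from it rejects every peer
            System.err.println("no usable trust anchors in " + path);
            System.exit(1);
        }
    }
}
```

Run it once with the default provider and once with `BC` as the second argument; a file that curl accepts but that yields no anchors under the default provider is exactly the "No trusted certificate found" case.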