Transitioning the default keystore format to PKCS#12

Weijun Wang at
Wed Oct 31 19:08:28 PDT 2012

A little off topic:

Do we still care about the JCEKS storetype? Maybe no one stores secret 
keys in a keystore?


On 11/01/2012 12:55 AM, Vincent Ryan wrote:
> Before considering migrating the platform default keystore format to PKCS12, its keystore implementation
> must at least match the functionality of JKS.
> I have developed a prototype of a multi-format keystore that understands both JKS and PKCS12
> formats - it checks for the JKS magic number to determine the format. By supporting both formats,
> existing applications that access keystores using the platform default keystore format continue to
> function as expected.
> In addition, storing trusted certs in PKCS12 is now supported. I've selected the X.509
> extendedKeyUsage attribute to explicitly denote that a certificate is trusted - its default value is
> trusted-for-any-purpose. This well-known attribute is stored with the certificate in a PKCS12
> certBag.
> Webrev:
> Please send me any comments.
> Thanks.
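
The magic-number check mentioned in the quoted message, sketched as an added example; this is not Vincent Ryan's prototype or JDK code, and the class and method names (`KeystoreFormatSniffer`, `detect`, `emptyStore`) are hypothetical. It also recognizes the JCEKS header raised in the reply, and treats a leading DER SEQUENCE byte as PKCS12, which is a heuristic assumption rather than a full parse.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;

public class KeystoreFormatSniffer {
    static final int JKS_MAGIC = 0xFEEDFEED;    // Sun JKS header
    static final int JCEKS_MAGIC = 0xCECECECE;  // SunJCE JCEKS header
    static final int DER_SEQUENCE = 0x30;       // first byte of a DER-encoded PKCS#12 PFX
    /** Peeks at the first four bytes and rewinds, so the real loader still sees the whole stream. */
    static String detect(InputStream in) throws IOException {
        if (!in.markSupported()) {
            throw new IllegalArgumentException("wrap the stream in a BufferedInputStream first");
        }
        in.mark(4);
        try {
            int magic = new DataInputStream(in).readInt();  // big-endian; EOFException if < 4 bytes
            if (magic == JKS_MAGIC) return "JKS";
            if (magic == JCEKS_MAGIC) return "JCEKS";
            // Heuristic only: any DER SEQUENCE starts with 0x30; KeyStore.load() does the real parse.
            if ((magic >>> 24) == DER_SEQUENCE) return "PKCS12";
            throw new IOException("unrecognized keystore format");
        } finally {
            in.reset();
        }
    }

    // Constructed sample input: an empty keystore of the given type, serialized in memory.
    static byte[] emptyStore(String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();  // sample password for the constructed stores
        for (String type : new String[] {"JKS", "JCEKS", "PKCS12"}) {
            InputStream in = new ByteArrayInputStream(emptyStore(type, password));
            String detected = detect(in);
            KeyStore ks = KeyStore.getInstance(detected);
            ks.load(in, password);  // stream was rewound, so the load starts at byte 0
            System.out.println(type + " -> detected " + detected + ", entries=" + ks.size());
        }
    }
}
```

The header only selects a parser; integrity still depends on the password-based check performed inside `KeyStore.load()`.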

More information about the security-dev mailing list