Reading a pkcs12 keystore always need storepass
Vincent Ryan
vincent.x.ryan at oracle.com
Fri Mar 6 15:07:42 UTC 2015
Yes, cacerts is still in the JKS format but that might change given the additional features and
extensibility offered by PKCS12 keystores.
Also, since the cacerts keystore contains only root CA certs, its certs could be handled differently.
For example, the certs could be stored unencrypted and/or separately from the regular certs.
This would allow passwordless access but at the cost of interoperability.
On 6 Mar 2015, at 14:00, Wang Weijun <weijun.wang at oracle.com> wrote:
>
>> On 6 Mar 2015, at 19:49, Vincent Ryan <vincent.x.ryan at oracle.com> wrote:
>>
>> If it helps then the PKCS12 implementation could be modified to use the empty password (“”)
>> when a null password is supplied.
>
> I'm not suggesting this. It's just that the behavior change might break some existing code. When I try to export a cert, I never provide any password.
>
> Also, cacerts is still in JKS now, right? Are we going to make it pkcs12? And if so what will the password be?
>
> --Max