Java Bug : Mutual HTTPS authentication not possible with a non-extractable private key with Apple/KeychainStore

Jean-Yves Cronier cronier.jy at
Sat May 1 12:19:53 UTC 2021

I have imported my personal certificate in macOS keychain with "non-extractable" option (cf. <>).
Private key is now protected, and we can't export private key from macOS KeyChain
But I am unable to establish connexion with a web-API which require client certificate for mutual authentication with Java
It work perfectly well with curl/git, and browsers (safari/chrome)
 <>System / OS / Java Runtime Information
openjdk 11.0.11
macOS 11.3
 <>Reproducing the Issue
 <>Steps to Reproduce
1. Add personal certificate with "non-extractable" option. Example with a personal certificate sent to me in a P12 file named "my-certificate.p12", with following command-line:
security import my-certificate.p12 -x -P « my-strong-password"
2. Connect a site require mutual authentication (for example : <> )
 <>Expected Result
Display content detail of selected client certificate
 <>Actual Result
Error: No TLS client certificate presented 
 <>Source code for an executable test case

public class MutualAuthenticationTest {
	public static void main(String[] args) throws IOException {
		System.setProperty("", "KeychainStore");
		System.setProperty("", "NONE");
		System.setProperty("", "-");
		testUrl(new URL(""));

	public static void testUrl(URL targetUrl) throws IOException {
		HttpsURLConnection con = (HttpsURLConnection) targetUrl.openConnection();
		// Open the connection

		assert con.getLocalCertificates() != null && con.getLocalCertificates().length > 0 : "Must use a personnel certificate for mutual authentication";
		X509Certificate personalCertificate = (X509Certificate) con.getLocalCertificates()[0];
		assert personalCertificate.getSubjectDN() != null;
No possible workaround on MacOS which Apple/KeychainStore
NB : Perfectly work on Windows/MSCAPI with personnel certificate (with non-exportable private key option)

More information about the jdk-dev mailing list