
KeyStore API throws error : java.security.KeyStoreException: BCFIPS JKS store is read-only and only supports certificate entries


I have created a JKS trust-store for an application. (PKCS12 is not yet supported by the OpenJDK in production server)

I am trying to add a certificate to the truststore using the KeyStore API:

import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.UUID;

public void addToTrustStore(List<String> certChain) {
    String alias;
    try {
        KeyStore keyStore = loadTruststore(); // loads the JKS truststore created earlier
        for (String cert : certChain) {
            alias = UUID.randomUUID().toString();
            X509Certificate certificate = decodePEMCertificate(cert); // converts PEM format to X509Certificate
            keyStore.setCertificateEntry(alias, certificate); // throws KeyStoreException on the read-only BCFIPS JKS
            logger.debug("Added the certificate with DN: {0} to the "
                    + "truststore with the alias: {1}", certificate.getSubjectDN(), alias);
        }
    } catch (KeyStoreException e) {
        // process exception
    }
}

Can anyone help me get past this read-only nature of this JKS?

Thanks in advance.


Solution

  • Summary: Bouncycastle doesn't permit writing to JKS keystores, so we need to use a BCFKS-format keystore.

    You can use the providers:

    1. org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider, for FIPS compliance
    2. org.bouncycastle.jce.provider.BouncyCastleProvider

    The keytool commands that worked for me:

    Create keystore:

    keytool -import -file pem.cert -alias "vmware" -storepass changeit -keystore truststore.bks -deststoretype BCFKS -noprompt -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.2.jar
    

    Delete an entry:

    keytool -delete -alias boguscert -storepass changeit -keystore truststore.bks -storetype BCFKS -provider org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -providerpath bc-fips-1.0.2.jar
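The same addToTrustStore logic from the question, rewritten against a BCFKS store opened through the BouncyCastleFipsProvider, as an added example that is not code from the question or the answer. It assumes the bc-fips-1.0.2.jar named in the answer is on the classpath; the class name, the load/decodePem helpers, the store path and the "changeit" password are placeholders chosen here, not anything from the page.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;

import org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider;

public class BcfksTrustStore {

    private static final String STORE_TYPE = "BCFKS";     // writable store format of the BC FIPS provider
    private static final String PROVIDER_NAME = "BCFIPS"; // name BouncyCastleFipsProvider registers under

    static {
        // Register the provider once; assumes bc-fips-1.0.2.jar is on the classpath.
        if (Security.getProvider(PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleFipsProvider());
        }
    }

    private final Path storePath;   // placeholder location of the truststore file
    private final char[] password;  // placeholder store password

    public BcfksTrustStore(Path storePath, char[] password) {
        this.storePath = storePath;
        this.password = password;
    }

    /** Loads the BCFKS truststore, or initialises an empty one if the file does not exist yet. */
    public KeyStore load() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(STORE_TYPE, PROVIDER_NAME);
        if (Files.exists(storePath)) {
            try (InputStream in = Files.newInputStream(storePath)) {
                ks.load(in, password); // the password is also used to verify the store's integrity check
            }
        } else {
            ks.load(null, null); // fresh, empty store
        }
        return ks;
    }

    /** Parses one PEM-encoded certificate (a -----BEGIN CERTIFICATE----- block) into an X509Certificate. */
    public static X509Certificate decodePem(String pem) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII));
        return (X509Certificate) cf.generateCertificate(in);
    }

    /** Adds each certificate of the chain as a trusted entry, writes the store back, returns the number added. */
    public int addToTrustStore(List<String> certChain) throws GeneralSecurityException, IOException {
        KeyStore ks = load();
        int added = 0;
        for (String pem : certChain) {
            X509Certificate cert = decodePem(pem);
            // Skip certificates that are already trusted so repeated runs do not pile up duplicate aliases.
            if (ks.getCertificateAlias(cert) != null) {
                continue;
            }
            String alias = UUID.randomUUID().toString();
            ks.setCertificateEntry(alias, cert); // succeeds on BCFKS; the BCFIPS JKS implementation rejects this
            added++;
        }
        try (OutputStream out = Files.newOutputStream(storePath)) {
            ks.store(out, password); // persist with the provider's password-based integrity protection
        }
        return added;
    }

    public static void main(String[] args) throws Exception {
        // Usage: java BcfksTrustStore truststore.bks cert1.pem [cert2.pem ...]
        BcfksTrustStore store = new BcfksTrustStore(Paths.get(args[0]), "changeit".toCharArray());
        List<String> pems = new ArrayList<>();
        for (int i = 1; i < args.length; i++) {
            pems.add(new String(Files.readAllBytes(Paths.get(args[i])), StandardCharsets.US_ASCII));
        }
        System.out.println("Added " + store.addToTrustStore(pems) + " certificate(s) to " + args[0]);
    }
}
```

Compile and run with bc-fips-1.0.2.jar on the classpath. Because the file is written as type BCFKS through the BCFIPS provider, it is the same kind of store that the answer's keytool commands create with -deststoretype BCFKS, so those commands can be used to list or delete the entries this class adds.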