keytool -list displays “JKS” for a PKCS12 keystore [work-a-round]

Contents

1 The JAVA version
2 The Test
3 The fix
4 Conclusion

A server with Tomcat powered by OpenJDK 8 is using a keystore that is PKCS12 and not JKS. However, the keytool shows that the keystore type is JKS. I have accidentally discovered a work-a-round to this.

The JAVA version

java -version

openjdk version “1.8.0_191”
OpenJDK Runtime Environment (build 1.8.0_191-b12)
OpenJDK 64-Bit Server VM (build 25.191-b12, mixed mode)

The Test

keytool -list -keystore /root/.keystore -storepass password | grep "Keystore type"

Keystore type: jks

The fix

Modify the the java.security to change the Default keystore type from jks to pkcs12.

vim /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.191.b12-1.el7_6.x86_64/jre/lib/security/java.security

Repeat the test above.

keytool -list -keystore /root/.keystore -storepass password | grep "Keystore type"

Keystore type: pkcs12

Conclusion

Although this work-a-round works for a sanity check, I’m not sure it really matters. In any case, this appears to have been a bug fix in JDK 8u201.

https://bugs.openjdk.java.net/browse/JDK-8193171
https://bugs.openjdk.java.net/browse/JDK-8208962