Bug
Resolution: Done
Major
24.0 GA (24.0.2), 26.0 GA (26.0.4)
The migration guide 26.0 states: "For the PKCS12 files, the certs must be unencrypted, which means that no password is expected." However, when actually running keytool, an error occurs, requiring the -deststorepass to be at least 6 characters long.
A workaround is to use the following command:
openssl pkcs12 -in myTrustStore.p12 -nodes -password pass:123456 | openssl pkcs12 -export -out myTrustStore_nopass.p12 -nokeys -password pass:
However, the following error occurred, and the connection could not be established:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid requested target
So the best recommendation for the migration guide would be to advise using PEM files directly instead of creating and managing keystores.
This approach is simpler and avoids potential issues with openssl or keytool, which seem to have inconsistent behavior with empty passwords.
But we should mention the problem with pkcs12 files so that the user is aware of it.
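The PEM route recommended above, as an added example that is not part of the original issue: a shell function that exports only the certificates from a password-protected PKCS12 truststore into a PEM bundle and fails if nothing was exported. The function name, the file names and the `P12_PASS` environment variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the issue. p12_to_pem, the file names and the
# P12_PASS variable are hypothetical names chosen for this example.

# p12_to_pem SRC.p12 DEST.pem
# Reads the store password from the exported environment variable P12_PASS
# (keeps it out of the process list), writes only the certificates to
# DEST.pem and prints how many certificates were exported.
p12_to_pem() {
    src=$1
    dest=$2
    tmp=$(mktemp) || return 1

    # -nokeys: export certificates only, never private keys.
    if ! openssl pkcs12 -in "$src" -nokeys -passin env:P12_PASS \
            -out "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "cannot read $src (wrong password or not a PKCS12 file)" >&2
        return 1
    fi

    # Keep only the PEM blocks; openssl writes "Bag Attributes" text
    # between them.
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
        "$tmp" > "$dest"
    rm -f "$tmp"

    # grep -c exits non-zero on zero matches but still prints 0.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$dest" || true)
    if [ "$count" -eq 0 ]; then
        echo "no certificates found in $src" >&2
        rm -f "$dest"
        return 1
    fi
    echo "$count"
}

# Usage (constructed values):
#   export P12_PASS=123456
#   p12_to_pem myTrustStore.p12 myTrustStore.pem
```

Comparing the printed count with the number of certificates expected in the truststore catches an empty or partial export before the bundle is deployed.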