Feature request: Export options for truststore (keystore is already supported through PKCS12)

Open dia-susca opened this issue 9 months ago • 6 comments

Hi,

We need to create truststores and keystores for the certificates we manage. A keystore is easy to export, as a PKCS12 chain exported as pfx needs only renaming to .p12, if the application requires that particular file extension.

But, a truststore is not an export option - we should be able to export only the public keys for the Certification Authority and intermediates, in PKCS format.

I know it can be done by exporting the pem/cer and then creating the trust store by importing the certificates, but it would be nice to have a one-step process.

Thank you!

dia-susca avatar Mar 28 '25 13:03 dia-susca

  • What exact file format do you mean? PKCS#7?
  • Where do you import it?
  • Do you want all available CA certificates (root and intermediate)?
  • Do you want to select them?

chris2511 avatar Mar 29 '25 08:03 chris2511

Hi, thanks for the reply.

To answer your questions:

  • PKCS12 +/- JKS (for old times' sake?) - but just the public keys, no private keys. PKCS 7 afaik is not a java truststore valid format.
  • The idea is to not import the certificates in other files, but to use the exported keystore directly in Java/EE applications.
  • It would be nice to be selectable (certificate or full chain)
  • yes, please.

dia-susca avatar Mar 31 '25 12:03 dia-susca

My research result:

  • Java 9 uses PKCS#12 without private key as truststore https://stackoverflow.com/questions/11536848/keystore-type-which-one-to-use
  • An ordinary PKCS#12 file is not accepted: https://stackoverflow.com/questions/23935820/how-can-i-create-a-p12-or-pfx-file-without-a-private-key/23941513#23941513 6th comment on accepted answer:

While this works, the truststore is unusable with Java. sun.security.pkcs12.KCS12KeyStore requires all trust certs to have the following bag attribute: { joint-iso-itu-t(2) country(16) us(840) organization(1) oracle(113894) jdk(746875) crypto(1) id-at-trustedKeyUsage(1)

  • Openssl has recently been extended to support creating a java trust-store with the pkcs12 command: https://github.com/openssl/openssl/pull/19025

chris2511 avatar Apr 01 '25 20:04 chris2511

I'm not knowledgeable enough to understand the "bag attribute" comment, but exporting directly as PKCS#12 without private key as java truststore -> is it do-able then? I know I can manually create it after exporting from xca, it just would have been a nice feature to do it one-step.

dia-susca avatar Apr 02 '25 07:04 dia-susca

I'm not knowledgeable enough to understand the "bag attribute" comment, but exporting directly as PKCS#12 without private key as java truststore -> is it do-able then?

yes, it's just not super trivial ...

I know I can manually create it after exporting from xca, it just would have been a nice feature to do it one-step.

... with keytool -import -file certificate.cer -keystore truststore.p12 -storetype PKCS12, right?

chris2511 avatar Apr 02 '25 16:04 chris2511

Yes, that's the command. Basically going back to command-line and getting paths right laziness... Or I can use KeystoreExplorer for a visual tool to do the same, but I would have loved xca to be the one-stop-shop :).

dia-susca avatar Apr 03 '25 09:04 dia-susca