What format is java’s cacerts format expected to be?

I’m slightly confused about cacerts formats. An application I use recently had to upgrade its cacerts file. The original cacerts file was pk12 format (I assume, it’s binary), while the new format is clearly pem. I can use either cacert, but when I suggested someone having trouble with authentication upgrade to the new cacert, he gets complaints because it is not a pk12 format.

What file format should cacerts be? Can it be either format? Does something configure/define which format it should expect?

Answer

On any normal Oracle Java installation (before Java 9; this is an old answer), cacerts should be a proprietary, binary, JKS key store type. I’ve checked this against 1.8.0_20. From 9 onwards it is replaced by a binary PKCS#12 key store (or rather, trusted certificate store).

To be sure, you may use file cacerts on GNU systems (Linux). If you have something different, you may have a different JRE or the cacerts file is replaced.

You can manage the contents of cacerts using the keytool command delivered with the JDK.

Note that the key store that contains the private key(s) for authentication usually is a PKCS#12 key store.

User contributions licensed under: CC BY-SA
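
To check which of the formats discussed above a given cacerts file actually is, the leading bytes are enough to tell JKS, PKCS#12 and PEM apart. The following is an added example, not part of the original question or answer; `keystore_format` is a hypothetical helper name, and the magic values are the well-known ones for each format.

```shell
#!/bin/sh
# Added example: classify a trust store file by its leading bytes.
#   JKS     -> magic FE ED FE ED
#   JCEKS   -> magic CE CE CE CE
#   PKCS#12 -> DER SEQUENCE (0x30) whose first element is INTEGER 3 (02 01 03)
#   PEM     -> text containing a line that starts with "-----BEGIN "
# keystore_format is a hypothetical helper name, not a JDK tool.
keystore_format() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }
    # First 16 bytes as one lowercase hex string without separators.
    hex=$(od -An -v -tx1 -N16 "$f" | tr -d ' \t\n')
    case $hex in
        feedfeed*) echo "JKS" ;;
        cececece*) echo "JCEKS" ;;
        30*)
            # Skip the DER length field so the next element can be inspected.
            len=${hex#30}
            case $len in
                81*) rest=${len#????} ;;          # 1 length byte follows
                82*) rest=${len#??????} ;;        # 2 length bytes follow
                83*) rest=${len#????????} ;;      # 3 length bytes follow
                84*) rest=${len#??????????} ;;    # 4 length bytes follow
                [89a-f]*) rest= ;;                # indefinite or oversized length
                *) rest=${len#??} ;;              # short form, single byte
            esac
            case $rest in
                020103*) echo "PKCS12" ;;
                *) echo "DER-other" ;;
            esac ;;
        *)
            # PEM bundles often begin with comment lines, so search the file
            # instead of trusting only the first bytes.
            if grep -q '^-----BEGIN ' "$f"; then echo "PEM"; else echo "unknown"; fi ;;
    esac
}

# Usage: sh keystore_format.sh /path/to/cacerts
if [ "$#" -gt 0 ]; then keystore_format "$1"; fi
```

A PEM result means the file is a plain certificate bundle rather than a key store, which matches the "not a pk12 format" complaint described in the question.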